CCPA vs GDPR: Learn the Key Differences in Data Privacy Laws [Infographic]


  • August 04, 2022

74% of consumers around the world feel they have little to no control over their personal data, according to research by Ponemon Institute.

More and more people are realizing the risks of sharing their personal information with companies and are taking steps to reduce the amount of sensitive data they share. As a result, privacy protection is an increasing priority for consumers and lawmakers alike.

Governments around the world have introduced major data privacy legislation, most notably the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act in the United States. Understanding how these laws compare, the organizations they apply to, and what they require is essential for growing organizations.

In this article we clarify the necessary points of each law, explain what they have in common, and list the key differences between GDPR vs CCPA.

The General Data Protection Regulation (The GDPR) explained

The General Data Protection Regulation (commonly known as the GDPR) is a law passed in 2016 by the European Union to protect data privacy and security. Its goal is to keep data safe while giving consumers greater insights into and control over who can process their personal data and why. Although it was drafted and passed by the EU, it applies to any organization that targets or collects data from EU citizens or residents.

GDPR applies to personal data, which is defined as any information that can be linked to a specific individual. This includes names, birth dates, phone numbers, physical and email addresses, financial data, medical records, and IP addresses.

GDPR compliance requirements

GDPR includes seven principles organizations need to follow when processing personal data. They are:

  1. Lawfulness, fairness, and transparency: Data processing must be lawful, fair, and transparent to the data subject. 
  2. Purpose limitation: Data processing must be limited to the purposes explicitly stated to the data subject when you collected it. 
  3. Data minimization: Organizations may only process as much data as absolutely necessary for the purposes specified. 
  4. Accuracy: Personal data must be kept accurate and up-to-date. 
  5. Storage limitation: Personal data may only be stored for as long as necessary for its specified purpose. 
  6. Integrity and confidentiality: Data must be processed in a way that ensures security, integrity, and confidentiality. 
  7. Accountability: Data controllers must be able to prove compliance with all of these principles. 

To uphold these seven principles, organizations must satisfy certain data processing requirements.

First, an organization must establish a legal basis for processing the data and obtain explicit consent from consumers. In other words, it has to have a legitimate reason for collecting and processing personal information, and consumers have to make a clear, informed decision to opt into data processing. Companies can’t coerce consumers into agreeing to share their data by denying access to products or services, and they can’t trick consumers into agreeing by hiding the opt-in or by using confusing language.

Once an organization has permission from a data subject, it has to use that data responsibly. GDPR grants data subjects specific rights, including the right to be informed about how a company processes their data, any third parties their data might be shared with, and why. Consumers also have the right to request that their personal data be deleted, also known as the right to erasure or the right to be forgotten. 

Finally, organizations are required to implement technical and organizational safeguards to ensure any personal information they collect is secure from a data breach. While the legislation does not specify exact security controls, examples include data encryption, firewalls, access controls, and employee security training. If a data breach does occur, organizations must notify anyone affected by the breach within 72 hours.

Non-compliance with GDPR can mean significant financial penalties — fines of up to 20 million euros, or 4% of a company’s global annual revenue from the previous financial year, whichever is higher. Amazon was famously fined $888M in 2021 for tracking customer data without proper consent.

The California Consumer Privacy Act (The CCPA) explained

Like its predecessor the GDPR, the California Consumer Privacy Act (CCPA) is data privacy legislation designed to give California residents greater insight into and control over how businesses collect and use consumer data.

CCPA compliance requirements

Like GDPR, CCPA requires companies to implement a range of data security and privacy initiatives, such as maintaining an up-to-date privacy policy. Organizations must also establish a valid business purpose for personal data collection and/or processing.

The legislation grants California residents specific data subject rights similar to those established by GDPR. Under CCPA, data subjects have the right to know what kind of personal information is being collected about them and how it’s used. They also have the right to opt out of the sale of their data or to request that it be deleted, and companies can’t discriminate against consumers who choose to exercise those rights.

CCPA applies to any for-profit organization that collects the personal information of California residents and also meets one of three thresholds:

  • Exceeds $25 million in annual gross revenue
  • Buys, sells, or receives/shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices
  • Earns 50% or more of its annual revenue from selling consumers’ personal information

Companies that fail to comply with CCPA requirements can be issued fines by the California Attorney General, up to $7,500 per violation.

CCPA vs GDPR: Key differences to know

Both the General Data Protection Regulation (GDPR) and CCPA are considered some of the world’s strictest data privacy laws, and the two share several commonalities. 

First, both laws apply to companies that are located outside their borders. Any organization that serves either EU residents or Californians needs to understand its obligations under these data privacy laws.

Both GDPR and CCPA grant data subjects similar rights, such as the right to opt out of the processing of their personal data. GDPR and CCPA also require organizations to notify consumers of a data breach. Both protect the consumer’s right to request that their personal data be erased and the right to data portability.

That said, the two laws aren’t interchangeable. Here are some key differences to know.

Who’s affected by the legislation

CCPA regulates for-profit organizations that operate in California and meet one of the three thresholds. It also applies to their service providers. 

GDPR regulates data controllers and data processors that process the personal data of EU citizens and residents. Data controllers are organizations that decide how and why to process personal data. Data processors are organizations that process personal data on behalf of data controllers. 

Types of information that are protected

One main difference to note is that CCPA takes a broader approach to data privacy by extending its definition of personal information. Under GDPR, personal information is information that can be linked to a particular individual. With CCPA, it can be linked to an individual, specific household, or device.

Data transfer restrictions

GDPR includes specific provisions for transferring personal data outside of the EU or European Economic Area (EEA). In cases where data transfers are made, strict conditions apply to ensure appropriate data protection. 

Penalties for non-compliance violations

GDPR and CCPA are both strict data protection laws, with potentially significant fines for failing to comply. However, organizations that violate GDPR can pay a much higher price. Data protection authorities in EU member states have made examples of non-compliant organizations with massive financial penalties in the hundreds of millions of euros.

Get GDPR and CCPA compliant with Secureframe

Our security and compliance automation platform makes it quick and easy to ensure you're compliant with data privacy legislation, including GDPR and CCPA. Get access to procedures and policies vetted by GDPR and CCPA experts, proprietary training for automatic employee compliance, access to in-house experts, and everything else you need to get and stay compliant. We also stay up-to-date on the latest data privacy regulations for you, so you can focus on what matters most — serving your customers and growing your business.

To learn more about our GDPR and CCPA offerings, schedule a demo with one of our product experts.
