The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) were created to give people greater power over their personal information. Both regulate how companies collect and use individuals’ personal data.
While both laws are focused on user privacy rights and putting control over one’s data back into the users’ hands, there are a few crucial differences between the two regulations beyond just their jurisdiction.
Here is a comparison of the key differences between the CCPA and the GDPR, and an overview of how organizations can comply with both.
What is GDPR?
The General Data Protection Regulation is a European Union-wide regulation that controls how companies and other organizations handle personal data. It’s designed to give EU residents, regardless of their citizenship, more control over their personal data while simplifying rules for global businesses. It applies to companies that process the data of EU residents even if the companies are not located in the EU, a principle known as extraterritoriality. The law went into effect on May 25th, 2018.
Some key aspects of the GDPR include:
- Organizations must only gather personal data for a particular, explicitly stated reason (purpose), which they must record.
- In most cases, organizations must get explicit, informed, voluntary consent from individuals for the stated purpose before collecting or using their data. If the purpose for collecting and processing data changes, organizations must get new consent from users.
- Data should be deleted, returned, or anonymized when it’s no longer needed.
- Individuals have rights regarding their data, including access to it, having it corrected or deleted, and receiving a copy of it.
- Companies require a documented legal reason to handle personal data (legal basis) and should openly share with users what that reason is and how they handle collected data.
What is CCPA?
The California Consumer Privacy Act (CCPA), also known as “the California GDPR”, is a state-wide data privacy law that regulates how organizations handle the personal information of California residents.
The CCPA was passed in 2018 and went into effect on January 1, 2020. It was the first of the modern and comprehensive data privacy laws passed in the United States. Several states have passed laws since, and California has expanded and amended the CCPA with the California Privacy Rights Act (CPRA).
Some key aspects of the CCPA include:
- giving California residents the right to know what personal information, including data collected through cookies, a business has collected about them and how it is being used and shared
- enabling consumers to opt out of the sale of or sharing of their personal information with third parties
- requiring companies to obtain consumers’ consent to collect and use personal data if it is categorized as sensitive or belongs to a child
- requiring businesses to delete a consumer’s personal information upon request
Who needs to comply with GDPR vs CCPA privacy regulations?
Both the CCPA and the GDPR have global reach. The CCPA applies to businesses collecting data from California residents, regardless of the business’ location, while the GDPR applies to any entity worldwide offering goods or services to and collecting and using the personal data of EU residents.
The GDPR protects any individual in the EU during data processing. The CCPA specifically safeguards California residents who are not just temporarily in the state. Therefore, the CCPA does not apply to tourists.
However, the development of case law will likely have to make the definition of “resident” more granular, e.g., is a college student who resides in California for only part of the year a resident?
Who has to comply with the GDPR?
All organizations and their properties, including websites and mobile applications, that process data of people in the European Union must comply with the GDPR. Unlike the CCPA, the GDPR has no revenue or data-volume thresholds below which compliance is not required.
This includes nonprofit organizations, community groups, e-commerce companies, etc. Compliance is also required if companies use third-party services like Google’s or Facebook’s (e.g., for advertising) to process personal data, though the initial company, the data controller, is ultimately responsible for privacy compliance by third-party processors.
Who has to comply with the CCPA?
The CCPA defines the term “business” broadly. It applies to any for-profit organization, regardless of its location, that collects personal information from California consumers and meets at least one of the following criteria:
- has annual gross revenues above $25 million
- buys, receives, sells, or shares the personal information of 50,000 or more California residents, households, or devices
- gets 50% or more of its annual revenue from selling California residents’ personal information
Because IP addresses are considered personal information, the second threshold would apply to any website with at least 50,000 visitors from California.
It should be noted that with the CPRA coming into effect, these thresholds have been updated. The requirements now specify that:
- revenue is from the preceding calendar year
- 50,000 consumers has been updated to 100,000
- “devices” has been removed from the threshold
- sharing is included alongside the selling of personal data
How do GDPR and CCPA differ in their consent requirements?
Both the CCPA and the GDPR address consent for cookies and similar tracking, but each law handles it differently.
The GDPR emphasizes obtaining explicit consent before the collection of any data, whereas the CCPA focuses on enabling consumers to opt out later, and in most cases does not require prior consent to collect and process individuals’ personal data.
Additionally, the GDPR has wider coverage and stricter data protection rules than the CCPA.
Consent requirements under the GDPR
Under the GDPR, businesses must obtain explicit, unambiguous consent from individuals before collecting and processing their personal data, i.e., an “opt-in model”. The consent must be a clear affirmative action and cannot be inferred from an unrelated action or from inaction. Users also have the right to change or withdraw consent at any time.
This requirement extends to tracking cookies, which are considered a form of personal data for processing under the GDPR.
Consent requirements under the CCPA
The CCPA does not require explicit opt-in consent to collect personal data, except if the data is categorized as sensitive (because it poses a greater risk of harming a person if misused) or the data belongs to a child.
Instead, it gives consumers the right to opt out of the sale of their personal information to third parties (and also sharing with the passing of the CPRA). Businesses can collect and use most personal data without consent but must provide a “Do Not Sell My Personal Information” link on their website to allow consumers to exercise this opt-out right.
With the CPRA, this link is now required to be updated to say, “Do Not Sell Or Share My Personal Information”.
Determine if your website is compliant with the CCPA or GDPR. Use our free cookie audit tool to check cookie usage on your website and generate a detailed cookie audit report in minutes.
What data is protected under GDPR vs CCPA?
Both the CCPA and GDPR aim to protect people’s personal information that could make them identifiable, either via individual data points or in aggregate. So their definitions of personal data are very similar apart from a few small differences.
Definition of personal data under the GDPR
Under the GDPR, personal data is defined very broadly as “any information relating to an identified or identifiable natural person.” This includes direct identifiers like names and ID numbers, as well as indirect identifiers that can be used to recognize an individual, such as location data or an IP address. It also includes factors specific to a person’s physical, physiological, or genetic identity, healthcare or financial information, political or religious beliefs, and other factors.
It’s worth noting that the GDPR has a broad interpretation of personal data. This means that even seemingly harmless information can be classified as “personal data” if it can be linked to an individual or used to identify them. This includes items like website cookies, media recordings, biometrics, and GPS data.
Definition of personal data under the CCPA
The CCPA has a similarly broad definition of personal information compared to the GDPR, encompassing data that can directly or indirectly identify or describe a consumer or household.
This includes identifiers like names, email addresses, and Social Security numbers, as well as browsing history, purchasing data, or location information. Also similarly to the GDPR, the CCPA includes indirect identifying factors specific to a person’s physical, physiological, or genetic identity.
However, the CCPA has a few specific exemptions for certain types of personal data that are covered under other US laws. For example, medical information is protected by the Health Insurance Portability and Accountability Act (HIPAA), and financial data is regulated by the Gramm-Leach-Bliley Act (GLBA).
When can companies use personal data?
When comparing the GDPR to the CCPA, the laws take different approaches to regulating how companies use people’s personal information. The GDPR outlines six reasons, known as legal bases, at least one of which companies must rely on. The CCPA is more flexible: it focuses on giving users more rights and transparency, with fewer conditions on when companies are allowed to process the data in the first place.
Legal bases for data processing under the GDPR
Under the GDPR, companies can only process personal data if they have a lawful reason to do so. The GDPR lists six legal bases from which companies can choose to enable compliant use of personal data:
- Consent: An individual must provide voluntary and informed consent prior to the collection and processing of their personal data. For example, a website visitor must give clear GDPR cookie consent for the company to process their personal data for purposes stated in their consent banner (e.g. marketing or analytics).
- Contract: The data processing is necessary to fulfill a contract (e.g. delivering a product or service) with the person, or to take steps before entering a contract.
- Legal obligation: A company needs to use the data to comply with a law or regulation.
- Vital interests: The processing is necessary to protect someone’s life, safety, or well-being.
- Public task: An organization needs the data to perform a task with a clear legal basis that is in the public interest, e.g. by government or law enforcement.
- Legitimate interest: A company (or third party) has a legitimate business interest that requires processing personal data, e.g. an insurance company processing data to prevent fraud that may affect customers.
Companies must be able to justify which of these legal reasons they rely on for each personal data use. Where consent is the legal basis, organizations also need to be able to prove consent was obtained, and also demonstrate that it was obtained in a valid manner, i.e., that the consent was freely given, specific, informed, and unambiguous.
Legal bases for processing under the CCPA
The CCPA doesn’t clearly define when or how companies can use personal data, and in most cases does not require a prior legal basis to collect it, as long as the ability to opt out is available. However, the law does include some exceptions that override the CCPA, including:
- obeying federal, state, or local laws
- cooperating with law enforcement or regulators
- doing internal research for product development
- conducting public interest research
The CCPA also allows companies to use personal information for “business purposes,” which includes aspects like auditing, security, debugging, and short-term transactions.
How do regulatory requirements impact a company’s marketing efforts?
The GDPR and CCPA can both have a significant impact on how companies can conduct their digital marketing activities.
GDPR compliance and marketing
The GDPR significantly impacts a marketer’s ability to track website visitors, collect data about their browsing patterns and preferences, and tailor their marketing activities. Additionally, it grants individuals the “right to be forgotten,” allowing them to request the deletion of their personal data. This makes it challenging for marketers to maintain complete user profiles and tailor their campaigns accordingly.
To adapt, marketers need to take a more consent-based and transparent approach. This means obtaining clear consent for cookies and tracking, providing detailed privacy and cookie policies, giving website visitors clear information about data processing and revocable consent options, and respecting data subject rights.
For email marketing, marketers can’t use implied consent, so users must explicitly opt-in to sign up for a company’s email newsletter or allow cookie use. Marketers can’t pre-check boxes or present a consent banner with only an “Accept” button. If a company has an email list for one purpose, it can’t be used for another purpose without getting new, explicit user consent.
CCPA compliance and marketing
Similar to the GDPR, CCPA makes it more difficult for marketers to personalize marketing activities. This is because much of the data used by marketers for targeting and personalization is now subject to compliance rules. Under the CCPA and CPRA amendment, users have greater rights to opt out of the use of their data for targeting and profiling.
The CCPA gives users the right to know about processing, access, and have their data deleted, as well as to opt out of data sales or sharing with third parties. This can limit marketers’ access to third-party and second-party data sources previously used for audience expansion.
To comply with the CCPA and maintain consumer trust, marketers must take practical steps. The aim should be to focus on first-party data strategies and consider collecting zero-party data directly from consumers (ideally combined with preference management) to build transparent and privacy-compliant relationships.
To achieve this, assess data usage through data mapping and inventory exercises. Additionally, updating privacy policies and disclosures to reflect transparent data practices is crucial.
For email marketing, the CCPA has similar principles to the GDPR. Automatically enrolling individuals into an email list would be considered data “sharing”, so users must be able to opt out. If children are included on the list, advance consent must be obtained from a parent or guardian. Companies must provide individuals with an opt-out option via a “Do Not Sell or Share My Personal Information” link on their website. A company can still process a user’s personal data for other purposes after the user makes this opt-out request, however.
How to be privacy-compliant?
To be compliant with relevant privacy laws, there are different steps you need to take depending on which regulation is relevant to your business.
How to be GDPR-compliant?
To achieve and maintain compliance with the GDPR, companies should take several steps.
First and foremost, they must have a clear and transparent privacy policy that openly states how they collect and use data. This policy should be easily accessible to individuals, e.g., on the website, and should contain a cookie policy regarding that form of data collection and processing.
Moreover, companies must obtain explicit consent from individuals before processing any personal data, and must immediately stop collecting and processing an individual’s personal data if they revoke consent later.
Under the GDPR, respecting individual rights is crucial. This means granting people access to their personal data when requested, and deleting it when it’s no longer needed for its original purpose. The GDPR emphasizes the principle of “storage limitation,” meaning companies are obligated to keep personal data only for as long as necessary. They can’t keep it indefinitely for “nice to have” purposes, and if they want to use it for a new purpose, they must obtain new consent for that purpose.
Lastly, being accountable is crucial. Therefore, companies need to maintain thorough documentation of data practices and undertake regular audits to ensure their ongoing compliance.
A consent management platform (CMP) can help companies centralize the process of obtaining explicit user consent and managing individual rights as required by the GDPR. A CMP also maintains records of consent information, which can be used for auditing purposes or data subject access requests.
How to be CCPA compliant?
CCPA compliance focuses on empowering consumers and ensuring responsible data handling practices.
Firstly, it mandates that companies enable consumers to choose whether they want their personal information sold. Organizations can do this by providing a “Do Not Sell My Personal Information” option (now, with the CPRA as well: “Do Not Sell Or Share My Personal Information”). Companies need to disclose the categories of personal information they collect, the purposes for which it will be used, and the categories of third parties with whom it may be shared. However, to do this, companies need to be aware of all the website trackers and cookies in use on their websites.
Secondly, it requires that companies enable consumers to know about, have access to, request deletion of, and prohibit the sale of their personal information.
Similar to the GDPR, the CCPA limits storage length. So companies must avoid retaining personal information longer than needed and inform consumers about how long their data will be stored.
A CMP can also help companies that need to comply with the CCPA by identifying all tracking technologies in use, centralizing the process of enabling consumers to opt out of data sales, and managing consumer rights as required.
What are privacy policy requirements?
The GDPR and CCPA both have specific requirements when it comes to the privacy policies that companies must have in place on their website.
GDPR privacy policy requirements
Under the GDPR, companies must provide a clear, transparent, and easily accessible privacy policy that discloses the following:
- what personal data is being collected and processed
- the purposes for which the personal data is being used
- how long the personal data will be stored
- who the personal data may be shared with
- the rights individuals have over their personal data and how to exercise them
- the legal basis for processing the personal data, such as consent or legitimate interest
- whether the personal data will be transferred outside the EU and how it will be protected
- contact information for the organization (e.g. data protection officer) and for submitting rights requests
The privacy policy must be easily accessible and written in plain, easy-to-understand language. If companies use cookies, then a cookie policy must also be included. Most importantly, companies must obtain explicit, affirmative consent from individuals before collecting and processing their personal data if the legal basis is consent, which will be the applicable basis for many companies.
CCPA privacy policy requirements
The CCPA has similar privacy policy requirements, though the specifics differ somewhat from the GDPR:
- disclosure of the categories of personal information they collect, how they use it, and whether they sell or share that information
- provide an accessible privacy policy (and cookie policy) to explain, along with data processing information, consumers’ rights and how to exercise them
- explain handling and consent requirements for sensitive data or that of children
- make the policy’s language clear and understandable to the average individual, with no legal jargon included
The CCPA does not require companies to obtain explicit consent before collecting personal information in most cases. The focus is more on providing clear notice and giving consumers the ability to opt out of data sales. However, organizations must still provide clear information on how they collect and use data, and provide accessible options for users to exercise their privacy rights.
How are privacy laws enforced?
The GDPR and CCPA have different approaches when it comes to enforcement.
GDPR enforcement
The GDPR is enforced by the European Commission and national data protection authorities (DPAs) in each European Union member state. These DPAs have significant powers, including the ability to conduct audits, issue warnings, and impose fines.
Individuals who believe their rights under the GDPR have been violated can file complaints with their national DPA, which is then required to investigate and take appropriate action.
CCPA enforcement
The CCPA was enforced solely by the California Attorney General’s Office. There is no centralized enforcement body at the national level like with the GDPR. However, with the CPRA coming into effect, education, investigation, and enforcement have shifted to the California Privacy Protection Agency (CPPA).
The CCPA had a 30-day cure period, where companies had an opportunity to fix any violations before enforcement action was taken, but that ended under the CPRA.
What are the fines and penalties for noncompliance?
Both the GDPR and CCPA include specifics about fines that can be levied on companies that do not comply with their requirements. Penalties are tiered based on the severity of infractions. However, the GDPR carries much heavier potential penalties than the CCPA.
GDPR penalties
The GDPR has some of the highest fines of any data privacy law in the world. Companies found to be in serious or repeated violation of the GDPR can be fined up to 4 percent of their global annual revenue or EUR 20 million, whichever is greater.
Lower-tier fines can be up to 2 percent of global annual revenue or EUR 10 million. The GDPR also provides a private right of action, enabling individuals to sue companies for damages in the event of a data breach or other relevant violation.
CCPA penalties
If you do not comply with the CCPA, the California Attorney General’s Office (now the CPPA) can pursue civil penalties of up to $2,500 per unintentional violation, or up to $7,500 per intentional violation or those involving minors.
The CCPA also provides consumers with a private right of action, e.g. if their personal information is exposed in a data breach due to a company’s lack of reasonable security measures. Consumers can seek statutory damages between $100 and $750 per incident.
Prepare for the future and implement a data management strategy
The GDPR and CCPA both focus on protecting data and giving consumers control, but they have some key differences. By now, both laws are well enough established that companies should have solid privacy compliance strategies and operations. But if not, it’s never too late to mitigate the risk, and it’s good for consumer relationships and brand reputation in addition to regulatory compliance.
As governments around the world continue to pass and update laws to try to keep pace with technology and digital markets, the best move is to implement data handling practices, compliance policies, and ways to securely store a user’s data. It’s also important to consult with a data privacy expert and qualified legal counsel.
When comparing the rights of the CCPA vs. GDPR, it becomes clear that prior consent – exclusive to the GDPR – really makes all the difference, in that it creates a legal framework across the EU that is based on privacy first through user control.
FAQ
The General Data Protection Regulation (GDPR) is an EU law that governs the processing of personal data on individuals inside the European Union. It came into effect in May 2018. The GDPR requires websites that process personal data on individuals inside the EU to first obtain their consent to do so.
The California Consumer Privacy Act (CCPA) is a state-wide law that governs the collection, use, sharing, and selling of personal information of California residents. It came into effect in January 2020. The CCPA requires businesses to inform consumers about their personal information collection and sharing, and to enable consumers to opt out of third-party data sales and to access, and request deletion of, data already collected.
GDPR stands for General Data Protection Regulation, a law in the European Union aimed at safeguarding the data and privacy of EU residents. CCPA stands for California Consumer Privacy Act, which is a law in the United States specifically for protecting the data and privacy of California residents. Both laws give people more control over how their data and personal information is used by companies.
The most important difference between the GDPR and CCPA is prior consent versus opting out. The GDPR requires that users give their clear and affirmative consent prior to having their personal data collected and processed, whereas the CCPA requires businesses to make it possible for consumers to opt out of having their data disclosed or sold to third parties. Under the GDPR, you must have a legal basis (e.g. consent) for collecting personal data. Under the CCPA, you must enable users to opt out of your personal information collection practices. The GDPR protects any individual located inside the EU, whereas the CCPA protects California residents.
Under the GDPR, any website, company, or organization that processes personal data on individuals inside the EU must comply, even if it is not itself located inside the EU. Under the CCPA, only companies or for-profit organizations that meet the law’s definition of a business are required to comply.