CCPA vs GDPR: What's The Difference?


The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are the two privacy laws that have done most to set global expectations for how personal data is handled online.

They serve the same purpose: to protect individuals and give them control over how their personal data is used. However, they differ significantly in their compliance requirements.

Keep reading to learn the main differences between the CCPA and GDPR. We'll explore how each regulation affects organizations and what the main compliance requirements are.


CCPA vs GDPR: 13 differences to know

The CCPA and GDPR share the same intent, but they differ in much of the detail. Let's take a look at the main distinctions between the two laws.

1. Law type

The CCPA is a California statute (Civil Code section 1798.100 and following): it is enforced by the state Attorney General and the California Privacy Protection Agency, and it gives consumers a private right of action only for data breaches caused by a failure to maintain reasonable security, not for every violation. The GDPR is an EU regulation, which means it applies directly in every member state without needing national transposition; member states may supplement it with national law on specific points (the age of digital consent is one example), but they cannot lower its baseline.

2. Applicability

The GDPR and the CCPA apply to businesses that process the personal data of people in the EU and of California residents respectively, no matter where the business is based. Let's take a look at the specific applicability conditions.

GDPR

The GDPR applies to organizations of any size that process the personal data of individuals in the EU (and, through the EEA agreement, in Iceland, Liechtenstein, and Norway). Unlike the CCPA, it also covers non-profit organizations, charities, and public bodies.

Here are the businesses to which the GDPR applies:

  • Businesses established in any European Union (EU) member state that process personal data in the context of that establishment, wherever the processing itself takes place.
  • Businesses established outside the EU that offer goods or services to individuals in the EU (paid or free) or monitor their behavior there, for example through website tracking or profiling.

That said, according to the European Commission, if data processing is not a core part of your business and does not pose a high risk to individuals, some obligations may not apply to you, for example the duty to appoint a Data Protection Officer (DPO).

CCPA

The CCPA applies to for-profit businesses that do business in California and collect the personal information of California residents, whether or not the business itself is located in the state. Non-profit organizations and government agencies are out of scope. In addition, the CCPA only applies to a business that meets at least one of these thresholds:

  • It had more than $25 million in gross annual revenue in the preceding calendar year
  • It buys, sells, or shares the personal information of 100,000 or more California consumers or households per year
  • It derives 50% or more of its annual revenue from selling or sharing California residents' personal information

3. Scope

The GDPR provides a broader definition of personal data that can identify a consumer. Meanwhile, the CCPA excludes publicly available data that has already been made available by the consumer.

GDPR

Under the GDPR, personal data is any information relating to an identified or identifiable natural person, whether the identification is direct or indirect. Examples are a name, location data, a phone number, a vehicle registration plate, an identification number, or an online identifier such as an IP address or cookie ID. Special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, health, sex life or sexual orientation, genetic and biometric data) get additional protection under Article 9.

The GDPR does not cover:

  • Data relating to a deceased person (member states may regulate this nationally)
  • Data relating to a legal person, such as a company's registered name or address
  • Data processed by an individual in the course of a purely personal or household activity
  • Anonymous data, which can no longer be linked to a person; pseudonymized data, which can still be linked to a person with additional information such as a key, remains personal data

CCPA

Under the CCPA, personal information refers to data that can identify or be related or linked to the consumer or their household. Examples of what it includes are name, email address, purchase history, online activity history, fingerprints, geolocation data.

The CPRA (California Privacy Rights Act), which amended and extended the CCPA, also defines a narrower class of sensitive personal information. It includes government identifiers such as Social Security, driver's license, and passport numbers; account log-in or financial account details combined with the credentials needed to access them; precise geolocation; racial or ethnic origin, religious beliefs, and union membership; the contents of mail, email, and text messages where the business is not the intended recipient; genetic, biometric, and health data; and data about sex life or sexual orientation.

The CCPA excludes publicly available information, meaning information lawfully made available from government records, or information that the business reasonably believes the consumer has made available to the general public. Separately, information already regulated by other laws is exempt to the extent of that regulation, for example medical information covered by HIPAA or California's CMIA, and consumer credit reporting information covered by the Fair Credit Reporting Act.

4. Legal basis

The CCPA does not require a legal basis for collecting or processing personal information at all: a business may collect data once it has given notice at or before the point of collection, and must honor opt out rights for selling and sharing. Under GDPR Article 6, by contrast, every processing operation must rest on one of six lawful bases:

  • The data subject has given consent (freely given, specific, informed, and unambiguous; explicit consent is additionally required for special categories under Article 9)
  • Processing is necessary to perform a contract with the data subject, or to take steps at their request before entering one
  • Processing is necessary to comply with a legal obligation
  • Processing is necessary to protect someone's life or vital interests
  • Processing is necessary for a task carried out in the public interest or under official authority
  • Processing is necessary for the legitimate interests of the organization or a third party, unless overridden by the data subject's interests or rights

5. Data collection disclosure

Both the GDPR and CCPA require organizations to disclose their personal data handling practices. This includes communicating what type of data is collected, why, how, and for how long. If a business is selling user data or sharing it with a third party, it must inform users of such practice as well, no matter which regulation applies to it.

The CCPA adds a 12-month look-back: when a consumer exercises the right to know, the business must disclose what it collected, sold, or shared about them in the preceding 12 months (and, since the CPRA took effect, for a longer period for data collected on or after January 1, 2022, unless doing so is impossible or involves disproportionate effort). Separately, once a consumer opts out of sale or sharing, the business may not ask them to opt back in for at least 12 months.

6. Consent withdrawal

Both GDPR and CCPA require providing users with an opt out option for data collection. However, there are some specific differences regarding consent withdrawal implementation.

GDPR

Where consent is the lawful basis, the GDPR requires an affirmative opt in before any collection starts, and Article 7(3) requires that withdrawing consent be as easy as giving it. The opt out must therefore remain available at all times, not just on the first visit, and withdrawal stops the processing going forward without affecting what was lawfully done before.

CCPA

The CCPA requires an opt out for the sale or sharing of personal information rather than for all processing. A business that sells or shares personal information must put a clear and conspicuous "Do Not Sell or Share My Personal Information" link on its homepage, and must also treat an opt out preference signal sent by the browser (such as Global Privacy Control) as a valid opt out request.

The link should lead to an opt out method or form. Once the consumer has opted out, the business must stop selling or sharing their personal information and may not ask them to opt back in for at least 12 months. Collection itself may continue; the opt out restricts what the business does with the data.

7. Consumer rights

The GDPR and the CCPA grant a similar set of rights, but the GDPR lists data portability and the right not to be subject to solely automated decisions as separate rights, while the CCPA adds an explicit right to opt out of sale and sharing and a right to non-discrimination.

GDPR

The GDPR user rights include:

  • Right to be informed. Data subjects must be told, at the point of collection, who the controller is, the purposes and legal basis of the processing, the data categories, the recipients, the retention period, and their rights.
  • Right of access. Users may request a copy of their personal data together with the information above, and businesses must provide it.
  • Right to rectification. Users have the right to have inaccurate personal data corrected and incomplete data completed.
  • Right to erasure. In the situations listed in Article 17 (for example, the data is no longer needed, consent is withdrawn, or the processing was unlawful), data subjects may require companies to delete their personal data.
  • Right to restriction of processing. When a user contests the accuracy of their data or the lawfulness of the processing, they may require the business to stop using the data (beyond storing it) while the matter is resolved.
  • Right to data portability. Where processing is based on consent or contract and carried out by automated means, consumers may receive their data in a structured, commonly used, machine-readable format, or have it sent directly to another controller.
  • Right to object. Users may object to processing based on legitimate interests or public-interest tasks, and may always object to processing for direct marketing.
  • Right not to be subject to a decision based solely on automated processing. Users may not be subject to a decision with legal or similarly significant effects that is made without any human involvement, subject to the exceptions in Article 22.

According to the GDPR Article 12 (3), companies get one month to respond to user requests. However, it can be extended by two more months if the business provides the reason for the extension and informs the user within one month of the request receipt.

CCPA

There are 6 user rights noted by the CCPA, including:

  • Right to know. Users may ask what personal information a business has collected about them, the sources, the purposes, and the third parties it was sold to or shared with, and receive the specific pieces of information in a portable, readily usable format.
  • Right to correct. Users can ask a business to correct inaccurate personal information.
  • Right to limit. Users can direct a business to limit its use and disclosure of their sensitive personal information to what is necessary to provide the requested goods or services.
  • Right to delete. With the exceptions listed in Civil Code section 1798.105(d), users can require businesses to delete their personal information and to pass the request on to their service providers.
  • Right to opt out. Businesses must provide an option for users to opt out of the sale or sharing of their personal information, including a "Do Not Sell or Share My Personal Information" link.
  • Right to non-discrimination. Denying service, charging a different price, or providing a lower level of service because a user exercised their rights is prohibited.

Under the CCPA, businesses have 45 days to respond to a request, extendable by a further 45 days if the consumer is informed of the extension and the reason for it. If the business doesn't respond, the consumer can file a complaint with the California Attorney General or the California Privacy Protection Agency.

8. Age of consent

The age below which a parent or guardian must act is 13 under the CCPA (with a further special rule up to 16), while the GDPR sets 16 as the default and lets member states lower it to anywhere between 13 and 16.

CCPA

The CCPA's age rules concern selling and sharing rather than collection (collection from children under 13 is separately governed by the federal COPPA). A business may not sell or share the personal information of a consumer it knows is under 16 unless it has affirmative authorization:

  • Under 13 – the parent or guardian must affirmatively authorize the sale or sharing
  • 13 to 15 – the minor may authorize it themselves
  • Under 16 in general – without such authorization the data may not be sold or shared, and a business that willfully disregards the consumer's age is treated as having known it

GDPR

The GDPR Article 8 states that processing the personal data of children under 16 can only be done if authorized by a parent or guardian. However, the member states of GDPR may set their own age limit, which can be as low as 13 years old.

Here’s how old a child has to be in specific EU member states to be able to provide their own consent:

13 years old

Belgium, Denmark, Estonia, Finland, Latvia, Malta, Portugal, Sweden (and the United Kingdom under the UK GDPR, although it is no longer an EU member state)

14 years old

Austria, Bulgaria, Cyprus, Italy, Lithuania, Spain

15 years old

Czech Republic, France, Greece, Slovenia 

16 years old

Croatia, Germany, Hungary, Ireland, Luxembourg, the Netherlands, Poland, Romania, Slovakia

9. Cookie usage

The difference between GDPR and CCPA here is that the CCPA doesn't require opt in consent for cookies, while the EU rules do. Strictly speaking, the cookie consent requirement comes from the ePrivacy Directive (the "cookie law"); the GDPR supplies the definition of valid consent that the directive relies on.

GDPR

Under the ePrivacy Directive read together with the GDPR, businesses must inform users about the cookies their websites use and obtain prior consent before placing any cookie that is not strictly necessary for the service the user requested. Session cookies for a shopping cart or for load balancing are exempt; analytics and advertising cookies are not.

Consent must be freely given, which means the banner needs a reject option that is as easy to use as the accept option, pre-ticked boxes don't count, and continuing to browse isn't consent. Users must also be able to choose which types of cookies they accept and to withdraw consent later.

CCPA

The CCPA does not require websites to obtain opt in consent before storing cookies on users' devices. Businesses must still disclose, at or before the point of collection, the categories of personal information collected and the purposes, which on a website is usually done through a cookie banner or a notice at collection linked from the footer.

If cookies are used to sell or share personal information (third-party advertising and cross-context behavioral advertising cookies typically are), the business must offer an opt out, honor browser opt out preference signals, and include a "Do Not Sell or Share My Personal Information" link.
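The two regimes described above come down to a different default and a different memory. The following is an added example, not code from the original page or from TinyCookie: a small consent gate a site could run before loading its analytics or advertising tags. The category names, the assumption that only the advertising category amounts to "selling or sharing", the policy-version check, and the 365-day re-prompt window are choices made for this example.

```javascript
// Added example: a regime-aware gate for non-essential cookie categories.
// "gdpr" mode is opt-in (nothing beyond strictly necessary cookies until the
// user ticks a box); "ccpa" mode is opt-out (everything runs until the user
// clicks "Do Not Sell or Share", after which that choice must keep being honoured).

const CATEGORIES = ["necessary", "analytics", "advertising"];

// Assumption for this example: advertising cookies are the ones that amount to
// "selling or sharing" under the CCPA, so an opt-out switches off exactly this
// set. Analytics is treated as first-party and stays on after an opt-out.
const SALE_OR_SHARE = new Set(["advertising"]);

const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;

// Baseline with no stored choice.
function defaultState(regime) {
  if (regime === "gdpr") return { necessary: true, analytics: false, advertising: false };
  if (regime === "ccpa") return { necessary: true, analytics: true, advertising: true };
  throw new Error(`unknown regime: ${regime}`);
}

// The record the site stores (first-party cookie or server side) when the user
// acts on the banner. Timestamp and policy version are what later let the
// business demonstrate consent (GDPR Art. 7(1)) or show an opt-out was honoured.
function recordChoice(regime, choice, policyVersion, now = Date.now()) {
  if (regime === "gdpr") {
    // Opt-in: only categories the user explicitly ticked become true.
    const choices = {};
    for (const c of CATEGORIES) choices[c] = c === "necessary" || choice[c] === true;
    return { regime, choices, policyVersion, at: now };
  }
  if (regime === "ccpa") {
    // The only choice the CCPA forces a site to offer is the opt-out.
    return { regime, optOut: choice.optOut === true, policyVersion, at: now };
  }
  throw new Error(`unknown regime: ${regime}`);
}

// Which categories may run on this page view. A GDPR record written under an
// older policy version is ignored (consent was given for a different set of
// purposes, so the site is back to the opt-in default); a CCPA opt-out is
// honoured regardless, because an opt-out does not lapse when the notice changes.
function allowedCategories(regime, record, currentPolicyVersion) {
  const state = defaultState(regime);
  if (record && record.regime === regime) {
    if (regime === "gdpr") {
      if (record.policyVersion === currentPolicyVersion) {
        for (const c of CATEGORIES) state[c] = c === "necessary" || record.choices[c] === true;
      }
    } else if (record.optOut) {
      for (const c of SALE_OR_SHARE) state[c] = false;
    }
  }
  return CATEGORIES.filter((c) => state[c]);
}

// Whether the banner may be shown again. CCPA: after an opt-out the site must
// not ask the consumer to opt back in for at least 12 months. GDPR: consent can
// be withdrawn at any time from a settings link, and asking again is only
// reasonable when the purposes (policy version) changed.
function mayShowBanner(regime, record, currentPolicyVersion, now = Date.now()) {
  if (!record || record.regime !== regime) return true;
  if (regime === "gdpr") return record.policyVersion !== currentPolicyVersion;
  if (record.optOut) return now - record.at >= ONE_YEAR_MS;
  return record.policyVersion !== currentPolicyVersion;
}

// Constructed example: a California visitor opted out yesterday under policy v1;
// the notice has since moved to v2, but only first-party categories may run and
// the banner stays hidden.
const stored = recordChoice("ccpa", { optOut: true }, "v1", Date.now() - 86400000);
console.log(allowedCategories("ccpa", stored, "v2")); // ["necessary", "analytics"]
console.log(mayShowBanner("ccpa", stored, "v2"));     // false
```

The important property is that `allowedCategories` is evaluated on every page view before any tag loads, not once when the banner is dismissed: the most common failure is a tag manager that fires analytics and ad scripts on load and only reads the consent record afterwards.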


10. International data transfer

The CCPA doesn't regulate transfers of personal information across international borders. The GDPR, in Chapter V, only allows personal data to leave the European Economic Area (EEA) if it will remain protected to an essentially equivalent standard.

That can be established in one of three ways: the European Commission has issued an adequacy decision for the destination country (it assesses the rule of law, respect for fundamental rights, enforceable data subject rights, and the existence of an independent supervisory authority); the exporter puts appropriate safeguards in place, most commonly the Commission's Standard Contractual Clauses or approved Binding Corporate Rules; or, for occasional transfers, one of the narrow derogations in Article 49 applies.

11. Data security requirements

The CCPA requires "reasonable" security without prescribing controls, whereas GDPR Article 32 names specific measures, such as encryption and the ability to restore data after an incident, that must be applied where appropriate to the risk.

GDPR

GDPR Article 32 requires businesses to implement appropriate technical and organizational measures, taking into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of the processing, and the risk to individuals. It names the following as examples of such measures:

  • Pseudonymization and encryption of personal data
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • The ability to restore the availability of and access to personal data in a timely manner after a physical or technical incident
  • A process for regularly testing, assessing, and evaluating the effectiveness of those measures

Article 33 adds that a personal data breach must be reported to the supervisory authority within 72 hours of the business becoming aware of it, unless the breach is unlikely to result in a risk to individuals.

A company must appoint a DPO if it is a public authority, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if its core activities involve large-scale processing of special categories of data or criminal conviction data (Article 37). The DPO can be an employee or an external contractor, but must be able to act independently and report to the highest level of management.

CCPA

Neither the CCPA nor the CPRA prescribes specific security controls, but the CPRA added a general duty (Civil Code section 1798.100(e)) to implement reasonable security procedures and practices appropriate to the nature of the personal information. The private right of action in section 1798.150 means consumers can sue directly when unencrypted or unredacted personal information is breached because of a failure to meet that duty.

In practice that means doing what a regulator would recognize as reasonable: keeping a data inventory so you know what personal information you hold and where, auditing contracts with service providers and third parties, encrypting personal information at rest and in transit so that a breach of encrypted data falls outside the private right of action, and maintaining an incident response plan.

12. Fines and penalties

GDPR fines can reach €20 million (around $22 million) or 4% of the organization's worldwide annual turnover, whichever is higher, while CCPA fines can reach $7,500 per violation, with no upper limit on the number of violations.

GDPR

First-time minor GDPR violations can result in a simple warning. However, administrative fines can vary in size:

  • Less serious violations (for example, failing to keep records of processing or to notify a breach): up to €10 million (~$11 million) or 2% of the organization's worldwide annual turnover from the previous financial year, whichever is higher
  • Serious violations (for example, processing without a lawful basis or ignoring data subject rights): up to €20 million (~$22 million) or 4% of the organization's worldwide annual turnover from the previous financial year, whichever is higher

In cases of unlawful data handling practices, organizations may get a temporary or even permanent ban on data processing.

CCPA

The original CCPA gave businesses a mandatory 30-day period to cure a violation before a penalty could be sought; the CPRA removed that right, so a cure period is now at the enforcer's discretion. There are two tiers of administrative penalty:

  • For non-intentional violations, such as a disclosure that is incomplete through oversight, the fine can go up to $2,500 per violation.
  • For intentional violations, and for any violation involving the personal information of consumers the business knew were under 16, the fine can be up to $7,500 per violation.

Each affected consumer or each mishandled request can count as a separate violation, so the per-violation figures multiply quickly. Separately, when unencrypted or unredacted personal information is breached because of a failure to maintain reasonable security, consumers may sue individually or as a class and recover statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.

13. Enforcer

While the CCPA can be enforced by the California Attorney General and the California Privacy Protection Agency, the GDPR has a national data protection authority for each member state.

In terms of the GDPR, if the data processing happens across multiple member states, the DPAs cooperate for a consensus. All of the assigned DPAs can be found on the European Data Protection Board website.

As for the CCPA, the CPRA created the California Privacy Protection Agency, which now has rulemaking and administrative enforcement authority over the law alongside the civil enforcement authority of the Attorney General.

GDPR vs CCPA: compliance requirements

Both GDPR and CCPA have similarities and differences in terms of business compliance requirements.

Similarities

Here are the main requirements under both legislations:

  • Disclose data collection. Both the GDPR and CCPA require disclosing personal data collection to users. This is usually done using a cookie banner on a website.
  • Consent management. Both laws require giving users a level of control over their data and allow managing what specific data or cookie categories they want to consent to.
  • Privacy and cookie policy. Every business must publish a privacy policy on its website and, if it uses cookies, explain them there or in a separate cookie policy, so users know what they're agreeing to.
  • Ensure data security. The GDPR requires businesses to apply measures such as pseudonymization and encryption, to ensure confidentiality, integrity, and availability, and to regularly test those measures. The CCPA doesn't specify the measures to adopt but requires reasonable security, and a business is accountable in court if a breach results from failing to provide it.

Differences

Let’s take a look at some of the main requirement differences between CCPA and GDPR compliance:

  • Acquiring consent. Under the GDPR, where consent is the lawful basis, data cannot be collected until an affirmative opt in is given. The CCPA works on notice and opt out: users are included in data collection as soon as they enter the website, and the only consent requirement is for selling or sharing the data of consumers under 16.
  • Opt out option. Both regimes require an opt out that is available at all times. The CCPA additionally requires a "Do Not Sell or Share My Personal Information" link, and honoring browser opt out preference signals, if the company sells or shares data.
  • Collecting user consents. The GDPR requires businesses to be able to demonstrate that consent was given (Article 7(1)), which in practice means storing each consent with a timestamp, the version of the notice shown, and the choices made. The CCPA does not require consent records, but its regulations require businesses to keep records of consumer requests (including opt outs) and how they were handled for at least 24 months.
  • Get a data protection officer. Under the GDPR, a business must appoint a DPO if its core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data.

Conclusion

Both the GDPR and CCPA give users some control over their personal data usage, but they have key differences. These include but are not limited to applicability, consumer rights, age of consent, fine size, and security requirements.

The main compliance difference is that the GDPR requires an affirmative opt in wherever it relies on consent, while the CCPA lets collection proceed on notice alone and gives users an opt out. Additionally, while organizations under either regulation must provide an opt out option, the CCPA specifically requires a "Do Not Sell or Share My Personal Information" link.

Understanding these differences is crucial not just for preventing large fines and reputational damage, but also to ensure user trust and ethical practices no matter where your business operates. And as laws continue to evolve, it’s important to stay ahead and regularly assess business compliance.

Frequently asked questions

The main difference between the CCPA and GDPR is that the GDPR requires an affirmative opt in before data collection whenever it relies on consent. Meanwhile, the CCPA doesn't require consent to collect and process data; consent is only required to sell or share the data of consumers under the age of 16.

The GDPR applies to any organization that processes the personal data of individuals in the EU, no matter where it operates, while the CCPA applies to qualifying for-profit businesses that process the personal information of California residents. If your business processes data of both EU and California users, you're expected to comply with both regulations.

The CCPA provides consumers with a certain level of control over their privacy rights. These include the right to disclosure, personal data deletion, correction, limitation, consent withdrawal, and non-discrimination. Businesses must ensure at least two methods for request submission.

About the author
Kristina Jaruseviciute
Kristina is a Senior Writer at TinyCookie, where she specializes in providing educational content for readers interested in web cookies and compliance. She covers an extensive scope of subjects, from cookie types, definitions, and tutorials to compliance tips for website owners.