CCPA v GDPR: What’s the Difference?

The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two of the world's most critical data privacy laws. Taken together, they govern the data of millions of people and some of the world’s largest technology companies.

In 2023, there were 3,205 data breaches in the US, almost double that of the year prior. As the number of siloed data stores grows year-on-year, so too does the threat of data breaches.  

The GDPR and CCPA put consumer data privacy to the forefront, ensuring that businesses use data lawfully and safeguard information from unauthorized access. However, there are some key differences between the two regulations. In this article, we’ll explain how each legislation works and what you need to do to comply with them.

Understanding the GDPR

The General Data Protection Regulation (GDPR) is the European Union’s (EU) law for data privacy and came into effect on May 25, 2018. The GDPR aims to give EU citizens and residents, known within the legislation as ‘data subjects’, power over the data they choose to share with businesses. It offers individuals several key rights, including:

• Right to be informed about how their data is being used, stored, and processed.
• Right to access personal data that data controllers possess.  
• Right to rectify incorrect personal data that businesses hold.  
• Right to erasure (to have a business delete the data it holds)
• Right to data portability (to use their personal data for different services)
• Right to prior consent

• Right to withdraw consent to information collection at any time.  
• Right to complain to the Information Commissioner.  
• Right to not be subjected to automated decision-making.

For you as a business, the GDPR means you need to adhere to several data privacy regulations whenever you operate within the EU or handle the data of EU data subjects.  

Compliance often involves implementing security measures, creating policies for access requests, implementing consent management protocols, being transparent with your customers, and maintaining accurate documentation about your data privacy procedures.  

Understanding the CCPA

The CCPA (California Consumer Privacy Act) took effect on January 1, 2020. It is the most significant state-specific privacy legislation in the US.  

The CCPA gives consumers several rights, including:

• Right to be informed about how data is being used, stored, and processed.
• Right to access personal information that businesses possess.
• Right to delete information collected about them.
• Right to opt out of selling personal information.  
• Right to non-discrimination when exercising CCPA rights.  

All businesses that meet the CCPA eligibility criteria need to inform consumers about their rights, provide notice when they collect consumer’s personal data, establish processes for data access requests, and honor data deletion requests. Consumers also have the right to request that CCPA businesses refrain from selling their data.  

The Consumer Privacy Rights Act of 2020 (CPRA) amended the CCPA to enforce data privacy laws, giving consumers the right to correct information. The CPRA also added GDPR-style data minimization rules and established the California Privacy Protection Agency.  

The GDPR and CCPA have many similarities and differences. Let’s take a closer look at these differences now.  

What is the Scope of the laws?

While the GDPR and CCPA focus on individual privacy rights, each legislation has some notable differences in scope.

Personal data (GDPR) vs Personal information (CCPA)

The GDPR defines personal data as ‘information related to an identifiable natural person’ (data subject).  

This could include names, email addresses, phone numbers, cookie identifiers, home addresses, or any other data that someone could use to identify an individual directly or indirectly.  

According to the State of California Department of Justice, sensitive personal information can be classified as follows:

• Social security numbers.
• Account log-in information.
• Debit and credit card numbers.
• Password credentials.
• Precise geolocations.
• Content information such as text messages, emails, etc.
• Biometric information.
• Information about a person’s race, ethnicity, health, sex life, sexual orientation, religious and philosophical beliefs.
• Union membership.

Under this sensitive personal information, consumers have the right to limit how a business uses their personal information and discloses this information.

The CCPA protects ‘consumer personal information,’ which it defines as information that describes relates to or could otherwise be used to reasonably identify a consumer or household.

‘Household’ is the key here. While the GDPR is exclusively related to an individual's personal data, the CCPA also protects information related to homes, such as household characteristics, the number of occupants, and income thresholds.  

Prior consent (GDPR) vs Opting out (CCPA)

The most crucial difference between the CCPA and GDPR is the distinction between prior consent (GDPR) and opting out (CCPA).  

The GDPR enforces privacy by default. This means data controllers must obtain explicit prior consent from a data subject before they can process and use that data.

In addition, this consent will only be valid if the data controller has explicitly stated for what purpose they require the data. And, of course, data subjects can also withdraw their consent at any time.  

In contrast, the CCPA doesn’t have any such legal framework. Any company can collect and sell consumer information lawfully without obtaining prior consent. However, consumers have the right to access their information and opt out of selling their data whenever they like.  

In other words, while the GDPR allows consumers to opt in and withdraw consent, the CCPA considers consumers opted-in by default. They will need to opt out after the fact.  

Who do the laws apply to?

Now that we understand the differences in scope between each law, let’s take a moment to explore who the regulations protect and which businesses they impact.  

Protecting ‘Data Subjects’ (GDPR) vs ‘Consumers’ (CCPA)

The GDPR protects ‘data subjects,’ which it defines as ‘identified or identifiable natural persons.’ The regulation is designed to protect the personal information of EU citizens and residents inside the European Union or the European Economic Area (EEA).

The CCPA protects ‘consumers,’ which it defines as ‘a natural person who is a California resident.’ This includes anyone who lives in the state on a permanent basis and any permanent resident of the state who is temporarily outside of California.  

Data Controllers (GDPR) vs For-Profit Businesses (CCPA)

The GDPR law applies to all businesses that collect consumer data from EU citizens or residents. This includes companies, public bodies, not-for-profit organizations and institutions. Under the legislation, all bodies that collect EU consumer data are known collectively as ‘data controllers.’  

Even if your business is based in the US, you’ll still need to adhere to the GDPR regulations if you handle data inside the EU or that belongs to EU residents.  

It doesn’t matter if you’re running a global megacorp or a local eCommerce store. If you collect data related to EU citizens, the GDPR applies to you.  

In contrast, the CCPA regulation applies to for-profit businesses that handle the data of California residents. In addition, the CCPA requires businesses to meet one or more of these criteria for the legislation to apply:

• Their annual turnover (gross) totals more than $25 million.
• They receive 50% or more of their annual revenues from selling consumer information.
• They buy, obtain, or sell personal information from 50,000+ Californian consumers.

If a business doesn’t meet one of these criteria, they aren’t regulated by the CCPA.

How do the laws impact businesses?

While there is some crossover between the GDPR and CCPA, each law impacts eligible businesses in significantly different ways.

Legal basis for processing personal data: GDPR vs CCPA

The GDPR defines six core legal grounds for processing and collecting data in the EU. These are:

• Consent: A consumer has given explicit consent for a business to use their data.
• Contract: The data controller needs to process data to fulfill a legal contract.
• Obligation: The data controller needs to process data for compliance purposes.
• Vital interests: The processing is required to protect the data subject’s life.
• Public interest: The data controller is acting in the legitimate public interest.  
• Legitimate interests: The data controller has legitimate reasons for processing data, except where these interests impede the freedoms and rights of the data subject.

In contrast, the CCPA has no rules for processing personal information. This means businesses can handle and process consumer data however they like until consumers opt out.

Data governance requirements: GDPR vs CCPA

Under the GDPR, all data collectors need to know exactly where their sensitive personal data lies, who can access it, and how it’s being used. This includes data stores siloed in databases, point-of-sale systems, Internet of Things (IoT) devices, and more.

If a data controller is using consumer data, they must have a lawful basis to do so. They must also clearly document precisely why they need to process this data.  

In addition, GDPR data collectors must facilitate all of the rights consumers hold under the legislation. This includes having clear data consent policies and systems for the right to access, erase, restrict, and withdraw consent.  

To find out what the GDPR requires in full, you can view this handy GDPR compliance checklist here.  

CCPA governance

CCPA compliance doesn’t mandate how business data needs to be governed. As long as a consumer hasn’t opted out, the business can use and process data as it wishes within the boundaries of the law.  

That said, all businesses under the CCPA should have well-defined processes to respond to consumer requests promptly. This includes procedures for access and deletion requests. Every business also needs a CCPA-compliant Privacy Policy.  

In addition, any business that sells consumer information under the CCPA must have a button on its website that states “Do Not Sell My Personal Information,” giving an opportunity for a consumer to opt-out if required.  

Security measures: GDPR vs CCPA

Data security is a cornerstone of the GDPR. Data holders must implement several technical and organizational measures to ensure the security of personal data.  

Depending on risk, organizations will need to implement encryption standards, data backup functionalities, data access controls, and more. These measures aim to safeguard consumer data from the risk of a cyber-attack.  

Organizations will also need to perform regular risk assessments and practice data minimization to keep stored data to a minimum.  

In contrast, the CCPA has no formal data security requirements. That said, consumers can always take legal action against your business if you suffer a data breach and don’t maintain adequate security measures, so it’s always best to err on the side of caution.  

How are the data protection laws enforced?  

Finally, let’s contrast the GDPR enforcement measures with those of the CCPA.

Maximum financial penalties: GDPR vs CCPA

The GDPR issues penalties based on the seriousness of the infringement. It currently has a maximum penalty for noncompliance of 4% of a business’s global annual turnover or 20 million Euros—whichever is higher.  

The Attorney General of California issues the CCPA fines. Like the GDPR, businesses can receive penalties for failing to comply. The CCPA has a maximum of $2,500 for each accidental violation and $7,500 for each intentional violation.

These penalties are ‘per consumer.’ Therefore, a violation on 300,000 users could result in a potential penalty of $2.25 billion. Consumers also have the right to pursue civil action if the violation is related to a data breach due to poor data security practices.

Best practices to comply with the CCPA and GDPR

As a general rule of thumb, we recommend basing your data privacy policies on the GDPR. If you can comply with the GDPR, you can comply with anything, including the CCPA.  

With this in mind, here are five best practices that you should adhere to comply with data protection regulations in the current business landscape.  

Know your data

Data collection and data discovery are the cornerstones of great compliance. Before storing and safeguarding your data correctly, you need to know where it is.  

For this reason, you’ll need to build a central data catalog that encompasses every data asset you possess. You could choose to do this manually or partner with a records management solution that can handle this process for you.  

Knowing where all your data lies is crucial because it ensures there are no unprotected assets that are vulnerable to attack. It also makes responding promptly to data portability and access requests easier.  

Create a comprehensive compliance policy

When it comes to maintaining compliance, you’ll want to start by making a high-level document that outlines your policies in regard to data privacy. This could include details like your security measures, access request procedures, and data transferral policies.

Think of this as the overarching procedures that define your business’s stance on data privacy. All of your stakeholders, managers, and staff need to recognize and understand this document.

Implement data security from the ground up

Whether you’re complying with the GDPR, CCPA, or any other regulatory compliance standard, you need to put data security at the forefront.  

For example, you’ll need to ensure you practice data minimization and purpose limitation. You’ll also need to enforce secure access controls and implement encryption standards. Building robust systems keeps your data secure and your business on the right side of compliance.  

Maintain accurate documentation

Whatever you do with your data privacy compliance strategy, make sure you accurately document the whole process. Doing so will help you prove your compliance during audits.  

You may choose to appoint an individual to do this on your behalf. Alternatively, you could opt for a records management system to automate this process.

Partner with a platform that can automate manual work  

Data privacy compliance management can be challenging. Fortunately, there are solutions available to help you through the process.

A records management system (RMS) can help you determine exactly where your data lies, who has access to it, how long it must be retained, and what it’s being used for, no matter where it lives.  

This means you’ll never need to worry whether a piece of sensitive information is vulnerable, and you’ll always have access to every data asset you possess for documentation, audits, and access requests.

How RecordPoint can help with data privacy compliance

Looking to achieve compliance with the GDPR, CCPA, or any other legislation? RecordPoint is here to help. Our data trust platform will provide you with complete visibility over all your data touchpoints.  

Our system connects to 900+ essential business systems and apps, meaning you can manage all of your data in one central place, no matter where it lies. Plus, our ML-powered data discovery model will aid with data classification, tagging sensitive data automatically, so you can always be sure you’re safeguarding your valued assets.  

We’ll help you keep up to date with compliance so you can focus on your core business processes. Find out more about our compliance solution, or reach out and schedule a demo today to learn more.

‍