Published on: Feb 4, 2020
CCPA vs. GDPR: Key Differences and Compliance Requirements
How is your organization keeping up with the GDPR and CCPA requirements? In 2018, Mark Zuckerberg made headlines for all the wrong reasons when he was grilled in a Senate hearing over Facebook's handling of personal data.
It was the most important hearing in the history of online data privacy, highlighting an ever-growing issue. Unfortunately for Facebook, consumers today are more informed than ever about the processing and usage of their personally identifiable information (PII). As a result, government authorities all over the world have begun to introduce privacy regulations.
Let's compare two of the most significant privacy reforms in the last two years: GDPR and CCPA.
What Is GDPR?
GDPR stands for General Data Protection Regulation. Put in place by the European Parliament, it came into effect in May 2018 with the intent to regulate how businesses collect and process the personal data of their customers. GDPR is the more extensive privacy reform of the two and forms the foundation of the data protection regulatory framework within the EU. It enables EU residents to exercise their rights to access and erase their information and to withdraw consent for the use of their data.
But GDPR goes even further. It’s designed to give individuals significant control over their personal information, emphasizing transparency and accountability for any organization handling that data. Companies must allow people to know what information is being collected, access it upon request, and have it deleted when it’s no longer needed. The principle of “storage limitation” means organizations can’t keep your data indefinitely; if they want to use it for a new purpose, they need fresh consent.
A key requirement is that privacy policies must be easily accessible and written in plain language. If cookies are used, a dedicated cookie policy is required, and explicit, affirmative consent must be obtained before collecting or processing data if consent is the legal basis. These policies must outline what is being collected, how it’s used, and how individuals can exercise their rights.
What Is CCPA?
CCPA stands for California Consumer Privacy Act. It has been in effect since January 1, 2020. The CCPA is smaller in scope and enables California residents to decide how their data is collected, sold or shared by businesses. They can request access to their data and delete it or "opt-out" from the sale of their data to third parties. For the first time, the CCPA provides for an individual's right to sue, permitting class action lawsuits for damages.
Like the GDPR, the CCPA grants consumers the right to know what personal information is collected, to access it, and to request its deletion. However, the CCPA’s approach to consent differs. Rather than requiring explicit consent before data is collected, the law focuses on giving clear notice and easily accessible options to opt out of data sales. Privacy policies must disclose the categories of data collected, how that data is used, and whether it is sold or shared. These notices must be written in clear, straightforward language.
Notably, organizations must also provide details on how they handle sensitive data or information relating to children, and explain how consumers can exercise these rights. While the CCPA doesn’t require affirmative consent in most cases, it places a premium on transparency and user empowerment when it comes to personal data.
This enhanced approach by both regulations signals a new era in data privacy, where individuals, not corporations, are put firmly in control.
How Do GDPR and CCPA Compare?
Category | GDPR | CCPA |
---|---|---|
Jurisdiction | Applies to organizations processing personal data of EU residents, regardless of location | Applies to for-profit businesses doing business in California that meet certain criteria |
Personal Data Definition | Broad, any information relating to an identified or identifiable person | Broad, but emphasizes information that identifies or could be linked to a consumer or household. |
Consumer Rights | Right to access and correct personal data; right to erasure; right to data portability; right to restrict or object to processing; rights related to automated decision-making and profiling | Right to know what personal information is collected; right to access it; right to request its deletion; right to opt out of the sale of personal information |
Legal Basis for Data Processing | Requires a legal basis (e.g., consent, contract, legal obligation, legitimate interest) | Does not require legal basis for processing, except for sale of data where opt-out is mandated |
Consent Requirements | Must be freely given, specific, informed, and unambiguous; opt-in is standard | Opt-out model—businesses must offer a "Do Not Sell My Personal Information" link |
Penalties for Non-Compliance | Up to €20 million or 4% of global annual revenue, whichever is higher | Up to $7,500 per intentional violation and $2,500 per unintentional violation |
Enforcement Authority | National data protection authorities in each EU member state | California Attorney General (and the California Privacy Protection Agency under CPRA) |
Who Does it Apply To? | Any business that processes EU residents’ personal data | For-profit businesses that meet at least one of: more than $25 million in annual gross revenue; data of more than 50,000 California consumers, households, or devices; at least 50% of annual revenue from the sale of personal information |
Data Protection officer (DPO) | Mandatory for certain organizations (e.g., large-scale processing) | Not required |
Private Right of Action | Limited to specific circumstances | Allowed for certain data breaches (limited scope) |
Focus | Broad privacy protection and accountability | Transparency, consumer control, and data monetization practices |
How is Personal Information Defined Under Each Standard?
GDPR
According to the GDPR, personal data is defined as "any information relating to an identified or identifiable natural person." This includes any data subject who can be identified by reference to an identifier, such as a name, or to assigned data, e.g. a phone number. Because the definition includes "any information", companies must assume that "personal data" is to be interpreted as broadly as possible, covering less explicit personal information such as when an employee clocks in and out of work.
CCPA
The CCPA also has a broad definition, stating personal information to be "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The CCPA does not apply to employee or public data, nor to de-identified or aggregated consumer information.
When Are Companies Allowed to Use Personal Data?
GDPR
Under the GDPR, companies can only process personal data if they have a valid legal reason—these are referred to as "legal bases." There are six, and organizations must establish and document at least one before handling any personal information. The legal bases are:
Consent: The individual has freely given specific, informed, and unambiguous permission for their data to be used—think of someone ticking the box to receive marketing emails.
Contract: Processing is necessary to fulfill a contractual obligation or prior to entering into a contract, such as shipping an order or providing a requested service.
Legal Obligation: Companies may need to process personal data to comply with a legal requirement, like tax reporting.
Vital Interests: This comes into play when the processing is needed to protect someone’s life or physical safety.
Public Task: Applies when an organization is carrying out an official function or a task in the public interest, usually relevant to public authorities or entities.
Legitimate Interests: The business (or a third party) has a genuine reason that doesn’t unfairly override the rights of the individual—like preventing fraud or securing systems.
Businesses must be clear on which legal basis they’re using for each activity and be able to show evidence, especially in cases where they rely on consent.
CCPA
In contrast, the CCPA is more permissive about when companies can collect or use data. For most business activities, there is no formal requirement to justify use ahead of time. As long as they provide California consumers with the option to opt out of the sale of their personal information, companies have considerable freedom. However, there are exceptions when specific obligations kick in, such as:
Complying with federal, state, or local laws.
Responding to investigations or requests from law enforcement.
Performing internal research for technological development.
Conducting activities considered to be in the public interest.
In everyday operations, businesses can also process data for "business purposes"—this could cover everything from auditing and security to troubleshooting errors or facilitating transactions.
In summary, GDPR sets a high bar, requiring companies to justify every use of personal data with a documented legal reason. CCPA, on the other hand, gives businesses broader leeway, provided consumers are given transparency and the right to say “no” to the sale of their information.
Handling Children’s Data
GDPR
Under the GDPR, the protection of children’s personal data is a top priority. The regulation requires that parental or guardian consent must be obtained before collecting or processing the personal data of children under the age of 16, although individual EU member states may lower this age threshold to 13. Businesses are expected to take reasonable steps to verify that such consent has truly been given by a parent or guardian. This standard applies across all channels, including email marketing, app registrations, and online services.
CCPA
The CCPA also sets out additional safeguards for children’s data, though with some key distinctions. For children under the age of 13, a business must obtain verifiable parental consent before selling or sharing any personal information. For children aged 13 to 16, the child’s own affirmative consent is required. These provisions aim to give families a stronger say over how their young members’ information is used and ensure those under 16 aren’t automatically swept into data sharing without a clear opt-in process.
What Organizations Do These Apply To?
GDPR
The General Data Protection Regulation (GDPR) has a wide scope that applies to any organization—regardless of where it's based—that processes the personal data of individuals located in the European Union (EU) or European Economic Area (EEA).
You must comply with GDPR if your organization:
Offers goods or services (free or paid) to individuals in the EU/EEA
Monitors the behavior of EU/EEA individuals (e.g., through cookies, analytics, or profiling)
Has a presence in the EU or processes data on behalf of an EU-based company
It applies to organizations of any size, in both the public and private sectors, and covers employees, job applicants, customers, and even website visitors.
GDPR Compliance Essentials
To meet GDPR requirements, organizations must demonstrate a proactive, privacy-by-design approach. Key responsibilities include:
Lawful Basis for Processing: Organizations must identify and document a legal reason for collecting or processing personal data. Where consent is the basis, it must be freely given, specific, informed, and unambiguous (opt-in, not opt-out).
Data Subject Rights: Individuals (data subjects) have a wide range of rights under GDPR, including:
The right to access and correct personal data
The right to erasure (“right to be forgotten”)
The right to data portability
The right to restrict or object to processing
Rights related to automated decision-making and profiling
Privacy Notices and Transparency: Clear and concise privacy notices are mandatory. These must explain what data is collected and why, who it's shared with, how long it will be stored, and how individuals can exercise their rights.
Security and Accountability: GDPR requires organizations to implement technical and organizational measures to safeguard data. Organizations must also be able to prove their compliance.
Breach Notification: In the event of a data breach, organizations must report it to the relevant data protection authority within 72 hours—unless the breach is unlikely to pose a risk to individuals’ rights and freedoms.
Data Minimization and Retention: Organizations may only collect the data they truly need and must not keep it longer than necessary. Retention periods should be documented and communicated clearly.
CCPA
CCPA maintains a narrower scope. It applies to for-profit entities that fulfill any of the following conditions:
Maintain more than $25 million in annual gross revenue.
Collect, sell, buy, or share data of more than 50,000 devices, consumers, or households in California. This includes online visitors.
Earn at least 50% of annual revenue from the sale of consumers' personal information.
It protects Californian residents even if they live outside the state. It may or may not apply to employees and job candidates due to Assembly Bill 25.
CCPA Compliance Essentials
To comply with the CCPA, organizations must focus on responsible data handling that empowers consumers and supports transparency. Key requirements include:
Consumer Choice: Companies must allow individuals to opt out of the sale or sharing of their personal data. This is typically achieved through a clear and accessible “Do Not Sell My Personal Information” link on your website.
Disclosure Obligations: Businesses are required to inform consumers about the categories of personal information collected, the intended purposes for this data, and the types of third parties with whom it may be shared.
Consumer Rights: Individuals can request access to their personal data, demand deletion, or prohibit its sale. Companies must have systems in place to honor these requests efficiently.
Data Minimization: Similar to GDPR, CCPA restricts retention—personal information should not be stored longer than necessary, and organizations must communicate retention periods clearly to consumers.
Understanding all website trackers and cookies in use is vital, as is having a centralized process for managing consent and consumer rights requests. These practices are foundational for demonstrating ongoing compliance under the CCPA.
Supervising Authorities
GDPR
Non-compliance with the GDPR results in penalties that are imposed by the national Data Protection Authorities in the EU member states. These authorities are responsible for raising awareness of the regulations and providing guidance on compliance.
They carry investigatory powers and can:
Conduct audits of organizations for GDPR breaches.
Issue warnings and instruct data controllers to follow the regulation.
Impose bans on data processing.
Issue administrative fines.
Order the deletion of wrongfully collected data.
CCPA
The Attorney General of California can enforce the CCPA through monetary penalties. Civil actions form the basis of the assessment of non-compliance, and it is at the discretion of the Attorney General whether to begin an investigation.
Violations
GDPR
Upon being found in violation, businesses can be fined up to either 4% of their annual global revenue or €20 million, whichever is higher. They may also have to compensate victims of a data breach for material or non-material damages. There is no grace period for offenders.
CCPA
As the CCPA was only introduced at the start of 2020, a six-month grace period has been put in place before enforcement begins. After that, fines can range from $2,500 to $7,500 per violation. In civil actions, transgressors must pay $100 to $750 per consumer per incident. They have 30 days to rectify their errors and communicate the reforms to their consumers. If the issue is not resolved and the Attorney General declines to prosecute, the affected consumer can begin a class action lawsuit.
The Role of Consent Management Platforms
A consent management platform (CMP) serves as a key tool for businesses aiming to comply with both the GDPR and CCPA. These platforms allow organizations to systematically capture, document, and manage user consents—whether that's for cookies, marketing, or other forms of data collection. With a CMP, companies can not only secure explicit consent from users but also maintain detailed records for future audits or data requests, helping satisfy strict requirements set by EU regulators.
In the context of the CCPA, a CMP enables businesses to identify all tracking technologies in use and streamline the process for users to opt out of data sales. It centralizes management of consumer rights and preferences, which is vital for demonstrating compliance if an issue arises and ensuring users can exercise their rights easily. From managing cookie banners to coordinating consumer access or deletion requests, a robust CMP ensures transparency and keeps businesses accountable in a rapidly evolving privacy landscape.
Key Takeaways
When comparing GDPR and CCPA, it’s clear they reflect different regulatory philosophies. GDPR takes a global, comprehensive approach to personal data protection, emphasizing informed consent, accountability, and a broad range of individual rights, including data portability and the right to object. It applies to any organization handling data from EU residents and enforces strict penalties for non-compliance. In contrast, CCPA focuses more narrowly on consumer rights for California residents, emphasizing transparency and allowing individuals to opt out of data sales or sharing. While CCPA lacks the broad consent requirements and deeper enforcement powers of GDPR, it marks a meaningful shift in U.S. privacy law by requiring businesses to disclose data practices and respond to consumer requests.
Together, these frameworks underscore the growing global demand for greater data control and organizational accountability.