CCPA vs GDPR: Knowing the Difference

How is your organization keeping up with the GDPR and CCPA requirements? In 2018, Mark Zuckerberg made headlines for all the wrong reasons when he was grilled in a Senate hearing over Facebook’s handling of personal data. It was the most important hearing in the history of online data privacy, highlighting the ever growing issue. Unfortunately for Facebook, consumers today are more informed than ever about the processing and usage of their personally identifiable information (PII). As a result, government authorities have begun to introduce privacy regulations all over the world. Let’s compare two of the most significant privacy reforms in the last two years: GDPR and CCPA.

What Is GDPR?

GDPR stands for General Data Protection Regulation. Put in place by the European Parliament, it came into effect in May 2018 with the intent to regulate how businesses collect and process the personal data of their customers. GDPR is a more extensive privacy reform that is the foundation of the data protection regulatory framework within the EU. It facilitates EU residents to exercise their right to access and erase information and to withdraw consent for the use of their data.

What Is CCPA?

CCPA stands for California Consumer Privacy Act. It has been in effect since January 1, 2020. The CCPA is smaller in scope and enables California residents to decide how their data is collected, sold or shared by businesses. They can request access to their data and delete it or “opt-out” from the sale of their data to third parties. For the first time, the CCPA provides for an individual’s right to sue, permitting class action lawsuits for damages.

Personal Information


According to the GDPR, personal data is defined as “any information relating to an identified or identifiable natural person.” This includes all data subjects that can be identified by reference to an identifier, such as a name, or assigned data, i.e. a phone number. Considering the definition includes “any information” companies must assume that “personal data” should be interpreted as broadly as possible to include less explicit personal information such as when an employee clocks in and out of work.


The CCPA also has a broad definition: stating personal information to be “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CCPA does not apply to employee or public data nor to de-identified or pooled consumer information.

Who Does it Apply to?


Like most data protection regulations, the GDPR applies to both non-profit and for-profit organizations. Any business that stores, manages, or processes personal data of citizens from the European Union (EU) is required to comply with the GDPR. It applies to both employees and potential candidates.


CCPA maintains a narrower scope. It applies to for-profit entities that fulfill any of the following conditions:

  • Maintain more than $25 million in annual gross revenue.
  • Collect, sell, buy, or share data of more than 50,000 devices, consumers, or households in California. This includes online visitors.
  • Earn at least 50% of annual revenue from the sale of this data.

It protects Californian residents even if they live outside the state. It may or may not apply to employees and job candidates due to Assembly Bill 25.

Supervising Authorities


Non-compliance with the GDPR results in penalties that are imposed by the national Data Protection Authorities in the EU member states. These authorities are responsible for raising awareness of the regulations and providing guidance on compliance. They carry investigatory powers and can:

  • Conduct audits of organizations for GDPR breach.
  • Issue warnings and instruct data controllers to follow regulations.
  • Impose bans for data processing.
  • Issue administrative fines.
  • Delete wrongfully collected data.


The Attorney General of California can enforce the CCPA through monetary penalties. Civil actions form the basis of the assessment of non-compliance and it is at the discretion of the Attorney General to begin any investigation.



Upon being found guilty of a violation, businesses can be fined up to either 4% of their annual global revenue or 20 million Euros. They may also have to compensate victims of a data breach for material or non-material damages. There is no grace period for the offenders.


As the CCPA was only introduced at the start of 2020, a six-month grace period has been put in place before enforcement begins. After which fines can range from $2,500 to $7,500 per record violation. After civil action, transgressors must pay $100 to $750 per consumer for an incident. They have 30 days to rectify their errors and communicate the reforms to their consumers. If the issue is not resolved, and the attorney general declines to prosecute, then the affected consumer can begin a class action lawsuit.

How are GDPR and CCPA Similar?

  • GDPR and CCPA protect the same categories and types of information.
  • Both regulations focus on transparency and disclosure requirements.
  • Both are introduced to protect data subjects or consumers.
  • Apply to businesses based anywhere in the world.

How to Comply with CCPA and GDPR?

It is important to take these regulations seriously. A few months ago, a French company had to pay €500,000 for violating GDPR. If you are struggling to comply with GDPR and/or CCPA, you are not alone. If you don’t know where to start, we suggest turning to a consultant for guidance. If your compliance team has the expertise, then we would suggest a dedicated GDPR platform or better, a more encompassing compliance management GRC tool.