How similar are CCPA and GDPR? What does each mean for your business if you serve people in California or the EU?
In this guide, we lay out the basics of each compliance framework so you know if they apply to your business — and how. You’ll also learn what steps are necessary to comply with these laws and what happens if you don’t meet CCPA or GDPR requirements.
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018 and became effective on January 1, 2020. It gives consumers more control over their personally identifiable information — or PII (often used interchangeably with the term personal data) — that businesses collect about them.
PII is defined as information that identifies, describes, relates to, could be reasonably linked to (both directly or indirectly), or is capable of being associated with a particular consumer or household. Examples of PII include employment- and education-related information, geolocation data, internet activity (for example, an individual’s IP address), biometric data, and other personal identifiers. PII is not to be confused with publicly available information, which is information that is lawfully made available from federal, state, or local government records.
CCPA gives California residents the following rights:
- Know whether personal data is collected
- Know which personal information is being collected about you, including the specific categories of data a business collects and the categories of sources of personal data
- Know the business or commercial purpose of collecting personal information
- Know whether that data is sold or disclosed, and to whom, including the categories of third parties with whom personal data is shared
- Access your personal data
- Move or port your personal data
- Opt out of the sale of your personal data
- Request that a business delete any personal information about you as a consumer
- Not be discriminated against for exercising your CCPA rights
- The CCPA and its regulations apply to any entity that engages in transactions with Californians for financial gain or collects any information from California residents. It doesn’t matter if the entity is located in California or not.
The CCPA also applies to any business that meets one or more of the following thresholds:
- Has an annual gross revenue of over $25 million USD
- Derives 50% or more of its annual revenues from selling consumers’ personally identifiable information
- Holds data containing PII of 50,000 or more Californian consumers, households, or devices
The General Data Protection Regulation (GDPR), is Europe’s data privacy and security law that went into effect on May 25, 2018. It’s considered the strongest set of data protection rules in the world.
The GDPR’s regulations pertain to any business that targets, collects and/or manipulates the personal data of EU residents. Personal data is defined as any information relating to an identified or identifiable natural person (also known as the data subject). More specifically, according to the GDPR, “An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Your company is subject to the GDPR if it processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed, or if it was established outside the EU and is offering goods and/or services (paid or for free) to — or is monitoring the behavior of — individuals in the EU.
Depending on what activities you perform, your business will be considered a data controller or a data processor. A data controller controls the procedures and purpose of data usage. It dictates how and why data is going to be used by the organization and can process collected data using its own processes or work with a third-party or external service. A data processor processes the data that the data controller gives them and is bound by the instructions provided by the data controller — it doesn’t own or control the data.
Key similarities between the CCPA and the GDPR
While the details governing their applications differ, the CCPA and the GDPR bear a high degree of similarity in the rationale, core, and scope of the provisions considered.
Let’s take a look at some of these similarities between the CCPA and the GDPR:
- Both only protect natural persons (individuals) and do not cover legal persons.
- Both a covered business (CCPA) and controller (GDPR) are defined by the fact that they establish the means and purposes of data processing.
- Both apply to organizations that may not have a presence in the EU or California, but offer goods, services or monitor the behavior of people in the EU/collect or sell California consumers’ personal information.
- The CCPA’s PII comprises information that directly or indirectly relates to — or could reasonably be linked to — a particular consumer or household. Similarly, the GDPR’s personal data comprises “any information” that directly or indirectly relates to an identified or identifiable individual.
- Both have similar definitions of what qualifies as personal identifiers, including online identifiers (for example, cookies, IP addresses, radio frequency identification tags, email addresses, and account names).
- The CCPA doesn’t apply to “de-identified” or “aggregate” consumer information — information that can’t reasonably identify or be linked, directly or indirectly, to a particular consumer, or information that relates to a group. Similarly, the GDPR doesn’t apply to “anonymized” data, where the data can no longer identify the data subject.
Source: The Future of Privacy Forum
Key differences between the CCPA and the GDPR
The CCPA is essentially a less strict version of the GDPR. Here’s how they differ:
- While only for-profit entities (“businesses”) are covered under the CCPA, businesses, public bodies and institutions, and not-for-profit organizations are all subject to the GDPR with regard to personal scope.
- Whereas the CCPA sets thresholds that determine businesses covered by the law, the GDPR does not — laws apply to all businesses that determine the “purposes and means of the processing” of data.
- The CCPA’s “consumers” must be California residents in order to be protected, while the GDPR doesn’t specify residency or citizenship requirements.
- While the CCPA specifically excludes collecting and sharing of some categories of personal information from its scope of application, the GDPR does not.
- The CCPA’s definition of PII doesn’t cover publicly available information, while the GDPR’s definition of personal data does.
- Whereas the CCPA excludes medical information from its protection — to the extent it is governed by the Confidentiality of Medical Information Act — the GDPR protects personal data related to health to a higher standard, since it’s considered one of the special categories of data.
The legal requirements of CCPA vs. GDPR
The legal frameworks for the CCPA and GDPR differ. Take a look below for details on the CCPA's four rights and the GDPR's seven principles.
The CCPA’s four rights
The CCPA’s legal requirements include the Right to Know, the Right to Delete, the Right to Opt-Out of Sale and the Right to Non-Discrimination. Let’s take a closer look at each.
The Right to Know — The CCPA’s privacy notice, or “notice at collection”, states that businesses must inform customers about the personal information categories collected and the intended use purposes for each category. What’s more, further notice is required to collect additional personal information categories and/or use collected personal information for unrelated purposes.
The Right to Delete — This mandates that if a consumer makes a verified request to a business to delete their personal data, the business is legally required to delete the requestor's personal information from all of its data stores. They also must direct any third-party service providers to delete their personal data as well.
The Right to Opt Out — The CCPA states that businesses must enable and comply with a consumer’s request to opt-out of the sale of personal information to third parties and include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on the home page of their website(s).
The Right to Non-Discrimination — This states that businesses can’t deny goods or services, provide a different level or quality of goods or services, or charge customers a different price simply for exercising any of the rights granted to them by the CCPA.
The GDPR’s seven principles
The seven GDPR principles cover protection and accountability and lay out the broad purposes of the law:
1. Lawfulness, fairness, and transparency — Whenever you’re processing personal data, you should have a good reason for doing so (lawfulness). You shouldn’t purposely withhold information about what data you’re collecting or why, and state that you won’t misuse or mishandle the data you collect (fairness). You must be clear, honest, and open about who you are and why and how you’re processing personal data (transparency).
2. Purpose limitation — Data must be “collected for specified, explicit, and legitimate purposes” only. In other words, you must state your purposes for processing data clearly and closely follow those stated purposes.
3. Data minimization — Don’t collect more personal information than you need from your users.
4. Accuracy — Ensure the accuracy of the data you collect by setting up checks and balances to correct, update, or erase it.
5. Storage limitation — You must justify the length of time you keep each piece of data you store and create a standard time period after which you’ll anonymize any data you’re not actively using.
6. Integrity and confidentiality — Personal data must be secure from both external and internal threats, including accidental loss, "unauthorized or unlawful processing," damage, or destruction.
7. Accountability — You must have appropriate measures and records in place as proof of your compliance. Document how personal data is handled and how you ensure only people who need access to information have it.
Penalties and enforcement for CCPA vs. GDPR
Penalties and enforcement mechanisms also differ for the CCPA and the GDPR.
CCPA penalties and enforcement
If there is an apparent violation, the California Office of the Attorney General (OAG) will send a 30-day cure notice to the business. If the business fixes these violations within 30 days, no further action is taken. However, businesses that don’t fix alleged violations within 30 days of receiving a cure notice can face two different forms of enforcement actions: injunctions and civil fines. An injunction will order the business to stop collecting California residents’ personal information — or even to cease all operations in the state — while violations will incur a fine of up to $2,500 per normal violation or $7,500 per intentional violation.
GDPR penalties and enforcement
The GDPR individual data protection authorities (DPAs) that are independent of the government and from the 27 EU member states enforce the GDPR. These DPAs work together as a group on the European Data Protection Board (EDPB). Prior to the application of monetary fines, corrective measures may include reprimands, warnings, demanding the rectification and/or deletion of data, imposing temporary or permanent bans on the processing of data, and suspending the transfer of data for a period of time. When fines are levied, they can be up to 4% of a business’s annual global revenue or 20 million euros, whichever is greater. Additionally, individuals who have suffered any sort of damages also have the right to seek compensation against the company responsible for them.
How to become CCPA and/or GDPR compliant
When seeking GDPR or CCPA compliance, it's important to understand how they differ. But, there are also ways to accomplish both with greater ease by using a compliance platform — like Strike Graph — that allows you to map the same security controls to multiple frameworks (like the CPPA and GDPR).
In order to become CCPA compliant, your business will need to share all privacy information with consumers in a central place on your website. This information should include the following components:
- An opt-out button from sharing some or all aspects of their personal data (including information collected by cookies, pixels, and other tracking technologies)
- A way for consumers to submit a Data Subject Access Request (DSAR)
- A way to capture, validate, and retain DSARs and enact Do Not Sell requests
You’ll also need to create internal reports that demonstrate your compliance and show that you can send deletion requests to third parties (if you use them) and ensure those requests are being executed. Additionally, your business will need to maintain updated suppression lists and demonstrate they are being applied both internally and by third parties.
Becoming GDPR compliant depends on whether your business is considered a data controller or a data processor.
If you’re a data controller, you must take the following actions:
- Obtain consent.
- Govern access.
- Ensure the lawfulness of data processing.
- Ensure the transparency of information.
- Protect accuracy.
- Ensure confidentiality.
If you’re a data processor and/or controller that collects and manipulates data, you need to abide by the following rules:
- Process data only per instructions from the data controller.
- Enter into a binding contract with the processor.
- Do not engage sub-processors without the consent of the controller.
- Ensure the security of the data.
- Notify the controller of data breaches.
- Follow accountability guidelines.
- Follow international transfer protocols.
- Cooperate with authorities.
- Assign roles and responsibilities for a compliance officer, project manager, and possibly a data protection officer (DPO).
To obtain and maintain GDPR compliance, you’ll also need to continuously perform risk assessments, establish data governance, implement the appropriate controls, uphold data subject rights, create and maintain the required documents, train your employees, and regularly perform gap analysis and remediation.