CCPA vs GDPR: Key Similarities & Differences Businesses Must Understand

The European Union’s (EU) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have many similarities: they were introduced around the same time, they both give consumers greater rights over their data and they both have impacts on a global scale – but there are important differences too. 


So, what are some of the key differences between GDPR and CCPA? How can you be sure your website is compliant?

CCPA vs. GDPR

Scope
CCPA: For-profit businesses trading in California with gross annual revenue over $25 million, or processing the data of over 50,000 consumers, households or devices, or deriving over 50% of annual revenue from selling consumer data. Non-profits controlled by a for-profit parent company are also covered.
GDPR: Data controllers and processors either established in the EU or located outside the EU but processing the data of EU data subjects in connection with selling goods or services or monitoring consumer behavior in the EU.

Beneficiaries of protection
CCPA: California residents, including where they are travelling out of state.
GDPR: Data subjects, meaning individuals to whom the data relates and who are identified or identifiable.

Type of information
CCPA: Personal information - information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked (directly or indirectly) to a particular consumer or household. Some categories of personal information are identified as falling within the definition.
GDPR: Personal data - information relating to an identified or identifiable subject. Some categories of personal data can only be processed if a lawful justification can be found.

Privacy notice
CCPA: The privacy notice must confirm what categories of personal data are collected and for what intended purpose. Third parties must give consumers the opportunity to opt out of their data being re-sold.
GDPR: Data controllers must provide detailed information about how data is collected and processed, including whether third parties are involved.

Right to access
CCPA: Consumers can request disclosure of their data, which must be provided free of charge in a portable format.
GDPR: Data subjects can access their data following a written request, and it must be provided in a portable format.

Right to delete
CCPA: Consumers can request the deletion of their data, although there are some grounds on which organizations may refuse.
GDPR: Data subjects can request erasure of personal data if it falls within one of six circumstances.

Right to correct
CCPA: Consumers can ask for incorrect data about them to be corrected.
GDPR: Data subjects can ask for incorrect data about them to be corrected.

Right to refuse
CCPA: Consumers can opt out of their data being processed for particular purposes such as direct marketing, profiling and research.
GDPR: Consent must be given before personal data is collected, and it can be withdrawn subsequently.

Right to opt out of third-party sales
CCPA: Consumers must be given the opportunity to opt out of their personal information being sold on to third parties.
GDPR: No specific right to opt out of third-party sales, but data subjects can opt out of processing for marketing and withdraw consent for data processing.

Freedom from discrimination
CCPA: Individuals have the right to freedom from discrimination where they exercise CCPA rights, for example a business withholding services because an individual opts out of data collection.
GDPR: The right not to be discriminated against is not explicitly stated.

Security controls
CCPA: Data security requirements are not contained in the CCPA, but if a business violates its duty to implement reasonable security practices, individuals may be able to seek damages.
GDPR: Data controllers and processors are required to select appropriate technical and organizational measures to manage security risk.

Enforcement
CCPA: Breaches can be punished by a fine applied by the California Attorney General of up to $2,500 per violation or $7,500 for intentional violations. There is no cap on the total fine amount. Businesses are given 30 days to rectify breaches before fines are assessed. Individuals can only bring a lawsuit privately where businesses can be shown to be in violation of their duty to implement reasonable security procedures, and only for a specific category of personal information, which excludes redacted or encrypted data.
GDPR: Fines are capped at €20 million or 4% of annual global turnover. Individuals can also take court action seeking compensation from a data controller or processor.

Rights for individuals under the CCPA and GDPR

While the two laws apply to different jurisdictions, they share some similarities in terms of the rights they provide to individuals. 

Right to be Informed

Both the CCPA and GDPR require businesses to inform individuals about the collection, use, and sharing of their personal information. This includes providing a privacy notice and specifying the purposes for which the data will be processed.

Right of Access

Individuals have the right to request access to their personal information held by a business under both the CCPA and GDPR. This allows them to see what data is being processed and verify its accuracy.

Right to Rectification

Under the GDPR, individuals have the right to request the correction of inaccurate or incomplete personal information. While the CCPA does not explicitly provide this right, businesses may still need to correct inaccurate data to comply with other CCPA requirements.

Right to Erasure/Deletion

Both the CCPA and GDPR grant individuals the right to request the deletion of their personal information in certain circumstances, such as when the data is no longer necessary for the purpose it was collected or if the individual withdraws consent.

Right to Data Portability

The GDPR provides individuals the right to obtain their personal information in a structured, commonly used, and machine-readable format, allowing them to transmit it to another controller. The CCPA does not explicitly offer this right, but it does allow individuals to request their personal information in a readily usable format.

Right to Object/Restrict Processing

Under the GDPR, individuals can object to the processing of their personal information for specific purposes, such as direct marketing, and can request restrictions on processing in certain situations. The CCPA does not provide an equivalent right but does require businesses to honor “Do Not Sell My Personal Information” requests from consumers.

Right to Opt-Out of Sales of Personal Information

The CCPA gives consumers the right to opt out of the sale of their personal information by a business. The GDPR has no specific equivalent provision, but individuals can exercise their right to object to processing based on legitimate interests or for direct marketing purposes, which can achieve a similar result.

Right to Non-Discrimination

Both the CCPA and GDPR prohibit businesses from discriminating against individuals who exercise their privacy rights. This includes charging different prices, providing different levels of service, or denying goods and services altogether.

It is important to note that these rights are not absolute and may be subject to exceptions, depending on the specific circumstances and legal requirements.

Do you understand the differences between CCPA and GDPR?

CCPA and GDPR cover a lot of the same territory, but there are some important differences between the two regimes. As more countries prepare their own data legislation, it’s vital to be up to speed on the details of what you need to do to meet CCPA requirements, comply with GDPR consent requirements and satisfy any other rules that apply to your operations.


Why not let CookieHub help you manage your cookie policies, so you can be sure you’re meeting requirements in different locations?
