CCPA vs. GDPR Compliance: What are the Differences?

Published on December 6, 2021 by Clément Hochedez

Updated on May 27, 2022 by Clément Hochedez

Almost every interaction with an organization — especially online — involves sharing personal data. The shared data might include a name, a location, or even how a user navigates a website.

 

Sharing your personal information with a company has its perks: the website learns the language you speak, your browsing preference, and maybe your purchase history. But, it comes at a price: consumers are increasingly worried about how their data might be used, or misused. 

 

As a result, data protection laws — such as the California Consumer Privacy Act of 2018 (CCPA) and the General Data Protection Regulation (GDPR) — are in place. What are these two laws, how do they differ, and what do they mean for you? Let's dive in. 

 


What are the GDPR and the CCPA?

Let's take a look at an overview of these regulations:

 

What is GDPR?

The GDPR launched in April 2016 to establish one set of data privacy laws, with a higher level of protection for individuals, across the European Union (EU).

 

As a result, the GDPR created protocols for organizations handling personal information. The GDPR also established new definitions for personal data, consent, accountability, and all parts of processing data. 

 

By the end of May 2018, any website that gets EU visitors and processes personal data (or works with a third-party service that does) must comply with the GDPR. Part of complying means asking each user for permission to access and use their data. 

 

From a user's perspective, the GDPR helps them:

 

  • Understand exactly how an organization will use their data before it is collected. 

  • Make an informed decision to share their data.

  • Learn how to raise a complaint related to data privacy. 

 

What is CCPA?

Once the GDPR took effect, the CCPA was the first similar privacy effort to be regulated in the United States (US). The CCPA regulations seek to give users more control over the personal information that businesses collect. 

 

The CCPA established new privacy rights for California consumers, such as:

 

  • The right to know what personal data an organization collects about them, and how it is used and shared.

  • The right to delete personal data collected from them (with exceptions).

  • The right to opt-out of the sale of their data.

  • The right to non-discrimination while exercising their CCPA rights.

 

The CCPA has been amended by the California Privacy Rights Act (CPRA), which will come into effect in January 2023. From July 2023, it will apply retroactively to processing personal data back to January 2022.

 


 

How is the CCPA different from the GDPR? 

 

The GDPR and CCPA data privacy regulations are very similar, but they have several differences. 

 

In a CCPA vs. GDPR comparison, the focus of each differs. The GDPR works to establish a legal foundation that puts privacy first across the entire EU. The CCPA, on the other hand, focuses on providing data transparency for California consumers.

 

Think of the GDPR as something that happens before a user looks at the content on a website, while the CCPA helps users see who has their data and how it's used. 

 

As for the differences between the GDPR and the CCPA, many would say the CCPA is a less strict version of the GDPR, but that may depend on who you ask. Take a look at this CCPA vs. GDPR chart:

 

Regulation compared: GDPR vs. CCPA

  • Only protects natural persons, not legal persons

  • Applies to the processing of personal data

  • Applies to collecting, selling, and sharing personal information

  • Excludes specific categories of personal data

  • Protects personal data related to health

  • Does not define "child"

  • Can only process personal data when there are legal grounds for it

  • Impacts third parties wishing to collect data

  • Individuals have the right to be informed about the categories of data processed and the processing purposes

  • The privacy policy must be updated every 12 months

  • Data subjects/consumers have options for opting out

  • Data subjects/consumers have the right to access their data free of charge

 

Personal info (CCPA) vs. Personal data (GDPR)

According to the CCPA, categories of personal information include any that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

 

In the CCPA's definition, notice that it's not data specific to a single person but a household. 

 

In the GDPR, personal data is "any information relating to an identified or identifiable natural person (data subject), directly or indirectly, in particular by reference to an identifier."

 

The GDPR's definition of personal data is strictly related to an individual, not a household. But, the GDPR also has a category of sensitive personal data, and the CCPA does not. 

 

CCPA vs. GDPR: Who's concerned? 

The CCPA affects organizations that fit the description for a business (even if it's not based in California). According to the CCPA, a company is: 

 

  • A for-profit entity, 

  • Collects users' personal information,

  • Determines the reasoning for and the means of processing personal information, 

  • Does business in California, 

  • And meets one of the following: annual revenue of more than $25 million, processes personal information for 50,000 California residents annually, or earns 50% of its annual revenue from selling personal information.

 

Under this definition, many organizations outside California still process personal data for large numbers of Californians regularly. Consider a company based in Europe that fits the CCPA's definition of a business — it is obligated to comply with the CCPA.

 

The GDPR applies to data controllers — any entity that processes data. Notice there are no rules for profit, size, public or private, location, etc. As a result, all websites, organizations, and companies that offer goods and services to the EU must comply with the GDPR. 

 

The most significant difference between the GDPR and the CCPA is the scope. The GDPR covers any person in the EU while their data is collected, but the CCPA only protects California consumers. 

 

GDPR vs. CCPA requirements

Both the GDPR and the CCPA require organizations to respect users' data rights.

 

The main rights under the CCPA and the GDPR include:

  • The right to be informed: understanding what data is being collected and how the organization will use it. 

  • The right to access: the ability to easily see their data. 

  • The right to portability: the ability to get a copy of their data. 

 

The CCPA also includes:

  • The right to deletion: erasing the data.

  • The right to opt-out: choose not to have data sold.

 

The GDPR includes: 

  • The right to withdraw consent: cancel permission to collect or sell data at any time. 

  • The right of prior consent: previous consent methods are no longer valid. 

 

While the right to opt out is similar to the right to withdraw consent, the right of prior consent (GDPR) has no equivalent in the CCPA. Regarding CCPA vs. GDPR data guidance, it is vital to understand and respect users' rights.

 

How can I make my website compliant? 

 

Providing rights to users and regulations for organizations trickles down to requirements for websites. 

 

For any compliance queries, do not hesitate to reach out to Didomi. We help companies build value with trust and ensure data compliance through bespoke consent and preference management technology. 

 


 

For a CCPA-compliant website 

Before you begin working on CCPA compliance, determine whether your organization needs to comply. The CCPA defines a business as a for-profit company that meets at least one of the following:

 

  1. Has gross annual revenue of more than $25 million. 

  2. Receives, processes, or transfers data from 50,000+ California residents annually (CPRA: 100,000+). 

  3. Earns at least half of its annual revenue from selling or sharing the personal data of California residents. 

 

If at least one of the above describes your organization, you must comply. Here are the steps you’ll need to take to comply: 

 

Create a comprehensive privacy policy

Your privacy policy should do three things:

  • Meet CCPA consent requirements by informing consumers of your intentions at or before the moment of data collection

  • Be available in the languages in which your business provides information in California

  • Be available via a banner or pop-up (for example, through a Consent Management Platform) when users visit your site

 

Inform users about their rights

Under the CCPA regulations, users have the:

  • Right to Know

  • Right to Delete 

  • Right to Non-discrimination

  • Right to Opt-Out 

  • Right of Minors 

  • Right to Data Portability

 

There are also four new rights under the CPRA: 

  • Right to correction

  • Right to know about automated decision-making 

  • Right to opt-out of automated decision-making 

  • Right to limit the use of sensitive personal information

 

Update your privacy policy every year

Your privacy policy should: 

  • Reflect any new changes in CCPA regulations

  • Have the date of your most-recent update visible 

  • List all categories of personal information that your business has sold in the last year

 

Re-offer opt-in consent every 12 months

If the consumer has opted out, you can re-present the option to opt-in again after 12 months. 

 

Include a "Do Not Sell" link (opt-out)

Users must be able to choose to opt out, and the option should be easily visible and accessible on your website. You'll also have to verify consent before collecting personal information from minors aged 13 to 16.

 

Enable consumers to make Data Subject Access Requests (DSARs)

A DSAR gives individuals a right to access information about personal data the organization is processing about them. You should make it as easy as possible for users to submit DSARs. 

 

Do this by providing at least two contact options — a toll-free phone number, a web form, or an email address. Then, set up a system to enable the submission of such requests. 

 

Set up a system to verify DSARs

Users should be able to attach verification documents to their submitted requests. You should have a system that enables these submissions and verifies the customer's identity. If you cannot verify the user's identity, the system should inform the user and explain the reasoning. 

 

Keep track of DSARs

The same system should also track all requests and responses for two years.

 

Fulfill DSARs

Users have a right to a response within 45 days. If necessary, the response period can be extended up to 90 days from the original request. 
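To make the four DSAR steps above concrete, here is an added example (not Didomi's code, and not from the original article) of an in-memory request registry that enforces the 45-day window, the single extension to 90 days from the original request, the explanation owed to the user on a failed identity check, and the two-year retention; the class and field names are assumptions.

```javascript
// Added example (not Didomi's code): in-memory DSAR intake and tracking
// following the CCPA steps above. Class and field names are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const RESPONSE_DAYS = 45;      // initial response window
const MAX_EXTENDED_DAYS = 90;  // hard limit, counted from the original request
const RETENTION_YEARS = 2;     // how long requests and responses are kept
function addDays(date, n) { return new Date(date.getTime() + n * DAY_MS); }
class DsarRegistry {
  constructor() { this.requests = new Map(); this.nextId = 1; }
  // Intake from one of the offered channels (toll-free phone, web form, email).
  submit({ channel, subject, type, verificationDocs = [] }, now = new Date()) {
    const id = this.nextId++;
    const req = {
      id, channel, subject, type, verificationDocs, extended: false,
      receivedAt: now, deadline: addDays(now, RESPONSE_DAYS),
      status: 'received', log: [{ at: now, event: 'received' }],
    };
    this.requests.set(id, req);
    return req;
  }
  // Record the identity check; a failed check returns the explanation owed to the user.
  verify(id, verified, reason = '', now = new Date()) {
    const req = this.requests.get(id);
    req.status = verified ? 'verified' : 'rejected';
    req.log.push({ at: now, event: req.status, reason });
    return verified ? null : `We could not verify your identity: ${reason}`;
  }
  // One extension only, and never beyond 90 days from the original request.
  extend(id, now = new Date()) {
    const req = this.requests.get(id);
    if (req.extended) return false;
    req.extended = true;
    req.deadline = addDays(req.receivedAt, MAX_EXTENDED_DAYS);
    req.log.push({ at: now, event: 'extended' });
    return true;
  }
  // Close the request; returns whether it was answered inside the window.
  fulfill(id, now = new Date()) {
    const req = this.requests.get(id);
    req.status = 'fulfilled';
    req.log.push({ at: now, event: 'fulfilled' });
    return now <= req.deadline;
  }
  // Retention: remove records two years after receipt; returns how many remain.
  purge(now = new Date()) {
    for (const [id, req] of this.requests) {
      const expiry = new Date(req.receivedAt.getTime());
      expiry.setUTCFullYear(expiry.getUTCFullYear() + RETENTION_YEARS);
      if (now >= expiry) this.requests.delete(id);
    }
    return this.requests.size;
  }
}
```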

 

For a GDPR-compliant website 

Compliance with the GDPR looks a little different than CCPA compliance. Here are the steps you need to take: 

 

Create a comprehensive privacy policy

The privacy policy should:

  • Be easy to find, read, and understand. 

  • Inform about the lifespan of each cookie and whether third parties may have access to those cookies. 

  • Have similar information available in a privacy banner when the user visits your site.

 

Inform users you are using cookies or other tracking technologies

  • Users must know your intentions before or at the moment you start tracking them.

  • This information should be in your privacy policy

 

Explain what your cookies are doing and why

  • Inform users about the purpose of each data type you're collecting so they can consent (or not) to its collection. 

  • This information should be in your privacy policy. 

 

Obtain your users' valid consent to store a cookie on their device

Inform users about the data collection — what are you collecting, why are you collecting it, and how long are you storing it? Asking for users' consent should be easy, such as checking a box. 

 

Remember, you shouldn't collect any data before a user gives consent. Asking for consent should stand alone, so it doesn't get lost in the mix of other information. Ensure opting out at any time is as easy as opting in. 

 

Document all of this information in case the business is audited. 

 

Give users access to your service even if they do not consent to cookies

If a user refuses data processing, ensure they can still access your service.

 

Collect and process data only after obtaining valid consent

Cookies cannot load until a user has provided consent. Once a user provides consent, you can collect and process personal data precisely in the way the user consented. 

 

Document and store consent received from users

Comply with your documentation obligation to ensure you can verify the users' consent in an audit by data protection authorities (DPAs).

 

Offer a simple opt-out, as simple as the opt-in

Consent should be easy in and easy out. To do this, ensure that the options for accepting and rejecting are designed similarly.

 

After opt-out, ensure that no further data is collected or forwarded

When a user opts out, you can no longer collect data.
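As an added example (not Didomi's code or a CMP API) of the GDPR steps above, the following purpose-based gate keeps trackers from running until consent is recorded, logs each decision for audit, and stops data leaving after opt-out; the purpose names and the `sendFn` transport are assumptions.

```javascript
// Added example (not Didomi's code): a purpose-based consent gate. Trackers
// are registered but not run until the user opts in to their purpose, every
// decision is logged for audit, and withdrawal cuts off further sends.
// Purpose names, the in-memory audit log and `sendFn` are assumptions.
class ConsentGate {
  constructor(purposes, sendFn) {
    this.purposes = purposes;   // e.g. ['analytics', 'ads']
    this.state = {};            // purpose -> true/false; absent = not yet asked
    this.pending = {};          // purpose -> tracker loaders waiting for consent
    this.auditLog = [];         // documented consent history (what, when, granted?)
    this.sendFn = sendFn;       // transport the trackers use to forward data
    for (const p of purposes) this.pending[p] = [];
  }
  // Register a tracker; it only runs once consent for its purpose exists.
  register(purpose, loader) {
    if (this.state[purpose] === true) loader(this.makeSender(purpose));
    else this.pending[purpose].push(loader);
  }
  // Sender handed to a tracker: re-checks consent on every call, so data
  // stops leaving the moment the user withdraws.
  makeSender(purpose) {
    return (payload) => {
      if (this.state[purpose] !== true) return false;
      this.sendFn(purpose, payload);
      return true;
    };
  }
  // Record a decision per purpose; anything but an explicit true is a refusal.
  decide(decisions, now = new Date()) {
    for (const p of this.purposes) {
      if (!(p in decisions)) continue;       // purposes not asked about stay unchanged
      this.state[p] = decisions[p] === true;
      this.auditLog.push({ at: now.toISOString(), purpose: p, granted: this.state[p] });
      if (this.state[p]) {
        const loaders = this.pending[p];
        this.pending[p] = [];
        for (const l of loaders) l(this.makeSender(p));
      }
    }
  }
  // Opt-out is one call, the same shape as opt-in.
  withdraw(purpose, now = new Date()) { this.decide({ [purpose]: false }, now); }
  granted(purpose) { return this.state[purpose] === true; }
}
```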

 

No matter if you’re working to comply with CCPA or GDPR, it’s a lot to manage. A Consent Management Platform will help manage the gathering, storing, and synchronizing consent across countries and platforms so you can meet data privacy regulations efficiently. 

 


 

CCPA vs. GDPR - FAQ 

 

What are the main differences between CCPA and GDPR?

The main differences between the GDPR vs. U.S. law (CCPA) are:

 

  • The focus. The GDPR focuses on a legal foundation that puts privacy first for the entire EU. On the other hand, the CCPA focuses on providing data transparency for California consumers. 

  • The timing. The GDPR comes into play before a user looks at the content on a website, while the CCPA helps users see who has their data and how it's used (after the fact). 

  • The data. In the CCPA's definition, notice that it's not data specific to a single person but a household. The GDPR's definition of personal data is strictly related to an individual, not a household. But, the GDPR also has a category of sensitive personal data, and the CCPA does not. 

 

What are the data subject rights under CCPA & GDPR?

The main data subject rights under the CCPA and the GDPR include:

 

  • The right to be informed: understanding what data is being collected and how the organization will use it. 

  • The right to access: the ability to easily see their data. 

  • The right to portability: the ability to get a copy of their data. 

 

The CCPA also includes:  

 

  • The right to deletion: erasing the data.

  • The right to opt-out: choose not to have data sold.

 

The GDPR includes: 

 

  • The right to withdraw consent: cancel permission to collect or sell data at any time. 

  • The right of prior consent: previous consent methods are no longer valid. 

 

While the right to opt-out is similar to the right to withdraw consent, the right of prior consent (GDPR) has no equivalent in the CCPA.

 

Who should comply with CCPA?

The CCPA defines a business as a for-profit company that:

 

  1. has gross annual revenue of more than $25 million 

  2. receives, processes, or transfers data from 50,000+ California residents annually (CPRA: 100,000+), or 

  3. earns at least half of its annual revenue from selling or sharing the personal data of California residents. 

 

If at least one of the above describes your organization, you must comply. 

 

Is CCPA modeled after GDPR?

Many say the CCPA is the California GDPR equivalent or refer to it as the California Data Protection Regulation. Although the CCPA incorporates some of the same concepts, it is not modeled after the GDPR. The GDPR focuses on creating a legal foundation that puts privacy first for the entire EU. On the other hand, the CCPA focuses on providing data transparency for California consumers. 

 

Think of the GDPR as something that happens before a user looks at the content on a website, while the CCPA helps users see who has their data and how it's used. 

 

How do CCPA and GDPR compare to LGPD?

It’s easy to see this comparison: GDPR vs. CCPA vs. LGPD. Lei Geral de Proteção de Dados Pessoais (LGPD) is Brazil’s data protection law. Its official abbreviation is LGPDP, but it is commonly referred to as the LGPD. This law was very closely modeled after the GDPR and focuses on creating a legal foundation for handling personal data in Brazil.

 

How are the GDPR and the CCPA enforced?

The GDPR is enforced through fines levied by the national data protection authorities in the EU. GDPR-related penalties can reach 4% of a business' global revenue or €20 million, whichever is higher.

 

The CCPA is also enforced through monetary penalties imposed by California's Attorney General. These fines have a maximum of $2,500 per violation, or $7,500 for intentional violations.

 

Ensure you're complying with the CCPA or the GDPR by using a bespoke Didomi consent notice. A commercial Consent Management Platform will ensure compliance in an evolving ecosystem without sacrificing performance or data visualization. 

 

Organizations must understand the implications of cookies and consent, paying particular attention to how they collect, store and deploy personal data through their web trackers and mobile apps. 

 

Contact Didomi for any CCPA or GDPR compliance queries or more information on our solutions. We'll ensure you achieve compliance. 

 


 

 


Clément Hochedez

Senior SEO Manager at Didomi.
