California’s Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) are the first consumer privacy regulations in the US and EU, accordingly. GDPR was the first data privacy regulation in the EU and in general and took effect on May 25, 2018. The ePrivacy Directive, commonly called the Cookie Law, was passed in 2002 and was amended in 2009. It supplements the GDPR. The ePrivacy Directive along with the GDPR makes up the world’s strictest data privacy regime.
CCPA was the first data privacy law in the US and took effect on January 1, 2020. Some call the CCPA “the California GDPR” since it regulates consumers' privacy rights in the US analogously as GDPR regulates in the EU.
While both laws protect users' privacy rights and regulate personal data processing, there are many differences between them. Read the article to know the differences between the laws and find out GDPR vs CCPA requirements.
Comparing CCPA and GDPR
These are the main differences between GDPR and CCPA:
Effective date
Effective date |
CCPA January 1, 2020 |
GDPR May 25, 2018
|
Who has to comply with GDPR and CCPA?
CCPA | GDPR | |
Applies to | Any business that targets Californian consumers and either:
|
Any entities, including companies, non-profit organizations, and individuals, that collect or process EU consumers' personal data; or the entities are based in the EU. |
Consumers' rights
Consumers' rights | CCPA | GDPR |
Right to be informed | Yes | Yes |
Right to data access | Yes | Yes |
Right to data deletion | Yes | Yes |
Right to data portability | Yes | Yes |
Right to opt-out (withdraw consent) | Yes | Yes |
Right to data rectification | No | Yes |
Right to object | No | Yes |
Rights regarding automated decision-making and profiling | No | Yes |
Right to non-discrimination | Yes | No |
Consumers' rights under GDPR are stricter than under CCPA. However, the California Privacy Rights Act (CPRA), which will take effect on January 1, 2023, will strengthen CCPA by including additional privacy protections for California consumers. After these changes, CCPA together will CPRA will become more similar to GDPR.
Cookie Consent
CCPA | GDPR | |
Cookie Consent type | Implied. It only requires letting visitors opt-out of cookies that sell their personal information. | Explicit |
Cookie information | Websites should disclose what kind of cookies are being used, why, and how to manage them. | Websites should disclose what kind of cookies are being used, why, and how to manage them. |
Explicit cookie consent mode means rejecting permission to track website user's activity and collect personal information. Explicit, or opt-in Cookie Consent mode is used by default because that's a requirement for GDPR. When this mode is used, no cookies are stored on the website user’s computer until the website user agrees with the Cookie Policy. This is also called “the hard way” for Cookie Consent.
Implied cookie consent mode means granting permission to track website users' activity and collect personal information when visiting a website. Implied cookie consent mode is also called opt-in or “the soft way” for cookie consent.
The main difference in the field of cookie consent is that under GDPR, companies must provide options for both opt-in and opt-out, while under CCPA an option just for opt-in is required.
Scan your website for free to see all cookies and trackers in use.
Personal information in the CCPA vs GDPR
CCPA | GDPR | |
What is considered personal information? | The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” | The GDPR defines personal information as “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” |
Exemptions from personal information |
Under the CCPA, this is not considered personal information:
|
Under the GDPR, this is not considered personal information:
|
Sensitive personal information | Not defined | Sensitive information is described as any data that reveals a subject's information. It could be racial or ethnic origin, political or religious beliefs, health status, and other information. |
GDPR contains a special category of data called sensitive personal data. There are increased requirements for the processing of this data. CCPA does not define sensitive personal data. However, CPRA, which will amend CCPA and expand rights for California consumers, already defines sensitive personal data. In the end, CCPA together with CPRA will protect consumers' sensitive personal data similarly to GDPR.
The main difference between GDPR and CCPA is that the personal information under CCPA’s is extra-personal, meaning that it includes information that is not specific to a person but also includes household data, whereas the GDPR defines exclusively a person.
International data transfer
CCPA | GDPR |
No restrictions | Requires non-EU recipient countries to provide adequate protection |
Penalties for non-compliance
CCPA | GDPR | |
Maximum fines |
For unintentional violation- up to $2,500 per violation. For intentional violation- up to $7,500 per violation. |
For the lower level violation- up to €10 million, or 2% of the annual global turnover of the company of the preceding financial year, whichever is higher. For the severe violation- up to €20 million, or 4% of the annual global turnover of the company of the preceding financial year, whichever is higher. |
How to comply with the GDPR and CCPA
CookieScript Consent Management Platform is a consent management solution that can help you to comply with GDPR and CCPA. Our CMP scans your website and finds all cookies and trackers.
It enables multiple compliance solutions on the same website with a geo-targeting function so that visitors from the EU will see a GDPR-compliant Cookie Banner, while visitors from California will see the CCPA-compliant Cookie Banner.
Frequently asked questions
What are GDPR and CCPA?
California’s Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) are the first consumer privacy regulations in the US and the EU, accordingly. They regulate personal data collection and management. CookieScript can help to make your website both CCPA-compliant and GDPR-compliant.
What is the difference between GDPR and CCPA?
The GDPR protects individuals located inside the EU, whereas the CCPA protects California consumers. The GDPR is stricter and requires that users give their unambiguous consent prior to having their personal data collected and processed, while under the CCPA the consent is needed just for the data disclosure or selling to third parties. Use CookieScript to be both CCPA and GDPR-compliant.
Who needs to comply with the CCPA and GDPR?
Under the GDPR, any entity, including a company, non-profit organization, or an individual that collects and processes EU consumers' personal data; or the entities based in the EU, must comply with GDPR. Under the CCPA, only companies or for-profit organizations that meet the law’s definition regarding business gross revenue or selling of personal data, are required to comply with CCPA.
What is CCPA compliance?
CCPA compliance is a process of personal data treatment in ways allowed by the California Consumer Privacy Act. The CCPA went into effect on January 1, 2020, and applies to any company that processes California consumers' personal information. Use CookieScript to be CCPA-compliant.
What is GDPR compliance?
GDPR compliance is a process of personal data treatment in ways allowed by Europe's General Data Protection Regulation. Any entity, including a company, non-profit organization, or an individual that collects and processes EU consumers' personal data; or the entities based in the EU, must comply with GDPR. Use CookieScript to be GDPR-compliant.