California’s Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) are the leading consumer privacy regulations in the US and the EU, respectively. The GDPR replaced the 1995 Data Protection Directive (95/46/EC) as the EU’s comprehensive data protection law and took effect on May 25, 2018. The ePrivacy Directive, commonly called the Cookie Law, was passed in 2002 and amended in 2009. It supplements the GDPR, and together the two form one of the world’s strictest data privacy regimes.
CCPA was the first comprehensive state consumer privacy law in the US and took effect on January 1, 2020. Some call the CCPA “the California GDPR” since it regulates consumers’ privacy rights in the US much as the GDPR does in the EU.
While both laws protect users’ privacy rights and regulate personal data processing, there are many differences between them. This article walks through those differences and what each law requires.
Comparing CCPA and GDPR
Who has to comply with GDPR and CCPA?
| | CCPA | GDPR |
|---|---|---|
| Applies to | Any business that targets Californian consumers and meets the law’s revenue or personal-data-selling thresholds (see the FAQ below) | Any entity, including companies, non-profit organizations and individuals, that is established in the EU, or that offers goods or services to, or monitors the behaviour of, people in the EU (GDPR Article 3) |
| Right to be informed | Yes | Yes |
| Right to data access | Yes | Yes |
| Right to data deletion | Yes | Yes |
| Right to data portability | Yes | Yes |
| Right to opt out (CCPA: of the sale of personal information; GDPR: withdraw consent) | Yes | Yes |
| Right to data rectification | No | Yes |
| Right to object | No | Yes |
| Rights regarding automated decision-making and profiling | No | Yes |
| Right to non-discrimination | Yes | No |
Consumers’ rights under the GDPR are broader than under the CCPA. However, the California Privacy Rights Act (CPRA), which will take effect on January 1, 2023, will strengthen the CCPA with additional privacy protections for California consumers. After these changes, the CCPA together with the CPRA will become more similar to the GDPR.
| | CCPA | GDPR |
|---|---|---|
| Is explicit cookie consent required? | No. Websites only have to let visitors opt out of cookies that sell their personal information. | Yes |
| Is implied cookie consent sufficient? | Yes | Not on its own. Consent must be a clear affirmative action (GDPR Article 4(11) and Recital 32), so silence, pre-ticked boxes or continued browsing do not count. |
| Cookie information | Websites should disclose what kind of cookies are being used, why, and how to manage them. | Websites should disclose what kind of cookies are being used, why, and how to manage them. |
Implied cookie consent means treating a visitor’s continued use of a website as permission to track their activity and collect personal information. It is also called “soft opt-in” or “the soft way” of obtaining cookie consent.
The main difference in the field of cookie consent is that under the GDPR, visitors must actively opt in before non-essential cookies are set and must be able to withdraw that consent (opt out) later, while under the CCPA only an opt-out option is required.
Personal information in the CCPA vs GDPR
| | CCPA | GDPR |
|---|---|---|
| What is considered personal information? | The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” | The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” |
| Exemptions from personal information | Under the CCPA, this is not considered personal information: | Under the GDPR, this is not considered personal information: |
| Sensitive personal information | Not defined (the CPRA amendments add a definition) | Defined as “special categories” of personal data (GDPR Article 9): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data used for identification, and data concerning health, sex life or sexual orientation. |
The GDPR singles out these special categories of personal data and imposes stricter conditions on processing them. The CCPA does not define sensitive personal information. However, the CPRA, which amends the CCPA and expands the rights of California consumers, does define it, so the CCPA together with the CPRA will protect consumers’ sensitive personal information much as the GDPR does.
Another key difference is scope: the CCPA’s definition covers information linked to a household as well as to an individual consumer, whereas the GDPR covers only data relating to an identifiable natural person.
Penalties for non-compliance
| | CCPA | GDPR |
|---|---|---|
| Penalties | Unintentional violation: up to $2,500 per violation. Intentional violation: up to $7,500 per violation. | Lower-level violation: up to €10 million or 2% of the company’s annual global turnover for the preceding financial year, whichever is higher. Severe violation: up to €20 million or 4% of the company’s annual global turnover for the preceding financial year, whichever is higher. |
How to comply with the GDPR and CCPA
CookieScript enables multiple compliance solutions on the same website with a geo-targeting function, so that visitors from the EU see a GDPR-compliant Cookie Banner while visitors from California see a CCPA-compliant Cookie Banner. Keep in mind that IP geolocation is a heuristic (VPNs, proxies and carrier NAT all mislead it), so a conservative configuration shows the stricter, opt-in banner whenever the visitor’s location cannot be determined, and never sets non-essential cookies before that decision is made.
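The opt-in versus opt-out distinction described above, and the geo-targeted banner choice, reduce to a small decision function that a consent script runs before any tracker loads. The following is an added example written for this article; it is not CookieScript’s code. The country-code set, the `cookie_consent` cookie name, the `geo` object shape and the tracker URLs are assumptions for the example. It goes slightly beyond the text in two places: an unknown location falls back to the stricter opt-in regime, and the browser’s Global Privacy Control signal is honoured as a CCPA opt-out, as California’s CCPA regulations require.

```javascript
// Added example (not CookieScript's code): decide which banner to show and
// whether non-essential trackers may run for EU (GDPR, opt-in) and
// California (CCPA, opt-out) visitors. Names and shapes below are assumptions.

// EU member states plus the EEA countries, where the GDPR also applies.
const GDPR_COUNTRIES = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
  "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
  "SE", // EU-27
  "IS", "LI", "NO", // EEA
]);

// Map a geolocation lookup to a regime. `geo` is { country: "US", region: "CA" }
// (assumed shape) or null when the lookup failed. An unknown location falls back
// to the stricter opt-in regime rather than defaulting to tracking, because IP
// geolocation is only a heuristic. "none" means neither of the two regimes
// discussed here applies; it is not a claim that no other law does.
function regimeFor(geo) {
  if (!geo || typeof geo.country !== "string") return "gdpr";
  const country = geo.country.toUpperCase();
  if (GDPR_COUNTRIES.has(country)) return "gdpr";
  if (country === "US" && String(geo.region || "").toUpperCase() === "CA") return "ccpa";
  return "none";
}

// Read the visitor's stored choice from a document.cookie-style string.
// Returns "accepted", "rejected" or null when no valid choice has been recorded.
const CONSENT_COOKIE = "cookie_consent"; // assumed cookie name
function storedChoice(cookieHeader) {
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === CONSENT_COOKIE) {
      const value = decodeURIComponent(rest.join("="));
      return value === "accepted" || value === "rejected" ? value : null;
    }
  }
  return null;
}

// Decide what the page may do right now. `gpc` is the Global Privacy Control
// signal (navigator.globalPrivacyControl in a browser), which the CCPA
// regulations require businesses to treat as a valid opt-out of sale.
function consentPlan(geo, cookieHeader, gpc = false) {
  const regime = regimeFor(geo);
  const choice = storedChoice(cookieHeader);
  switch (regime) {
    case "gdpr": {
      // Opt-in: nothing non-essential runs until the visitor actively accepts.
      return { regime, banner: choice ? null : "gdpr", loadTrackers: choice === "accepted" };
    }
    case "ccpa": {
      // Opt-out: trackers may run unless the visitor, or their browser, said no.
      const optedOut = choice === "rejected" || gpc === true;
      return { regime, banner: choice ? null : "ccpa", loadTrackers: !optedOut };
    }
    default:
      return { regime, banner: null, loadTrackers: true };
  }
}

// Gate tracker scripts behind the plan. `inject` is called only for scripts that
// are allowed to run; in a real page it would append a <script> element.
const NON_ESSENTIAL = ["https://analytics.example/tag.js", "https://ads.example/pixel.js"]; // assumed
function gateTrackers(plan, inject) {
  const loaded = [];
  if (plan.loadTrackers) {
    for (const src of NON_ESSENTIAL) {
      inject(src);
      loaded.push(src);
    }
  }
  return loaded;
}

// Constructed sample visitors for a stand-alone run.
const samples = [
  { geo: { country: "DE" }, cookies: "" },
  { geo: { country: "US", region: "CA" }, cookies: "" },
  { geo: { country: "US", region: "CA" }, cookies: "cookie_consent=rejected" },
  { geo: null, cookies: "" },
];
for (const s of samples) {
  const plan = consentPlan(s.geo, s.cookies);
  console.log(JSON.stringify({ geo: s.geo, ...plan, loaded: gateTrackers(plan, () => {}) }));
}
```

The important property is the asymmetry: for a GDPR visitor the absence of a stored choice yields `loadTrackers: false`, while for a CCPA visitor the same absence yields `true`, and only an explicit rejection or a GPC signal flips it. In a real deployment the stored choice should also carry a version or timestamp so that a change to the cookie inventory can re-prompt visitors.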
Frequently asked questions
What are GDPR and CCPA?
California’s Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) are the leading consumer privacy regulations in the US and the EU, respectively. They regulate personal data collection and management. CookieScript can help to make your website both CCPA-compliant and GDPR-compliant.
What is the difference between GDPR and CCPA?
Who needs to comply with the CCPA and GDPR?
Under the GDPR, any entity, including a company, non-profit organization or individual, that is established in the EU or that processes the personal data of people in the EU must comply. Under the CCPA, only companies or for-profit organizations that meet the law’s thresholds for business gross revenue or for the sale of personal information are required to comply.
What is CCPA compliance?
What is GDPR compliance?