Comparing CCPA and GDPR

ON THIS PAGE

California’s Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) are the first consumer privacy regulations in the US and EU, accordingly. GDPR was the first data privacy regulation in the EU and in general and took effect on May 25, 2018. The ePrivacy Directive, commonly called the Cookie Law, was passed in 2002 and was amended in 2009. It supplements the GDPR. The ePrivacy Directive along with the GDPR makes up the world’s strictest data privacy regime.

CCPA was the first data privacy law in the US and took effect on January 1, 2020. Some call the CCPA “the California GDPR” since it regulates consumers' privacy rights in the US analogously as GDPR regulates in the EU.

While both laws protect users' privacy rights and regulate personal data processing, there are many differences between them. Read the article to know the differences between the laws and find out GDPR vs CCPA requirements.

Comparing CCPA and GDPR

These are the main differences between GDPR and CCPA:

Effective date

Effective date                           

   CCPA 

January 1, 2020    

       

   GDPR   

May 25, 2018      

     

Who has to comply with GDPR and CCPA?

                                  CCPA                            GDPR
Applies to Any business that targets Californian consumers and either:                                                                                
  • has annual gross revenues over $25 million,
  • buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes,
  • gets 50% or more of its annual revenues from selling consumers' personal information.

 		 Any entities, including companies, non-profit organizations, and individuals, that collect or process EU consumers' personal data; or the entities are based in the EU.

Consumers' rights

Consumers' rights                                            CCPA       GDPR   
Right to be informed  Yes  Yes
Right to data access  Yes  Yes
Right to data deletion  Yes  Yes
Right to data portability   Yes  Yes
Right to opt-out (withdraw consent)    Yes  Yes
Right to data rectification   No  Yes
Right to object                                  No  Yes
Rights regarding automated decision-making and profiling  No  Yes
Right to non-discrimination Yes No

Consumers' rights under GDPR are stricter than under CCPA. However, the California Privacy Rights Act (CPRA), which will take effect on January 1, 2023, will strengthen CCPA by including additional privacy protections for California consumers. After these changes, CCPA together will CPRA will become more similar to GDPR.

Cookie Consent

  CCPA                         GDPR                    
Cookie Consent type Implied. It only requires letting visitors opt-out of cookies that sell their personal information. Explicit
     
Cookie information Websites should disclose what kind of cookies are being used, why, and how to manage them. Websites should disclose what kind of cookies are being used, why, and how to manage them.

Explicit cookie consent mode means rejecting permission to track website user's activity and collect personal information. Explicit, or opt-in Cookie Consent mode is used by default because that's a requirement for GDPR. When this mode is used, no cookies are stored on the website user’s computer until the website user agrees with the Cookie Policy. This is also called “the hard way” for Cookie Consent.  

Implied cookie consent mode means granting permission to track website users' activity and collect personal information when visiting a website. Implied cookie consent mode is also called opt-in or “the soft way” for cookie consent. 

The main difference in the field of cookie consent is that under GDPR,  companies must provide options for both opt-in and opt-out, while under CCPA an option just for opt-in is required.

Scan your website for free to see all cookies and trackers in use.

Personal information in the CCPA vs GDPR

  CCPA GDPR
What is considered personal information? The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The GDPR defines personal information as “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Exemptions from personal information

Under the CCPA, this is not considered personal information:

  • Medical information protected under CMIA or HIPPA.
  • Information collected for clinical trials
  • Information obtained from consumer reporting agencies.
  • Personal information under the Gramm-Leach-Bliley Act.
  • Information covered by California’s Driver’s Privacy Protection Act.
  • Any publicly available information from federal, state, or local government records.

Under the GDPR, this is not considered personal information:

  • Data related to deceased persons.
  • Data processed through non-automated means.
  • Anonymous data
  • Data processed for personal or houseful purposes.
Sensitive personal information Not defined Sensitive information is described as any data that reveals a subject's information. It could be racial or ethnic origin, political or religious beliefs, health status, and other information.  

GDPR contains a special category of data called sensitive personal data. There are increased requirements for the processing of this data. CCPA does not define sensitive personal data. However, CPRA, which will amend CCPA and expand rights for California consumers, already defines sensitive personal data. In the end, CCPA together with CPRA will protect consumers' sensitive personal data similarly to GDPR.

The main difference between GDPR and CCPA is that the personal information under CCPA’s is extra-personal, meaning that it includes information that is not specific to a person but also includes household data, whereas the GDPR defines exclusively a person.

International data transfer

CCPA                            GDPR                                     
No restrictions Requires non-EU recipient countries to provide adequate protection

Penalties for non-compliance

                                   CCPA           GDPR                                            
Maximum fines

For unintentional violation- up to $2,500 per violation.

For intentional violation- up to $7,500 per violation.

 For the lower level violation- up to €10 million, or 2% of the annual global turnover of the company of the preceding financial year, whichever is higher.
For the severe violation- up to €20 million, or 4% of the annual global turnover of the company of the preceding financial year, whichever is higher.

How to comply with the GDPR and CCPA

CookieScript Consent Management Platform is a consent management solution that can help you to comply with GDPR and CCPA. Our CMP scans your website and finds all cookies and trackers

It enables multiple compliance solutions on the same website with a geo-targeting function so that visitors from the EU will see a GDPR-compliant Cookie Banner, while visitors from California will see the CCPA-compliant Cookie Banner.

Register for free Show pricing plans

Frequently asked questions

What are GDPR and CCPA?

California’s Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) are the first consumer privacy regulations in the US and the EU, accordingly. They regulate personal data collection and management.  CookieScript can help to make your website both CCPA-compliant and GDPR-compliant.

What is the difference between GDPR and CCPA?

The GDPR protects individuals located inside the EU, whereas the CCPA protects California consumers. The GDPR is stricter and requires that users give their unambiguous consent prior to having their personal data collected and processed, while under the CCPA the consent is needed just for the data disclosure or selling to third parties. Use CookieScript to be both CCPA and GDPR-compliant.

Who needs to comply with the CCPA and GDPR?

Under the GDPR, any entity, including a company, non-profit organization, or an individual that collects and processes EU consumers' personal data; or the entities based in the EU, must comply with GDPR. Under the CCPA, only companies or for-profit organizations that meet the law’s definition regarding business gross revenue or selling of personal data, are required to comply with CCPA.

What is CCPA compliance?

CCPA compliance is a process of personal data treatment in ways allowed by the California Consumer Privacy Act. The CCPA went into effect on January 1, 2020, and applies to any company that processes California consumers' personal information. Use CookieScript to be CCPA-compliant.

What is GDPR compliance?

GDPR compliance is a process of personal data treatment in ways allowed by Europe's General Data Protection Regulation. Any entity, including a company, non-profit organization, or an individual that collects and processes EU consumers' personal data; or the entities based in the EU, must comply with GDPR. Use CookieScript to be GDPR-compliant.