Home » GDPR and CCPA : Differences You Should Know

GDPR and CCPA : Differences You Should Know

  • Dec 30, 2019
  • Posted By: Robert Duke
  • Category: Articles
GDPR and CCPA : Differences You Should Know

Welcome to the period of legal reformation.

We have two different laws – GDPR and CCPA, both redefining the intact landscape of how the user’s data is to be handled. The General Data Protection Regulation of Europe came into effect last year and was quite a shock for the businesses collecting data on citizens in the European Union (EU) countries.

And, now we are here witnessing another new set of regulations, the California Consumer Privacy Act (CCPA), which is about to go live on January 1, 2020, and it has already sent a wave of tremor to some businesses.

Now companies will have no free rein over our personal data. These new laws are compelling businesses to reel back their data collection practices and thereby put the individual in control of how their personal information is utilized.

That isn’t an end. There are several notable points one needs to consider to comply with these laws and thereby avoid huge penalties. But, before that, understand the key differences and the common principles between the GDPR and CCPA.

Overview of GDPR and CCPA


The General Data Protection Regulation is the core of Europe’s digital privacy legislation. Under the terms of GDPR, the organizations have to ensure that personal data of an individual is gathered legally and under firm conditions. Also, those who collect as well as manage it are obliged to protect it from exploitation and misuse.

GDPR is applicable to all the organizations operating within the European Union, and also the organizations outside of the EU offering goods/services to businesses or customers in the EU.


The California Consumer Privacy Act (dubbed as “California’s Mini-GDPR”) was passed in June 2018, and it implements rules for businesses operating in California regarding how they assemble, utilize, and share consumer data. It provides enhanced privacy rights and consumer protections for California residents and gives them significant rights around their data.

The CCPA is seen as a massive step since there was no federal privacy law in the US for decades. Moreover, if you are familiar with the rules and obligations of GDPR from the European Union, then the newly introduced CCPA will be elementary.

5 Key Differences between GDPR and CCPA

1. Applications

The GDPR law applies to businesses of every kind that deals with personal information from the EU, regardless of their citizenship status or residence. That is, if your company is a small and medium-sized enterprise established outside the EU, but it is offering goods/services or monitoring the behavior of individuals in the EU, then you have to comply with the GDPR.

Meanwhile, the CCPA is limited to individual data subjects that reside in California legally.

2. Requirements

Both the CCPA and GDPR share the requirements on how the data is applied, the rights individuals are entitled to regarding their personal information, and how to contact a data protection officer when desired. The noticeable difference between them is jotted below.

GDPR Requirements

  • Data subjects must be notified when their personal information is collected and shared with other entities.
  • Companies must inform them of how long their data will be retained when it’s applied to automated systems for profiling purposes and also the reason behind this profiling.
  • Data subjects must be reminded about their right to withdraw the consent to the data they have shared.
  • They must be notified in less than one month when their data is processed by a third-party, and also inform them the source from where third-party managed to acquire their data.

CCPA Requirements

  • Companies are required to send reports informing data subjects about when their data was collected, sold, or shared for business drives after a 12-month time-span.
  • Data subjects must be notified by third-parties (who have obtained their personal information) when they intend to sell it to another third-party entity.

3. Data Types

The GDPR includes the processing of all personal data, no matter what it’s intended for or how it’s handled. However, this rule includes two exceptions:

  • Data processing conducted by individuals for their personal purposes.
  • Personally conducted non-automated processing efforts that will not be filed.

The CCPA is much more specific about the kinds of data protected under diverse circumstances. For example, the GDPR requires companies to offer “opt-in” options before accessing their data. In contrast, CCPA requires entities to only supply “opt-out” when the personal data is actively shared or sold.

4. Personal Data

Under both these laws, the term “personal data” signifies any information that directly or indirectly represents any individual. However, they have variances in the prohibition of different data types.

Personal Information in GDPR:

Under GDPR, processing of personal data includes everything from the initial act of collating user’s or visitor’s data, to organizing and storing it, making it presentable for access, and to its ultimate removal or erasure.

Personal Information in CCPA:

The CCPA splits “personal data” into multiple definitions such as –

  • “Collecting” is defined as gathering of personal data in any manner, but unlike the GDPR, this alone isn’t treated as “processing.”
  • “Processing” happens only once the data that has been collected is acted upon further.
  • “Selling” is defined as another separate event which comprises transference, disclosure, and other communications regarding the data subject’s personal data.

Note: Here “selling” doesn’t necessarily mean the involvement of any payment. It can be a valuable and intentional exchange of personal data.

5. Penalties

You might have already heard of major GDPR-related penalty against internet giant Google where the company was fined 50 million euros (£44m) by the French data regulator CNIL.

So, is this a fixed penalty for all firms? NO.

Under GDPR, the penalty can range as high as €20 million (approximately $22 million), or 4% of the company’s annual global turnover—depending on whichever is higher.

On the other hand, the CCPA has separate formality for fines. Here, the non-compliance alone isn’t taken into consideration. Instead, penalties are applied only after the incidence of a data breach.

So, when it happens, the earlier violations pertinent to the current breach are considered individually for fining. The penalty details are given below:

  • $7,500 for intentional violations
  • $2,500 for violations
  • $100 – $750 for recover damage per consumer per incident

So, no matter whether violations of these laws are unintended mistakes stemming from sloppiness, neglect, laziness, or ignorance, you need to comply with the regulation unfailingly. Otherwise, you will pay dearly for arrogance.

Ensure you comply with the GDPR and CCPA

The GDPR has already been helping the customers, and the CCPA is coming up right around the corner. And, this blog demonstrates the things one need to consider when it comes to preserving compliance between the GDPR and CCPA. But, there are still more stipulations to come in the future, and it’s always the wisest choice to keep yourself updated with these laws.

With all that in mind, avoid costly legal repercussions and make your business life easier.

Scroll to Top