The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are laws that emerged to give consumers greater power over their personal information. Both regulate organizations that collect and use data in a variety of ways.
A brief definition of the CCPA:
- Gives California residents increased transparency and control over how businesses collect and use their data
- Applies to organizations doing business in California, and to those that handle or share the personal information of California residents
A brief definition of the GDPR:
- Requires that individuals give consent before an organization can process their data
- Applies to organizations in and out of the European Union (E.U.) that process the personal data of individuals in the E.U.
But there’s more to the story than that. Getting to know both regulations will help you design data privacy policies that inspire customer trust and keep your organization legally compliant.
CCPA vs. GDPR: A closer look at the scope of these data protection laws
The CCPA is about increasing transparency for California residents, allowing them to discover and change how their data is collected and transacted. Meanwhile, the GDPR is a binding regulation for data privacy across the E.U., replacing dozens of national privacy laws with a single framework. It’s important to note, however, that the GDPR does have implications for businesses in the United States, despite originating in Europe.
Both regulations arose to protect people in a world of increasing global interconnectivity—where international transfers of personal data are more frequent and elaborate, and forward strides in technology have resulted in data misuse scandals and sophisticated cyber attacks.
The CCPA and GDPR apply to individual organizations in different ways, and while there are some nuances in scope that distinguish both sets of legislation, they share similar goals. By observing how they complement each other, you can create scalable data security policies that agree with both laws.
How do the laws define personal information?
Personal information (CCPA) vs. personal data (GDPR)
While the CCPA deals with the collection and sale of personal information, GDPR law addresses personal data processing.
The CCPA defines personal information as any information that identifies, describes, relates to, or can be linked with a consumer or household. This includes:
- Personally identifiable information (PII), like real names, email addresses, and official document numbers (e.g., passport, driver’s license, social security).
- Internet and electronic activity, such as browsing history, cookies, and interactions with websites and apps.
- Inferences drawn from any information used in profiling, like personality traits, intelligence, predispositions, and beliefs.
Under the GDPR, personal data refers to any information that directly or indirectly identifies someone. While this doesn’t include household identifiers, any identifying personal data that is not anonymized falls under the GDPR. The CCPA, however, exempts specific categories of medical and personal information from its scope.
Who do the laws apply to?
Consumers (CCPA) vs. data subjects (GDPR)
The CCPA protects consumers—legal persons who must be California residents. The GDPR focuses on data subjects—any person who can be identified directly or indirectly, with no E.U. citizenship or residency requirements. Both regulations have a global reach, though under slightly different circumstances.
Businesses (CCPA) vs. data controllers (GDPR)
The CCPA regulates businesses—for-profit organizations that do business in California, collect personal information from California-based consumers, and determine how and why it’ll be processed. One or more of the following must also apply:
- Has $25 million or more in annual gross revenues
- Buys, receives, sells, or shares the personal information of at least 50,000 consumers, households, or devices
- Derives at least 50% of annual revenue from selling consumers’ personal information
The GDPR, on the other hand, targets data controllers—organizations that decide how and why they’ll process personal data. The GDPR applies when the data controller or its processor is established in the E.U., or when a non-E.U. controller processes the personal data of E.U. residents while offering them commercial goods and services or monitoring their behavior.
While the GDPR regulates a broader set of organizations than the CCPA, they both impact swathes of globally operating enterprises, so it’s worth evaluating how you collect and use personal data in different territories.
What rights do the CCPA and GDPR give people?
The two regulations overlap when it comes to some rights—so if you’re already compliant with GDPR, you’re well on your way to meeting CCPA requirements. Knowing the similarities can help you create replicable policies across geographies, and set you up for compliance with future regulations that will likely mirror these existing ones.
Here’s what the CCPA and GDPR have in common:
- The right to know: Under the CCPA, businesses must disclose to consumers (upon request) what personal information they’ve collected, used, disclosed, and sold. Organizations under the GDPR must notify individuals at the time of collection and inform them of the purpose, how long they’ll retain this data, and who it will be shared with.
- The right to access: Individuals are entitled to access their personal data, and can request copies of their personal information verbally or in writing. Businesses have a month to respond to requests under the GDPR and—most of the time—can’t charge fees to deal with them.
- The right to portability: Individuals protected by the CCPA and GDPR have the right to request their personal information in accessible, machine-readable formats such as CSV, XML, and JSON.
- The right to erasure: Consumers have the right to request the deletion of any personal information that an organization has collected or stored. In instances where the GDPR applies, individuals have the right to have their personal data erased under a variety of circumstances.
Of course, each regulation also has its own unique rights.
Rights specific to the CCPA:
- The right to opt out: Under California privacy law, consumers have the right to opt out of businesses disclosing their personal information to third parties, both in monetary sales and in other transactions that benefit the business.
- The right to non-discrimination: Companies can’t discriminate against consumers based on their decisions to exercise privacy rights. They can’t, for instance, deny goods and services, charge different rates, or provide lower quality services to consumers who’ve opted out or requested that their personal information be deleted.
- Authorized agents: Consumers are entitled to have an authorized agent make CCPA-related requests to companies on their behalf.
- Financial incentives: Businesses must let customers know if they provide financial incentives tied to the collection, sale, or deletion of personal information.
Rights specific to the GDPR:
- The right to rectification: Individuals can request that organizations rectify inaccurate or incomplete records of personal data.
- The right to restrict processing: People have the right to request that organizations restrict the processing of their personal data if said information is inaccurate, has been unlawfully processed, or the organization no longer needs it. When processing is restricted, organizations can store personal data without using it.
- The right to object: Individuals have an absolute right to stop organizations using their data for direct marketing. In other circumstances, organizations can only keep processing this data if they have a compelling reason.
- Automated decision-making and profiling: Decisions made solely by automated means (e.g., algorithms), including processing data to profile people, are only permissible under certain conditions.
Under what circumstances can businesses use consumer data?
For the CCPA, this is where the right to opt out comes into play. Regulated organizations can process data by default, but they must provide a clear option (e.g., a banner or form with a “do not sell my personal information” link) for consumers to opt out of having their personal information sold or shared.
Under the GDPR, organizations can only process data when at least one of six legal grounds for data processing applies:
- Consent: Unlike with the CCPA, consent here means people must clearly opt in before an organization can process personal data.
- Contract: This means processing data is necessary to honor a contract between the individual and organization, or it’s a necessary preliminary step before entering the contract.
- Legal obligation: When processing an individual’s data is needed to comply with the law.
- Vital interests: When processing data is needed to protect someone’s life.
- Public task: If data processing is required to perform a task in the public interest, with a clear basis in law.
- Legitimate interests: When processing data is necessary for the organization’s legitimate interests, or that of a third party. This is the most open-ended lawful basis for processing data, and is worth exploring further.
To comply with both the GDPR and CCPA, it’s important to consider the lawful bases for processing data while providing both opt-in and opt-out consent mechanisms.
How are these laws enforced?
The Attorney General of California can impose financial penalties on organizations that don’t comply with the CCPA. The maximum charge per violation is $7,500 for intentional violations, and $2,500 otherwise. Legislators in the E.U. can similarly enforce the GDPR through fines. While these fines depend on the nature of each infringement, they can go up to €20 million, or up to 4% of a company’s global annual turnover.
The GDPR is administered by the E.U.’s national data protection authorities. These entities advise organizations on complying with the GDPR, and can use investigatory powers to audit organizations suspected of breaches, erase wrongfully obtained data, and issue warnings, fines, and bans on data processing. Supervisory authority for the CCPA lies solely with the state’s Attorney General, but it’s expected that by the end of 2020, they will create more specific regulations for enforcing and monitoring California data privacy law.
CCPA vs. GDPR in summary
The CCPA specifically provides California residents with greater decision-making power over how businesses collect and use their data. They may exercise their rights to access data that businesses have collected, have it deleted, and opt out from having a business sell this data to third parties.
By comparison, the GDPR is broader in scope and creates a regulatory environment where privacy is the default. Data processing is allowed only after the individual has given approval, and people in the E.U. have the right to withdraw their consent.
Both the GDPR and CCPA are leading pieces of legislation when it comes to data privacy and transparency, but the compliance landscape is always evolving. As legislators around the globe continue to keep pace with technology, the best move is to implement data handling practices and compliance policies that you can scale and adapt when necessary.
Wondering how to get compliant with the CCPA and GDPR?
- Learn about the critical steps you need to take to comply with the CCPA (Webinar)
- Find out how Okta can help organizations on their CCPA journeys (Blog post)
- Determine if your organization is prepared for the GDPR (Whitepaper)
- Discover how Okta can support the GDPR—and your CIAM requirements (Blog post)
- Understand how compliance helps build customer trust (Blog post)