Important Similarities and Differences Between CCPA & GDPR

These days there are a lot of ways in which companies can use the technology to collect people’s personal data and information without full consent. Obviously, this isn’t exactly ideal.

Individuals should have the right to privacy, and they should have the power to limit what companies can and can’t do with the information they gathered.

In order to protect people’s right to privacy, laws like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) were instituted. These laws seek to protect people’s private information and prevent businesses from exploiting this information for monetary interests.

To help you understand these laws, their similarities, and differences, we’ve laid down the basics you should know when it comes to CCPA and GDPR.

What are CCPA and GDPR?

CCPA and GDPR are privacy laws that help protect people’s rights to their own private information. While these two do have similarities, it can be useful to know what makes CCPA and GDPR unique from each other.

However, before making a comparison between the two, it would first be helpful to know each of these privacy laws individually.

California Consumer Privacy Act (CCPA)


The California Consumer Privacy Act is a statute introduced to improve the current state of privacy rights and consumer protection for people residing in the state of California. It was signed into law last 2018 and took effect in January 2020.

The California Consumer Privacy Act seeks to cover a broad scope when it comes to privacy rights and consumer protection. Here are some of the most important goals of this law:

  • People have the right to know what type of personal data and information companies are collecting about them.
  • They should know if their personal information is being sold or disclosed to another party. They also have the right to know to whom their information is being disclosed.
  • People have the right to refuse the sale of their personal data and private information.
  • They should be able to access their own personal data.
  • They have the right to request businesses to remove and delete any information related to them as a consumer.
  • They should not be discriminated against for exercising their right to privacy and private information.

This law is applicable to companies that have annual gross revenue of more than $25 million, those that buy or sell private information of more than 50,000 residents of California, and those that earn more than half of their yearly revenue from selling such information to third parties.

General Data Protection Regulation (GDPR)


The General Data Protection Regulation is one of the European Union’s efforts to enhance its residents’ right to privacy, especially when it comes to their personal data and information. This regulation also seeks to address the transfer of such data outside of the European Union and their area of responsibility.

In the GDPR, companies cannot gather private information without informed consent except in the following circumstances:

  • If individuals have explicitly given their consent regarding the use and processing of their private information.
  • To fulfill the contractual obligations of individuals or those in the process of entering a contract.
  • For compliance with the data controller’s legal obligations.
  • To safeguard the interest of individuals.
  • To perform a task that is in line with public interests.
  • For the interest of data controllers or third parties, unless overridden by the interests of the private individuals and their rights.

GDPR is one of the pioneers when it comes to safeguarding their people’s right to privacy and data protection. In fact, countries like South Korea, Japan, Brazil, and Argentina have patterned their own national laws about data privacy after GDPR.

Comparing CCPA vs GDPR

As mentioned, GDPR and CCPA both seek to address the protection for personal information, the right of individuals to protect their own data, and limit what companies can and can’t disclose when it comes to the information they gathered about their subjects.

The similarities between the CCPA and GDPR

The GDPR and CCPA share a few similarities, especially when it comes to their principles and expectations. Here are some of the significant things both laws have in common:

They provide individuals the right to view and access the information companies have gathered and collected about them.

Both the GDPR and CCPA want to empower their residents by making sure that they know exactly what type of data is being collected about them. It is incredibly vital, as individuals must understand what those data are, to begin with, to see if they’re comfortable with leaving it for the use of third-party companies or not.

In the CCPA, businesses and companies are required to show this information in an easy-to-digest format within a 12-month window. Individuals can request anything that has to do with their data (how those are stored, collected, used, and sold) up to 2 times within that period.

The GDPR also requires businesses to present such data in a user-friendly format. EU citizens can access their personal information within the last 30 days (and even longer under special circumstances). They can even request those in an unlimited number of times.

People 16 years old or younger are also empowered in both privacy laws, as they seek to add even more protection for the private data of these people. That is probably because this section of the population is still in a vulnerable age, easy targets for data exploitation.

Businesses should disclose how they handle the personal data of their subjects.

The GDPR and CCPA require businesses to inform their subjects how their data are being gathered, shared, and used.

For example, CCPA wants businesses to provide information as to whether the information is going to be shared or sold to third parties, what type of data they collect, and what rights the subjects have regarding the removal of those data from their collection.

This information should be available and delivered to the subjects without charge within 45 days after the request was made.

The GDPR also needs the subjects to be reasonably-informed about how their data will be used. If the data was obtained directly from the subject, they need to be informed immediately when their data are being collected.

If the information is obtained from another source, they should still inform the subject of the information. Still, the period of disclosure extends to a month.

Businesses should delete the personal data upon the request of the subject.

Both regulations allow individuals to request the removal of their personal data from companies’ roster of data. In the CCPA, this is permitted except for cases when a consumer’s personal data is necessary for specific operations. For GDPR, subjects have the right to be forgotten outlined in Article 17.

Some businesses are not required to comply with both laws.

It is only applicable under special circumstances, mostly because of law enforcement, judicial proceedings, and public safety. If it is deemed that the person’s right to privacy can disrupt the peace and impinge upon public safety, then businesses will have the right to not comply with these privacy laws.

Both laws require cybersecurity measures

The GDPR and CCPA require companies to invest in cybersecurity to protect the data of the consumers who have consented or willingly participated in the use of their data. Note that both laws do not specifically outline standards on how these cybersecurity measures should be met, as technology often evolves faster than legislation.

There’s a fine for non-compliance.

Businesses that fail to comply with these regulations can be sued for civil penalties.

The differences between the CCPA and GDPR

Now, it’s time to see how these two regulations differ from each other. Here are some of the main differences between GDPR and CCPA:

GDPR needs companies to have at least 1 of 6 legal bases before they are allowed to process any data regarding their subjects.

The GDPR focuses on obligations related to accountability, and it requires businesses to have a legal basis before they can start to process the data of those covered under GDPR.

These legal bases were listed down earlier in the article detailing the basics of GDPR. The CCPA, on the other hand, requires no justification before the processing of data.

CCPA gives individuals the right to disallow companies from selling their private information.

In CCPA, there should be an easy-to-read “do not sell my personal information” link on the businesses’ pages to give consumers an opt-out mechanism regarding the sale of their information. It is unlike GDPR, which doesn’t have a clear statement on the sale of such information to third parties.

The GDPR covers the personal data of anyone in the EU, whereas the CCPA only covers the data of Californians.

GDPR applies to any organization that has access and uses private data virtually in any way. As long as you’re within the EU (regardless if you’re a citizen or not) or if you’re outside the EU (but still an EU citizen), then this law will apply to you.

In general, this applies to all publicly-available data, unlike CCPA, which only covers the personal information of people considered as a resident of California.

There are additional requirements for companies handling health-related information in the GDPR.

In GDPR, there’s a greater coverage and protection when it comes to the protection of personal data related to health information compared to CCPA. It is because it is more specific, separating personal data between terms like “genetic data” and “biometric data.” In CCPA, those are lumped together under a general umbrella term.

GDPR is more specific when it comes to addressing health information. In contrast, CCPA heavily relies on existing US frameworks for processing data related to public health like the HIPAA.

CCPA mostly applies to big for-profit businesses.

As mentioned earlier, CCPA there’s a specific criterion that must be met for a company to be considered under the control of CCPA. One of those is having an annual gross revenue of more than $25 million.

That means that if you are a small business, you are technically exempted from CCPA. GDRP, on the other hand, applies to all public information as long as it meets 1 of the six legal bases mentioned.

The CCPA is better in terms of providing protection against discrimination.

In CCPA, it is explicitly stated that individuals who have exercised their right to privacy should not be discriminated against for doing so. That means that businesses still need to charge the same service fee and offer the same quality of service to customers regardless if they allowed the use of their data or not. In GDPR, no statement directly addresses discrimination.

GDPR has a higher average fine compared to CCPA.

As mentioned, both GDPR and CCPA fine businesses that do not comply with the law. However, the monetary implications for those found to not comply with GDPR are much higher. Organizations and businesses can be fined with as much as €50 million, like what Google experienced for data privacy violations related to French users.

CCPA has fewer teeth when it comes to fines. Non-compliance will cost companies around $2,500-$7,500 for each violation, depending on whether the violation was intentional or not.

Which is better: GDPR or CCPA?

Depending on your priorities, either of the two can be better than the other. That will be apparent if you read the similarities and the differences of GDPR and CCPA.

However, as a business, you want to make sure that you comply with all of the necessary laws and regulations to help your customers feel secure and avoid unnecessary fines.