Almost every interaction with an organization — especially online — involves sharing personal data. The shared data might include a name, a location, or even how a user navigates a website.
Sharing your personal information with a company has its perks: the website learns the language you speak, your browsing preference, and maybe your purchase history. But, it comes at a price: consumers are increasingly worried about how their data might be used, or misused.
As a result, data protection laws — such as the California Consumer Privacy Act of 2018 (CCPA) and the General Data Protection Regulation (GDPR) — are in place. What are these two laws, how do they differ, and what do they mean for you? Let's dive in.
Note: The successor to the CCPA, the California Privacy Rights Act (CPRA), went into effect on January 1, 2023.
Learn more in our latest blog post on CPRA, and download your CPRA compliance checklist.
Summary:
- What are the GDPR and CCPA?
- How is the CCPA different from the GDPR?
- How can I make my website compliant?
- CCPA vs. GDPR FAQ
What are the GDPR and CCPA?
Let’s take a look at the overview of these regulations:
What is GDPR?
The GDPR launched in April of 2016 to have one set of data privacy laws (with higher levels of protection for individuals) across the European Union (EU).
As a result, the GDPR created protocols for organizations handling personal information. The GDPR also established new definitions for personal data, consent, accountability, and all parts of processing data.
By the end of May 2018, any website that gets EU visitors and processes personal data (or works with a third-party service that does) must comply with the GDPR. Part of complying means asking each user for permission to access and use their data.
From a user's perspective, the GDPR helps them:
- Understand exactly how an organization will use their data before it is collected.
- Make an informed decision to share their data.
- Learn how to raise a complaint related to data privacy.
What is CCPA?
Once the GDPR took effect, the CCPA became the first comparable privacy law to be enacted in the United States (US). The CCPA regulations seek to give users more control over the personal information that businesses collect.
The CCPA established new privacy rights for California consumers, such as:
- The right to know what personal data an organization collects about them, and how it is used and shared.
- The right to delete personal data collected from them (with exceptions).
- The right to opt-out of the sale of their data.
- The right to non-discrimination while exercising their CCPA rights.
The CCPA has been amended by the California Privacy Rights Act (CPRA), which came into effect in January 2023. Enforcement began in July 2023, and the CPRA applies retroactively to personal data processed from January 2022 onward.
How is the CCPA different from the GDPR?
The GDPR and CCPA data privacy regulations are very similar, but they have several differences.
In a CCPA vs. GDPR comparison, the focus of each differs. The GDPR works to establish a legal foundation that puts privacy first for the entire EU. On the other hand, the CCPA focuses on providing data transparency for California consumers.
Think of the GDPR as something that happens before a user looks at the content on a website, while the CCPA helps users see who has their data and how it's used.
As for the differences between the GDPR and the CCPA, many would say the CCPA is a less strict version of the GDPR, but it may depend on who you ask. Take a look at this CCPA vs. GDPR chart:

| Regulation | GDPR | CCPA |
| --- | --- | --- |
| Only protects natural persons, not legal persons | ✓ | ✓ |
| Applies to the processing of personal data | ✓ | ✗ |
| Applies to collecting, selling, and sharing personal information | ✗ | ✓ |
| Excludes specific categories of personal data | ✗ | ✓ |
| Protects personal data related to health | ✓ | ✗ |
| Does not define "child" | ✓ | ✓ |
| Can only process personal data when there are legal grounds for it | ✓ | ✗ |
| Impacts third parties wishing to collect data | ✓ | ✓ |
| Individuals have the right to be informed about the categories of data processed and the processing purposes | ✓ | ✓ |
| The privacy policy must be updated every 12 months | ✗ | ✓ |
| Data subjects/consumers have options for opting out | ✓ | ✓ |
| Data subjects/consumers have the right to access their data free of charge | ✓ | ✓ |
Personal info (CCPA) vs. Personal data (GDPR)
According to the CCPA, categories of personal information include any that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
In the CCPA's definition, notice that the data need not be specific to a single person: it can relate to a household.
In the GDPR, personal data is "any information relating to an identified or identifiable natural person (data subject), directly or indirectly, in particular by reference to an identifier."
The GDPR's definition of personal data is strictly related to an individual, not a household. But, the GDPR also has a category of sensitive personal data, and the CCPA does not.
CCPA vs. GDPR: Who's concerned?
The CCPA affects any organization that fits its definition of a business, even if it is not based in California. According to the CCPA, a business:
- Is a for-profit entity,
- Collects users' personal information,
- Determines the purposes and means of processing personal information,
- Does business in California, and
- Meets one of the following: annual revenue of more than $25 million, processing personal information of 50,000 or more California residents annually, or earning 50% of its annual revenue from selling personal information.
Under this definition, many organizations outside California still regularly process personal data of Californians. Consider a company based in Europe that fits the CCPA's definition of a business: it will be obligated to comply with the CCPA.
The GDPR applies to data controllers, meaning any entity that processes data. Notice there are no thresholds for profit, size, public or private status, or location. As a result, all websites, organizations, and companies that offer goods and services to the EU must comply with the GDPR.
The most significant difference between the GDPR and the CCPA is the scope. The GDPR covers any person in the EU while their data is collected, but the CCPA only protects California consumers.
GDPR vs. CCPA requirements
Both the GDPR and the CCPA require organizations to respect users’ data rights.
The main rights under the CCPA and GDPR include:
- The right to be informed: understanding what data is being collected and how the organization will use it.
- The right to access: the ability to easily see their data.
- The right to portability: the ability to get a copy of their data.
The CCPA also includes:
- The right to deletion: erasing the data.
- The right to opt-out: choosing not to have data sold.
The GDPR includes:
- The right to withdraw consent: cancel permission to collect or sell data at any time.
- The right of prior consent: consent must be obtained before processing begins, and previously used consent methods are no longer valid.
While the right to opt out is similar to the right to withdraw consent, the right of prior consent (GDPR) has no equivalent in the CCPA. Regarding CCPA vs. GDPR data guidance, it’s vital to understand and respect users’ rights.
How can I make my website compliant?
The rights granted to users and the obligations placed on organizations trickle down to requirements for websites.
For any compliance queries, do not hesitate to reach out to Didomi. We help companies build value with trust and ensure data compliance through bespoke consent and preference management technology.
For a CCPA-compliant website
Before working on CCPA compliance, determine if your organization needs to comply. The CCPA defines a business as a for-profit company that meets at least one of the following:
- Has gross annual revenue of more than $25 million.
- Receives, processes, or transfers data from 50,000+ California residents annually (CPRA: 100,000+).
- Earns at least half of its annual revenue from selling or sharing the personal data of California residents.
You must comply if at least one of the above describes your organization. Here are the steps you’ll need to follow:
1) Create a comprehensive privacy policy
Your privacy policy should do three things:
- Meet CCPA consent requirements by informing consumers of your intentions at or before the moment of data collection
- Be available in the languages in which your business provides information in California
- Be surfaced via a banner or pop-up when users visit your site, typically through a Consent Management Platform
2) Inform users about their rights
Under the CCPA regulations, users have the:
- Right to Know
- Right to Delete
- Right to Non-discrimination
- Right to Opt-Out
- Right of Minors
- Right to Data Portability
There are also four new rights under the CPRA:
- Right to correction
- Right to know about automated decision-making
- Right to opt-out of automated decision-making
- Right to limit the use of sensitive personal information
3) Update your privacy policy every year
Your privacy policy should:
- Reflect any new changes in CCPA regulations
- Have the date of your most-recent update visible
- List all categories of personal information that your business has sold in the last year
4) Re-offer opt-in consent every 12 months
If the consumer has opted out, you can re-present the option to opt-in again after 12 months.
5) Include a "Do Not Sell" link (opt-out)
Users must be able to choose to opt out, and the option should be easily visible and accessible on your website. You'll also have to obtain and verify consent before collecting personal information from minors aged 13 to 16.
Enable consumers to make Data Subject Access Requests (DSARs)
A DSAR gives individuals a right to access information about personal data the organization is processing about them. You should make it as easy as possible for users to submit DSARs.
Do this by providing at least two contact options — a toll-free phone number, a web form, or an email address. Then, set up a system to enable the submission of such requests.
6) Set up a system to verify, keep track of and fulfill DSARs
Users should be able to attach verification documents to their submitted requests. You should have a system that enables these submissions and verifies the customer's identity. If you cannot verify the user's identity, the system should inform the user and explain the reasoning.
The system should also track all requests and responses for two years.
Users have a right to a response within 45 days. If necessary, the response period can be extended to 90 days from the original request.
For a GDPR-compliant website
Compliance with the GDPR looks a little different than CCPA compliance. Here are the steps you need to take:
1) Create a comprehensive privacy policy
The privacy policy should:
- Be easy to find, read, and understand.
- Inform about the lifespan of each cookie and whether third parties may have access to those cookies.
- Have similar information available in a privacy banner when the user visits your site.
2) Inform users you are using cookies or other tracking technologies
- Users must know your intentions before or at the moment you start tracking them.
- This information should be in your privacy policy.
3) Explain what your cookies are doing and why
- Inform users about the purpose of each data type you're collecting so they can consent (or not) to its collection.
- This information should be in your privacy policy.
4) Obtain your users' valid consent to store a cookie on their device
Inform users about the data collection — what are you collecting, why are you collecting it, and how long are you storing it? Asking for users' consent should be easy, such as checking a box.
Remember, you shouldn't collect any data before a user gives consent. Asking for consent should stand alone, so it doesn't get lost in the mix of other information. Ensure opting out at any time is as easy as opting in.
Document all of this information in case the business is audited.
5) Give users access to your service even if they do not consent to cookies
If a user refuses data processing, they must still be able to access your service.
6) Collect and process data only after obtaining valid consent
Cookies cannot load until a user has provided consent. Once a user consents, you can collect and process personal data precisely how the user consented.
7) Document and store consent received from users
Comply with your documentation obligation so that you can demonstrate users' consent in an audit by a data protection authority (DPA).
8) Offer a simple opt-out, as simple as the opt-in
Consent should be easy in and easy out. To do this, ensure that the options for accepting and rejecting are designed similarly.
After opt-out, ensure that no further data is collected or forwarded
When a user opts out, you can no longer collect data.
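As an added illustration of steps 4 through 8 above (example code, not Didomi's product code or anything from this article), the following JavaScript models a consent gate: trackers stay inert until a consent decision is recorded, consent only counts for the privacy-policy version it was given under, withdrawal is a single call that stops collection, and every decision is appended to an audit log. The purpose names, the tracker shape ({start, stop}) and the policy-version string are assumptions; in a real page the start callback would be what activates a script tag parked as type="text/plain".

```javascript
// Added example (not Didomi's or this article's code): a minimal consent gate for
// GDPR-style opt-in. Purpose names, tracker shape and policy version are assumed.
class ConsentGate {
  constructor(policyVersion, now = () => Date.now()) {
    this.policyVersion = policyVersion; // bump when the privacy policy changes
    this.now = now;
    this.log = [];             // append-only decision history, kept for DPA audits
    this.trackers = new Map(); // purpose -> [{start, stop, running}]
    this.forwarded = [];       // events that actually left the site
  }

  // Trackers are registered inert: nothing starts until a matching consent exists.
  register(purpose, tracker) {
    if (!this.trackers.has(purpose)) this.trackers.set(purpose, []);
    this.trackers.get(purpose).push({ ...tracker, running: false });
  }

  latest() { return this.log.length ? this.log[this.log.length - 1] : null; }

  // Default is "no consent": no record, a withdrawal, or consent given under an
  // older policy version all count as not allowed (re-consent is required).
  allowed(purpose) {
    const c = this.latest();
    return c !== null && c.decision === "granted" &&
      c.policyVersion === this.policyVersion && c.purposes.includes(purpose);
  }

  // Every decision is recorded, then trackers are started or stopped to match it.
  decide(decision, purposes) {
    this.log.push({ decision, purposes: [...purposes],
                    policyVersion: this.policyVersion, at: this.now() });
    for (const [purpose, list] of this.trackers) {
      const ok = this.allowed(purpose);
      for (const t of list) {
        if (ok && !t.running) { t.start(); t.running = true; }
        if (!ok && t.running) { t.stop(); t.running = false; }
      }
    }
  }

  accept(purposes) { this.decide("granted", purposes); } // user ticked the boxes
  withdraw() { this.decide("withdrawn", []); }           // one call, same as opt-in

  // Data path: an event for a purpose without current consent is dropped, never queued.
  send(purpose, event) {
    if (!this.allowed(purpose)) return false;
    this.forwarded.push({ purpose, event });
    return true;
  }
}
```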
Whether you’re working to comply with CCPA or GDPR, it’s a lot to manage. A Consent Management Platform (CMP) will help gather, store, and synchronize consent across countries and platforms so you can meet data privacy regulations efficiently.
CCPA vs. GDPR - FAQ
What are the main differences between CCPA and GDPR?
The main differences between the GDPR and the CCPA are:
- The focus. The GDPR focuses on a legal foundation that puts privacy first for the entire EU. On the other hand, the CCPA focuses on providing data transparency for California consumers.
- The timing. The GDPR comes into play before a user looks at the content on a website, while the CCPA helps users see who has their data and how it's used (after the fact).
- The data. In the CCPA's definition, the data need not be specific to a single person: it can relate to a household. The GDPR's definition of personal data is strictly related to an individual, not a household. But, the GDPR also has a category of sensitive personal data, and the CCPA does not.
What are the data subject rights under CCPA & GDPR?
The main data subject rights of the CCPA and GDPR include the following:
- The right to be informed: understanding what data is being collected and how the organization will use it.
- The right to access: the ability to easily see their data.
- The right to portability: the ability to get a copy of their data.
The CCPA also includes:
- The right to deletion: erasing the data.
- The right to opt-out: choosing not to have data sold.
The GDPR includes:
- The right to withdraw consent: cancel permission to collect or sell data anytime.
- The right of prior consent: consent must be obtained before processing begins, and previously used consent methods are no longer valid.
While the right to opt out is similar to the right to withdraw consent, the right of prior consent (GDPR) has no equivalent in the CCPA.
Who should comply with CCPA?
The CCPA defines a business as a for-profit company that meets at least one of the following:
- has gross annual revenue of more than $25 million
- receives, processes, or transfers data from 50,000+ California residents annually (CPRA: 100,000+), or
- earns at least half of its annual revenue from selling or sharing the personal data of California residents.
You must comply if at least one of the above describes your organization.
Is CCPA modeled after GDPR?
Many say the CCPA is the California GDPR equivalent or refer to it as the California Data Protection Regulation. Although the CCPA incorporates some of the same concepts, it is not modeled after the GDPR. The GDPR focuses on creating a legal foundation that puts privacy first for the entire EU. On the other hand, the CCPA focuses on providing data transparency for California consumers.
Think of the GDPR as something that happens before a user looks at the content on a website, while the CCPA helps users see who has their data and how it's used.
How do CCPA and GDPR compare to LGPD?
A three-way comparison is often drawn: GDPR vs. CCPA vs. LGPD. Lei Geral de Proteção de Dados Pessoais (LGPD) is Brazil’s data protection law. Its official abbreviation is LGPDP, but it is commonly called the LGPD. This law was closely modeled after the GDPR and focuses on creating a legal foundation for handling personal data in Brazil.
How are the GDPR and the CCPA enforced?
The GDPR is enforced via fines from the national data protection authorities in the EU. GDPR penalties can reach 4% of a business' global revenue or €20 million, whichever is higher.
The CCPA is enforced by California's Attorney General through monetary penalties. These fines are a maximum of $2,500 per violation, or $7,500 per intentional violation.