
GDPR vs CCPA vs CPRA: what's the difference?

Compare CCPA vs GDPR compliance: Understand the differences in scope, compliance, consumer rights, data security, and penalties for global businesses.
Read time
8 min read
Last updated
August 26, 2024

The EU General Data Protection Regulation (GDPR), which took effect in May 2018, revolutionized global data privacy practices. It paved the way for other privacy laws, including the California Consumer Privacy Act (CCPA), enacted on January 1, 2020. The CCPA has since been expanded by the California Privacy Rights Act (CPRA), effective January 1, 2023.

The first law of its kind in the United States, CCPA/CPRA is often equated with GDPR. While GDPR and CCPA compliance both aim to give consumers control over how their personal information is collected, used, and shared, there are several differences between the two regulations. Those differences affect who is covered, what companies must do to comply, and the risks associated with noncompliance.

GDPR vs CCPA: a comprehensive side-by-side comparison

Understanding the differences between CCPA and GDPR is crucial for global businesses navigating data protection laws. If your business is global and online, there’s a good chance that you’re subject to both CCPA/CPRA and GDPR privacy policy regulations. However, just because you comply with one, doesn’t necessarily mean you comply with both privacy laws.

How is GDPR different from CCPA?

GDPR requires an "opt-in" for data collection, meaning businesses must get explicit consent from EU users. CCPA, however, allows data collection by default but mandates an "opt-out" option for California residents to prevent the sale of their personal data. This highlights GDPR's stricter consent requirements compared to CCPA's focus on data sales.

What are the key differences between the GDPR and CCPA?

GDPR protects any identifiable person in the EU, covering all personal data with strict compliance rules. CCPA/CPRA, aimed at California residents, focuses on personal and household data with specific rights and penalties. Both enhance privacy but differ in scope, rights, and enforcement.

There are 5 key differences between CCPA/CPRA and GDPR:

  1. Scope of protection
  2. Key compliance requirements
  3. Consumer rights
  4. Data security
  5. Penalties for non-compliance

| Feature | CCPA/CPRA | GDPR |
| --- | --- | --- |
| Scope of protection | California residents, legal California residents, household data. | Any identified or identifiable person within the EU. |
| Compliance requirements | Entities with $25M+ revenue, data of 50K+ consumers, or selling data for 50%+ of revenue. | All entities offering goods/services in the EU or monitoring EU behavior. |
| Consumer rights | Access to data (12 months), opt-out of sales, data deletion (no correction). | Access to all data, opt-out of processing for marketing, data deletion and correction. |
| Data security | Requires businesses to ensure security; consumer action for breaches. | Mandates technical and organizational measures like encryption. |
| Penalties for non-compliance | $2,500 per violation, $7,500 for minors’ data; no cap. | Up to 4% of annual global revenue or €20 million, whichever is higher. |

Let's take a look at each of these differences in detail.

1. Scope of protection


Who and what information is protected by data privacy laws?

The CCPA/CPRA data privacy law was established specifically to protect the rights of California residents, which the law defines as “a natural person who is a California resident” living in the state for any reason other than temporary or transitory purposes, as well as anyone living outside of the state who is considered a legal California resident. The law is aimed at consumers of household goods and services, employees, and anyone involved in business-to-business transactions.

In contrast, GDPR states that it protects ANY living identified or identifiable natural person, and that person does not need to be considered a resident of the EU or located within the EU. This is a much broader scope aimed more at companies offering goods and services in the EU rather than those only doing business with EU citizens.

CCPA/CPRA and GDPR both have broad definitions as to what constitutes personal data, which includes any information that can identify a consumer such as name, IP address, email, social security number, online cookie identifiers, etc. While similar in scope, CCPA/CPRA is more specific in clarifying the various categories of personal information and also clearly states that it includes anything that can be linked to a household as well as a consumer. GDPR does not specifically address households, but enforcement under GDPR’s governing authority has shown the law to include households since in reality, any personal information that can identify a household can also identify a consumer.

It was previously thought that the two regulations varied greatly when it came to sensitive information, since CCPA did not originally fully address this category of data. However, CPRA now clearly addresses information such as geolocation, biometric data, health information, race or ethnic origin, sexual orientation, and the like. With that change, the only significant remaining difference in terms of what information is protected is that GDPR covers publicly available data while CCPA/CPRA does not.

2. Compliance requirements


Who has to comply with data protection laws such as the CCPA vs GDPR?

According to CCPA/CPRA, any for-profit entity doing business in California that meets any one of the following thresholds is required to comply with the consumer privacy act if they intend to collect personal information:

  • Annual gross revenue in excess of $25 million
  • Buying, receiving or selling personal information of more than 50,000 consumers or households (expanded to 100,000 under CPRA come 2023)
  • Earning more than half of your annual revenue from selling personal information

Read more: Who does the CCPA apply to?

Under this definition, your business does not need to be physically located in California, or even in the U.S. for that matter to comply with these data protection laws. The revenue threshold of $25 million also applies to ALL revenue, not just revenue attributed to California residents. Additionally, the definition of “selling personal information” is not confined to the classic sense of the word but rather includes disseminating or disclosing information in any way across websites, apps, web networks, and more (read more: what constitutes a sale under CCPA/CPRA).

Read more: CCPA compliance checklist


Unlike CCPA/CPRA, GDPR does not define specific thresholds but applies to ALL companies that offer goods or services in the EU, or that monitor the behavior of persons in the EU, irrespective of the company’s location. This means that even if your company has minimal presence in the region and no established EU location, if you do any business in the EU you need to comply with GDPR. And don’t assume that you’re safe just because you aren’t selling into EU markets—if your website is accessible from the EU, you may be collecting data about Europeans, even if you never receive a single euro from those digital visitors.

3. Consumer rights


What type of rights do you need to provide?

Under the right to be informed, CCPA/CPRA and GDPR both require businesses to provide information in advance, via a privacy notice, about the personal data they collect and how it will be used. Both regulations also establish the right of access, allowing consumers to know what personal information an organization holds and giving them the right to submit data subject requests. The right of access also requires you to provide the means for consumers to request access, disclose all categories of personal data held, and deliver the information to the consumer. There are some differences in timing when comparing GDPR and CCPA: the right to access under CCPA/CPRA applies only to information collected in the 12 months prior to the request, with a deadline of 45 days to respond, while GDPR applies to all information with one month to respond. Both regulations allow for extensions with notice.

CCPA/CPRA and GDPR opt-out rights are similar in their overriding objective, but there is a substantial difference between the two regulations. CCPA/CPRA grants the right to opt out of the sale of personal information to third parties and requires a clear and conspicuous “Do Not Sell My Personal Information” link on a website’s homepage. GDPR isn’t quite as absolute: it gives consumers the right to opt out of “processing data for marketing purposes” and to withdraw consent to process personal data, while giving businesses an exception if they can demonstrate compelling legitimate grounds for collecting personal data.

While both privacy regulations also give consumers the right to have their personal information deleted, one key difference is that GDPR also gives consumers the right to request that an organization corrects any inaccurate or incomplete personal information. CCPA/CPRA does not cover any rights of personal data rectification.

4. Data security


How do you ensure security of privacy data and personal information?

CCPA/CPRA and GDPR are similar in that businesses need to ensure an appropriate level of security for personal information, but while GDPR requires technical and organizational measures to comply (e.g., encryption), CCPA/CPRA frames this requirement more as a consumer right. Under CCPA/CPRA, consumers have a right of action for unauthorized access and exfiltration, theft, or disclosure of personal information resulting from a business’s failure to maintain appropriate security measures. To stay compliant with both CCPA and GDPR data privacy standards, you will need to maintain secure websites and protect consumers’ personal data.

5. Penalties for non-compliance


What are the risks of noncompliance with the CCPA and GDPR?

Penalties for noncompliance with CCPA/CPRA and GDPR both aim to hit where it hurts—your bottom line. Depending on the severity of the violation, GDPR fines can be up to 4% of annual global revenue or 20 million euros ($24 million USD), whichever is higher. CCPA/CPRA instead assesses penalties per individual violation: $2,500 per violation, and $7,500 per violation concerning minors’ personal data.

CCPA/CPRA has no ceiling on the number of privacy violations, so depending on your annual revenue, penalties can add up beyond those of GDPR. An online retailer doing business with a million Californians could quickly find themselves faced with $2.5 billion USD in fines if a data breach or other policy violation hits the company’s entire data set of customers.

Meeting your obligations under both GDPR and CCPA/CPRA can seem daunting—especially given the differences between the two and the seemingly ever-changing rules. Get in touch today to learn how Ketch can help make your company fully GDPR and CCPA/CPRA compliant.


GDPR vs CCPA FAQs

What is the US equivalent of the GDPR?

The US equivalent of the GDPR is the CCPA (California Consumer Privacy Act). While not as comprehensive as GDPR, CCPA focuses on data privacy for California residents, with rules on data collection, transparency, and sales, and it has been expanded by the CPRA (California Privacy Rights Act).

Is CCPA stricter than GDPR?

CCPA and GDPR have different focuses. GDPR is stricter on consent and data rights across the EU, while CCPA is more lenient but has strong rules on data sales and applies to California residents. Neither is universally stricter; it depends on the specific area of compliance.

Did GDPR inspire CCPA?

Yes, GDPR influenced the creation of CCPA. GDPR's focus on data privacy and consumer rights inspired California to implement similar regulations with CCPA, aiming to protect residents' personal information and enhance privacy rights.

Published
May 17, 2021