2. / Resources
  3. / Articles

GDPR vs CCPA: Key Differences and Similarities

Privacy and Data Protection 2022-07-26

In recent years, the advancement of technology is drastically influencing the customer experience. While all parties—organizations, customers, and third parties—have more benefits in terms of communication, profits, information, and efficiency, there are many concerns that come with these new development opportunities. Concerns are mainly focused on personal data, a sensitive area of data protection.

As organizations collect and store customer personal data, they are responsible for their protection as well. Protecting customers’ data is mostly important because organizations depend on it. 

Different territories have established specific laws to protect the personal data of their citizens. Not complying with them can result in fines. Two of the most globally well-known and powerful regulations are California Consumer Privacy Act and the European Union’s General Data Protection Regulation. Both these regulations address similar issues, however, they still differ in many aspects which will be explained in this GDPR vs CCPA comparison.

GDPR vs CCPA

The General Data Protection Regulation (GDPR) is a European law on data protection and privacy that aims to enforce stronger protection and give individuals more control over their data. 

GDPR was put into effect on May 25, 2018, and it applies to all organizations that operate as members of the EU, Iceland, Lichtenstein, Norway, and Switzerland, and handle the data of these countries’ citizens.

GDPR affects the way organizations handle and process their data and contributes to their success. Organizations can benefit a lot by complying with GDPR. Some of these GDPR benefits include data process standardization, reputation protection, increased customer loyalty, trust, etc.

CCPA stands for the California Consumer Privacy Act and is one of the most comprehensive privacy legislation intended to enhance privacy rights and customer protection for the citizens of California, United States. 

This legislation promotes transparency and enables consumers to find more information in a business’s privacy policy regarding their personal data collection.

The CCPA was passed in 2018 and came into effect on January 1, 2020.  

GDPR personal data vs CCPA personal information

The GDPR personal data term include:

  1. Identification number
  2. Online identifiers (e.g. IP address)
  3. Geolocation data
  4. Name
  5. Physical attributes
  6. Health information
  7. Economic, cultural, or social identity

Personal information under the CCPA include:

  1. Real name, postal address, alias, social security numbers, driver’s license, passport information, and signature which are considered as direct identifiers
  2. Cookies, beacons, pixel tags, phone numbers, IP addresses, account names, and other indirect identifiers
  3. Biometric data 
  4. Geolocation data
  5. Internet activity
  6. Sensitive information

GDPR vs CCPA principles

The GDPR established key principles of data protection:

  1. Lawfulness, Fairness, and Transparency 
  2. Purpose Limitation 
  3. Data Minimization
  4. Accuracy 
  5. Storage Limitations 
  6. Integrity and Confidentiality 
  7. Accountability

The CCPA is based on three principles:

  1. Transparency
  2. Accountability
  3. Control

GDPR vs CCPA fines

The GDPR requires that all organizations that sell to EU consumers or collect their data, to fully comply with the regulation. Because it is a very complicated process, organizations should have qualified and professional staff who review the process and ensure compliance with the GDPR requirements. 

Not being able to comply with GDPR can result in damaged credibility, reputation, and financial status. 

Furthermore, organizations should be aware of the GDPR fines following violations. Fines for minor GDPR violations cost 10,000,000€ or 2% of annual revenue, depends which one has a higher value. For bigger violations cost can be at least 20,000,000€ or 4% of annual revenue, whichever is higher.

Fortunately, organizations can prevent data breaches and other threats by hiring a data protection officer and implementing security measures.

Any organization selling to California residents and managing personal information must comply with the CCPA requirements. Otherwise, there can be consequences.

The CCPA fines depend on the violation, however, it can include fines from $100 to $700 per consumer, in cases of breaches, or civil penalties up to $7,500.

What are some GDPR vs CCPA similarities and differences? 

Both the GDPR and the CCPA laws are concerned with data protection and information privacy. They share many similarities regarding certain terminology, protection regulations for individuals under 16 years, and the right to access more information.

However, they seem to also have some notable differences from one another. Here are some of the main GDPR vs CCPA differences:

GDPR CCPA
  • Protects citizens and residents of the EU
  • Protects permanent California residents
  • Refers to a protected citizen as a data subject which is defined as “an identified or identifiable natural person
  • Refers to the protected party as a consumer which is defined as a person who is a California resident
  • Applies to data controllers who are entities that determine the purpose and means of personal data processing and collection
  • Applies to and only affects businesses defined as entities that is “for-profit”, collects consumers’ personal information, and determines how data will be used.
  • Applies to the processing of all personal data regardless of what is intended for or how it is processed. GDPR applies to all categories of  personal data except processing conducted through non-automated and personally conducted data processing, and data processing undertaken for personal individuals’ purposes
  • Excludes from its scope many categories, such as medical information, information collected as part of clinical trial, publicly available personal information, information covered by the Driver’s Privacy Protection Act, etc.
  • Refers to the term ‘collecting’ to any personal data related action – for example collecting, selling, and storing
  • Splits all data management actions
  • Requires organizations to implement proper technical and organizational security measures
  • Allows individuals whose data is compromised to sue the responsible organization, however, it does not define any specific requirement for protecting consumer data
  • Requires parental consent for the processing of personal information of children under 16. Some states have the right to lower this age to 13
  • Only addresses the sale of children’s information and not the processing. Organizations are required to obtain opt-in parental consent for children under 13. Children aged 13-15 can provide their own consent.

GDPR vs CCPA rights 

GDPR and CCPA give customers certain rights.

GDPR rights: 

  1. Right to be informed
  2. Right of access
  3. Right to rectification
  4. Rights to erasure
  5. Right to restrict processes
  6. Right to data portability
  7. Right to object to processing
  8. Rights in relation to automated decision-making and profiling

CCPA rights:

  1. Right to request information
  2. Right to data portability
  3. Right to opt-out
  4. Right to access data
  5. Right of disclosure
  6. Right to deletion

ISO/IEC 27701, GDPR, and CCPA

ISO/IEC 27701 is a standard that deals with privacy information management and helps organizations in establishing, maintaining, and improving their Privacy Information Management System (PIMS). 

Together with ISO/IEC 27001, ISO/IEC 27701 assists organizations to boost their data privacy protection and information security. It also provides guidance for complying with GDPR and CCPA as it includes some of their main principles. 

Conclusion

In general, when analyzing GDPR vs CCPA differences and similarities, we can see that they clearly differ in many aspects like personal scope, territorial scope, and material scope. However, they both give consumers many rights and protect their citizens. All things considered, we can conclude that it is of the utmost importance to comply with the GDPR and CCPA requirements in order to collect data safely, have better reputation, and be legally protected.

About the Author

Vlerë Hyseni is the Digital Content Specialist at PECB. She is in charge of doing research, creating, and developing digital content for a variety of industries. If you have any questions, please do not hesitate to contact: support@pecb.com.


SUBSCRIBE TO OUR NEWSLETTER

Subscribe
Help Center

Training & Certification

Resources

Network

Examination

Certification

Company

Terms, Conditions, and Policies | Privacy Statement

© 2024 Professional Evaluation and Certification Board. All rights reserved.

Scroll to Top