August 5, 2022

GDPR vs CCPA: What's the Difference?

When it comes to laws and regulations on data protection and privacy, there are two main approaches: GDPR on the European side, and CCPA stateside. CCPA has often been referred to as “the Californian GDPR” and although the two overlap in places, there are a few key differences.

If you plan on doing business in Europe and/or the state of California, then it's a good idea to know the difference between GDPR and CCPA. We'll take a look at what each law entails, what data is defined, how to comply, and what happens when you don't.

Let's kick off with GDPR.

What is GDPR?

GDPR stands for General Data Protection Regulation and is a European law that aims to give individuals more control and rights over data protection and privacy. The regulation dragged decades-old laws up-to-date to provide better protection of personal information in the digital age.

GDPR came into effect on May 25, 2018, reforming how businesses and organizations collect, store, and use personal data. It's the reason behind all those cookie consent banners that pop up on almost every single website you visit.

It applies to all organizations within the EU, the European Economic Area (EEA), and member states of the European Free Trade Association (EFTA), including non-profits and businesses of any size.

It also applies to any international organization that interacts with citizens of these regions, either by processing their data or by offering goods or services (paid or free).

The EU's GDPR became a model for other countries and regions to follow suit and introduce their own data protection laws. One such follower was the State of California which we'll go into later.

Key definitions of GDPR

Some of the main differences between GDPR and CCPA come down to semantics. So, let's get some of the GDPR jargon out of the way.

Data subjects: This can be a consumer or any person who visits a website.

Personal data: Refers to any information relating to an identifiable person. Examples of such data include names, ID numbers, physical addresses, and email addresses. It also extends to sensitive data, which is a broad scope and includes:

  • any information that could reveal an individual's race, ethnic origin, religious beliefs, or political opinions;
  • genetic or biometric data, and data concerning a person's sexual orientation or physical or mental health;
  • or data relating to criminal convictions and offenses.

According to GDPR, personal data is anything that relates to an individual directly or indirectly (in combination with other data). It can also be in various formats, including images, video, audio, numerals, and words. Even if the data collected is inaccurate, it still counts, as it is linked to an identity.

Data controllers: The natural or legal person, public authority, agency, or other body that decides on the purpose and means of processing personal data. If you're a business owner or the employee in your organization responsible for handling data, then this is you.

Data processing: This is an umbrella term that refers to any operation (automated or not) performed on personal data. It includes collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, deletion, and disclosure.

Data processors: The person or legal entity that processes personal data on behalf of the controller. The processor may decide how the personal data is processed, but will never decide why it's processed.

GDPR data protection and privacy rights

GDPR describes eight “guarantees” or core user protections as the right to:

  • be informed on how personal data is used
  • access the personal data organizations are holding
  • correct personal data that is inaccurate or incomplete
  • request the deletion of personal data under certain circumstances
  • restrict or pause the processing of data if there are irregularities
  • have an organization send personal data it holds to other companies
  • object to data processing
  • be protected from harmful automated decision-making processes

GDPR and cookies

Some website cookies are essential for the proper functioning of a website, while others are used by advertisers to track users' online activity and target them with highly personalized ads. Because the data these cookies store is enough to potentially identify you, they fall within the scope of the GDPR.

In order to comply with GDPR and cookie law, an organization must:

  • Obtain users' consent BEFORE using any cookies (except those that are strictly necessary)
  • Provide specific and accurate information about the data each cookie tracks and its purpose in plain language before consent can be obtained
  • Document and store consent (or non-consent) received from users
  • Allow users to access their service even if they reject the use of certain cookies
  • Make it just as easy for users to refuse consent as it is to give consent

The practical implication of this for websites is the cookie consent banner.

Fines for GDPR non-compliance

The EU GDPR website has a compliance checklist to help organizations secure and protect their customers' data, and avoid hefty fines for non-compliance. In a worst-case scenario, a non-compliant entity could be fined up to 20 million Euros or 4% of their annual global turnover of the previous year, whichever is greater.

For less severe violations, the fines can still be hefty: up to 10 million Euros, or 2% of the organization's global turnover of the preceding fiscal year, again, whichever is higher.

Although big brand names such as Google, British Airways, and Marriott Hotels have all faced penalties for breaching GDPR rules, the biggest fine was handed out to Amazon in 2021. The online retailing giant was fined a whopping $886.6m when it was found to be tracking user data without appropriate user consent or providing a tracking opt-out.

Check out our article on the Biggest GDPR Fines Ever to see the worst offenders (so far!).

What is CCPA?

The California Consumer Privacy Act (CCPA) was passed in May 2018 and came into effect on January 1st, 2020. With no single federal data protection law, the CCPA legislation is the first of its kind in the States. It's due to be updated in January 2023 by the California Privacy Rights Act (CPRA), but until then, the CCPA is in force.

CCPA was designed to give data protection and privacy rights to consumers who are natural persons and residents of California.

It applies to for-profit businesses and entities that meet at least one of three thresholds:

  • have a gross annual revenue exceeding $25 million;
  • process the data of 50,000 or more California consumers, devices, or households for commercial purposes;
  • or make at least 50% of their annual revenue from selling personal information.

CCPA data protection and privacy rights

CCPA empowers California residents and consumers with certain privacy rights, including the right to:

  • Know about the personal information a business collects about them, how it is used, and how it is shared
  • Delete personal information collected about them
  • Opt out of the sale of their personal information
  • Not be discriminated against for exercising their CCPA rights
  • Contact information. Companies must inform consumers where they can find more information about their privacy policy and CCPA compliance
  • Be forgotten. Should a consumer request that their personal data be deleted, the company is legally mandated to do so

Key definitions of CCPA

Consumers: The concept of “consumer” in the CCPA is restricted to customers (or visitors to a website) who are natural persons and residents of California. This doesn't extend to people who are passing through California, on vacation, or there for any temporary or transitory purpose.

Personal information: Personal information (PI) according to CCPA is any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Examples include names or aliases, account names, mailing or email addresses, social security numbers, credit card info, driver's license, passport numbers, geolocation, biometric data, and any other uniquely identifiable information.

Business: Where GDPR uses the term “data controllers” to describe those who determine the purposes and means of processing a consumer's personal information, CCPA simply uses “business”.

Service provider: This is the legal entity that processes the collected data on behalf of a business and to which the business discloses a consumer's PI for a business purpose.

Data collecting, processing, selling: Where GDPR lumps all data actions under “processing”, CCPA separates them out into their own definitions. Data collecting refers to the gathering of personal information through any method; data processing happens only when the collected data is acted upon further; and data selling is a separate event that means the intentional sharing, transfer, or disclosure of a data subject's personal information.

CCPA and cookies

Website cookies and tracking scripts collect IP addresses, which are classed as a “unique identifier”, putting them within the scope of CCPA.

The CCPA doesn't require websites to ask for a user's consent before using cookies that track them, unless the consumer is under the age of 16.

What the website must do, however, is inform visitors that the website uses cookies. Additionally, if any of those cookies are used to collect and sell data to third parties, then they must also provide users with the ability to “opt-out” of the sale of their personal data.

Fines for CCPA non-compliance

Violations of the CCPA can see companies hit with civil penalties which can easily add up to millions of dollars. Normal violations can be levied a fine of $2,500 per violation. If the violations are deemed “intentional”, perhaps a repeat offense, then the company could be charged up to $7,500 per violation.

The first CCPA fine was handed out in August 2022 to Sephora. The cosmetic giant was fined $1.2 million for failing to inform consumers it was selling their personal information, and not processing user requests to opt out of the sale of personal information.

Differences between GDPR and CCPA (and similarities)

Both GDPR and CCPA arose out of the need to give greater data protection and privacy to people in a digital world where personal data has become a valuable asset. Although there is a high degree of similarity in their rationale and core provisions, there are key differences between GDPR and CCPA, namely in scope, cookie consent, and the basis for collecting data.

Scope

While GDPR protects “data subjects” within the EU and EEA, CCPA protects “consumers” in the state of California. GDPR applies to all businesses, large and small, for-profit and non-profit, that collect information from EU residents, no matter where the business is located. With CCPA, business location also doesn't matter, but for CCPA to apply, the business must be for-profit and meet one of the three criteria described above.

Cookies

Perhaps the most notable difference between GDPR and CCPA is in how the regulations deal with cookies. GDPR requires businesses to gain customer consent for the use of cookies with a clearly defined “opt-in” BEFORE accessing any of their data. CCPA on the other hand only requires entities to supply an “opt-out” option when user data will be sold or shared.

The basis for data collection

GDPR requires any business that processes personal data to have a valid legal basis for doing so. Article 6 of the GDPR describes the six possible legal bases:

  • Consent
  • To fulfill a contract
  • Legal obligation
  • Vital interests
  • Public interests
  • Legitimate interests

CCPA has no such stipulations written into the law, leaving room for the presumption that businesses can process data for any purpose (as long as those processes aren't unfair or deceptive).

Summing up the difference between GDPR and CCPA

Generally, GDPR is considered to be the stricter law, with more stringent requirements relating to data privacy. So if your business is GDPR-compliant, then becoming CCPA-compliant will be an easy adjustment.

While both GDPR and CCPA have good intentions regarding data protection and privacy, they are far from perfect or even effective in providing data protection or privacy.

CCPA has been accused of not going far enough to protect California's citizens, while GDPR is considered too complex for small businesses to implement. It has also been criticized from the user's perspective for the use of cookie banners, which results in consent that is given without thought or that has been manipulated. To find out more, read our Hoody article: The Ugly Truth About GDPR.

Ruby M
Hoody Editorial Team

Ruby is a full-time writer covering everything from tech innovations to SaaS, Web 3, and blockchain technology. She is now turning her virtual pen to the world of data privacy and online anonymity.
