What is CCPA?

California Consumer Privacy Act (CCPA) is a consumer data protection act in the US and applies to all California residents. Signed on June 28, 2018, in effect on January 1, 2020, it is the most robust consumer data privacy law in the US to date. The law gives Californians more control and power over their personal data. Organizations that meet one of the below criteria are subject to the CCPA:

  1. Has annual gross revenue of over twenty-five million dollars ($25,000,000).
  2. Buys, receives, sells, or shares, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
  3. Earns 50% or more of its annual revenue from selling consumers’ personal information.

Read this article for more info.

What is GDPR?

General Data Protection Regulation (GDPR) is a data protection regulation introduced by the Information Commissioner’s Office (ICO) in the European Union (EU) in April 2016; it came into effect on May 25, 2018. The law applies to all bodies, regardless of their location, that deal with the data of EU member state residents. For example, even if a website is not based in the EU but has visitors from EU member states, it must take the necessary steps to become GDPR compliant. Read more about GDPR here.

CCPA vs. GDPR: Key Similarities and Differences

Let’s look at some of the key similarities and differences between CCPA and GDPR.

Scope

CCPA:

Organizations that meet one of the below criteria are subject to the CCPA:

– Annual gross revenue is more than 25 million dollars.

– Buy, receive, sell, or share, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

– 50% or more of the annual revenue is obtained from selling consumers’ personal information.

They also must meet the following conditions to fall under the scope of CCPA:

– For-profit business.

– Collects personal information from Californian residents and determines the purposes and means of processing the information.

GDPR:

Any organization (in or outside the EU) that handles the personal data of people in the EU.

Personal Information

CCPA:

Information that identifies or can be linked, directly or indirectly, with a particular consumer or household.

“Personal information” does not include “publicly available” information that is lawfully made available from federal, state, or local government records.

GDPR:

Any information that can identify a data subject, alone or combined with other data, for example, name, age, phone number, bank details, email, login credentials, IP addresses, location, identification numbers, etc.

It also includes ‘sensitive’ data such as information about the data subject’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, or sexual orientation.

Rights

CCPA:

– The right to access.

– The right to portability.

– The right to deletion.

– The right to notice.

– The right to opt-out.

– The right to non-discrimination.

GDPR:

– The right to be informed.

– The right of access.

– The right to rectification.

– The right to erasure (right to be forgotten).

– The right to restriction of processing.

– The right to data portability.

– The right to object.

– Rights related to automated individual decision-making, including profiling.

Fines and Penalties

CCPA:

– Up to $7,500 per intentional violation.

– Organizations have 30 days to fix any alleged violations.

GDPR:

– Severe violations are subject to a fine of up to 4% of annual global turnover or €20 million, whichever is higher.

– Less severe violations are subject to a fine of up to 2% of annual global turnover or €10 million, whichever is higher.

– Other actions include a written warning, a temporary or permanent ban, data deletion, and restrictions on data transfers.

Consent

CCPA:

– The act does not specify prior consent.

– An opt-out option must be made available to consumers on the website so they can opt out of the sale of their personal information.

GDPR:

– Organizations must obtain prior consent from the data subjects before processing their personal data.

– Data subjects should be able to withdraw their consent at any time.

Opt-out

CCPA:

Provide a link on the website, titled “Do Not Sell My Personal Information,” for consumers to opt out of the sale of their personal information.

GDPR:

Data subjects should be able to withdraw or refuse consent through a practical and easily accessible opt-out option at any time.

Children

CCPA:

An opt-in requirement applies to selling the personal information of minors between 13 and 16 years old, while parental consent is required for children under 13.

GDPR:

Parental consent is required for children under 16, with EU Member States being allowed to lower that age to 13.

Breach

CCPA:

– Organizations must notify any California resident whose personal information was affected.

– Organizations that are required to notify more than 500 California residents must also submit a single sample copy of that notification to California’s Attorney General.

– Organizations have the opportunity to fix the alleged violation within 30 days.

– Consumers can claim statutory damages of up to $750 per incident, or they can take legal action against the organization if the court deems it appropriate.

GDPR:

– Organizations must notify the respective Supervisory Authority within 72 hours.

– If there is a high risk to the rights and freedoms of the data subjects, organizations must also inform them and advise them of an action plan.

Complying with GDPR will make the organization CCPA-compliant as well, as GDPR is more extensive. However, if an organization falls under the scope of both CCPA and GDPR, then it must ensure that it does assessments for both laws. Certain CCPA disclosure requirements mean organizations must be ready to disclose information (if requested) dating back one year, so they should already be well prepared. Check out this checklist for CCPA Compliance.

Frequently asked questions

How is CCPA different from GDPR?

CCPA is different from GDPR in a number of ways. For starters, CCPA is a US law and GDPR is a European law. Both laws are in response to large data breaches that have received national attention (Equifax and the Marriott breach respectively). Both laws require companies to protect consumer data from theft and provide recourse for consumers whose data has been stolen or improperly accessed. The main difference comes in enforcement. CCPA gives enforcement jurisdiction to states, whereas GDPR gives enforcement jurisdiction to EU member countries. This results in more potential penalties under GDPR because of the greater number of parties involved in enforcement (EU member states). In addition, GDPR has some more detailed requirements for more aspects of data security, including written security policies and documentation of the data breach.

Does GDPR cover CCPA?

No, GDPR does not cover CCPA. CCPA is a state-level law, passed to protect consumers who live in California. The law provides them with more rights and options when it comes to handling their personal information.

GDPR, on the other hand, is an EU regulation. It’s not just a law, but an entire framework for data protection that applies to all member countries within the EU.

What is GDPR & CCPA compliance?

GDPR and CCPA compliance means that you are following the rules for data protection set by the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The regulations are designed to give consumers more control over how their information is used and to ensure that companies are accountable for protecting the rights of their customers. These laws govern how companies collect, use, and store data from EU citizens or residents (GDPR) and Californians (CCPA).

What is the California equivalent of GDPR?

The California equivalent of the European Union’s General Data Protection Regulation (GDPR) is the California Consumer Privacy Act (CCPA). It requires businesses to disclose what personal information they collect and share and gives California consumers more control over their data. It also requires companies to notify consumers in the event of a data breach.

Disclaimer: This article does not represent any legal advice. The sole purpose of this article is to share general information. Hence, for any legal counsel, please contact a lawyer specialized in the area.