CCPA versus GDPR: Similarities and Differences

What is CCPA?

California Consumer Privacy Act (CCPA) is a soon to be implemented consumer data protection act in the US and applies to all the California residents. Signed on June 28, 2018, in effect January 1, 2020, it is the most robust consumer data privacy law in the U.S. to date. The law gives Californians more control and power over their personal data. Organizations that meet one of the below criteria are subject to the CCPA:

  1. Annual gross revenue is over twenty-five million dollars ($25,000,000).
  2. Buy, receive, sell, or share, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
  3. Earns 50% or more of the annual revenues from selling consumers’ personal information.

Read this article for more info.

What is GDPR?

General Data Protection Regulation (GDPR) is a data protection regulation introduced by the Information Commissioner’s Office (ICO) in the European Union (EU) in April 2016 and came into effect on 25 May 2018. The law applies to all bodies, regardless of their location, that deal with the data of EU member states citizens or residents. For example, even if a website is not based in the EU but has visitors from the EU member states, it must take the necessary steps to become GDPR compliant. Read more about GDPR here.

CCPA vs. GDPR: Key Similarities and Differences

GDPR’s reach is broader, and all organizations, regardless of their size and territory, are subject to compliance with the Regulation. CCPA seems to focus more on big for-profit organizations operating in California. Let’s look at some of the key similarities and differences between CCPA and GDPR.





Organizations that meet one of the below criteria are subject to the CCPA:

  • Annual gross revenue is more than 25 million dollars.
  • Buy, receive, sell, or share, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
  • 50% or more of the annual revenues are obtained from selling consumers’ personal information.

They also must meet the following conditions to fall under the scope of CCPA:

  • For-profit business
  • Collects personal information from Californian residents and determines the purposes and means of processing the information.
  • Operate in California.

Any organization (in and outside the EU) that handles personal data of EU citizens or residents.


Personal Information



Information that identifies, directly or indirectly, with a particular consumer or household.

Personal information” does not include “publicly available” that is lawfully made available from federal, state, or local government records.

Any information that is used to identify a data subject, alone or with other data, for example, name, age, phone number, bank details, e-Mail, login credentials, IP addresses, location, identification numbers, etc.

It also includes ‘sensitive’ data such as information about data subject’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, or sexual orientation.





  • The right to access.
  • The right to portability.
  • the right to deletion.
  • The right to notice.
  • The right to opt-out.
  • The right to non-discrimination.
  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure (Right to be forgotten).
  • The right to restriction of the processing.
  • The right to data portability.
  • The right to object.
  • Automated individual decision-making, including profiling.


Fines and Penalties



Up to $7500 per intentional violation.

Organizations have 30 days to fix any alleged violations.

Severe violation will subject to 4% of annual global turnover or €20 million - whichever is higher.

Less severe violation will subject to 2% of annual global turnover or €10 million – whichever is higher

Other actions include written warning, temporary or permanent ban, data deletion, and restriction on data transfers.





The act does not specify prior consent.

Opt-out option to be made available to consumers on the website to opt-out of the sale of personal information.

Organizations must obtain prior consent from the data subjects before processing their personal data.

Data subjects should be able to withdraw their consent at any time.





Provide a link on the websites, titled “Do Not Sell My Personal Information,” for consumers to opt-out of the sale of the consumer’s personal information.

Data subjects should be able to withdraw or refuse consent through a practical and easily accessible opt-out option at any time.





An opt-in requirement for selling personal information of minors between 13 and 16 years old, while parental consent is required for children under 13.

Parental consent required for children under 16, with the EU Member States being allowed to lower that age to 13.





Organizations must notify any California resident whose personal information was affected.

Organizations that are required to notify more than 500 California residents must also submit a single sample copy of that notification to California’s Attorney General.

Organizations have the opportunity to fix the alleged violation within 30 days.

Consumers can claim statutory damages up to $750 per incident or they can seek legal action against the organization if the court deems right.

Organizations must notify the respective Supervisory Authority within 72 hours.

If there is a high risk to the rights and freedom of the data subjects, they must also be informed and advised about an action plan.


Complying with GDPR will make the organization CCPA-compliant as well, as GDPR is more extensive. However, if an organization falls under the scope of both CCPA and GDPR, it must ensure that it does assessments for both laws. Certain disclosures of CCPA require organizations to be ready to disclose information (if requested) dating back to one year, i.e., January 1, 2019. So, they should already be well prepared to welcome the new Act. Check out this checklist for CCPA Compliance.


Disclaimer: This article is not meant to be legal advice. It is written solely to share general information. For any legal counsel, please contact a lawyer specialized in the area.

Make Your Website GDPR Compliant With CookieYes

CookieYes is a new and easy solution to make your website comply with the GDPR Cookie Law from Cookie Law Info. Join the 600,000+ website using our solutions now!

Share this post