There are a lot of data privacy laws being discussed and put into effect recently, two of the biggest being the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). But what are these regulations and acts and how do they affect you? If you are curious to know about how your data is being used then read on below where I will discuss CCPA vs GDPR and all you need to know about both.

CCPA vs GDPR – What Do the Laws Deal With?

Both of these laws deal with the collection of data on consumers. The California consumer protection act specifically deals with personal information whereas the GDPR act deals with personal data. The two types of data are very similar but each act has slightly different definitions regarding them.
For a consumer, they are roughly the same thing, information about you that identifies you as an individual, like your name, phone number, email, and address. For a business, it is more complicated because they must comply with these regulations and that means they have to understand the differences between the two types of data and ensure that they are covering all of it.
In the case of GDPR vs CCPA, the GDPR is much broader in their definitions and scope. Being in compliance with one does not necessarily ensure that you are compliant with the other.
woman hiding behind a panel

Personal Information (CCPA) vs Personal Data (GDPR)

The “personal data” covered by the GDPR is a much wider range of data types than the “personal information” covered by the CCPA. This means that, effectively, all personal information is personal data, but not all personal data is considered personal information.
The CCPA considers personal information to be information that identifies you as an individual. For instance, if my name were John Smith and you knew that I used the email then that would separate me from any other John Smith and would be considered personal information.
The GDPR defines personal data as any information that relates to an identifiable person. This covers a lot of the same information as “personal information” from the CCPA, but it also covers other things like your IP address or what type of browser you are using.

Do Not Sell My Personal Information (CCPA) vs Legal Grounds for Data Processing (GDPR)

A fingerprint on the face
The CCPA law allows businesses to process personal information as they please except for if a California resident chooses to "opt-out" of having their data sold. If a California resident does not do this then their data is free to be sold and processed however a business likes.
The GDPR, on the other hand, provides 6 different legal grounds that allow a business to process data and all other situations are considered non-compliant. This means that as long as a business is processing data for one of these 6 situations, they are still compliant with the GDPR, but if they process data outside of those specific circumstances they are subject to penalties.

CCPA vs GDPR – Who do the Laws Apply To?

The CCPA strictly governs California residents. Any business that collects data on residents of the state of California or is based out of California is beholden to comply with the CCPA.
The GDPR governs a wider variety of people. It covers the entirety of the European Union and any person that lives within it. Any business that is collecting data on a member of the EU is subject to the GDPR and must be operating in compliance with it or face consequences.
Neither of these laws are affected by where the company or business is based, only what people they are interacting with.

Consumers (CCPA) vs Data Subjects (GDPR)

the lawsThe CCPA only protects “consumers” which they define as being residents of the state of California. This does not include citizens of the United States that are simply traveling through California, but it does include residents of California that are in other places as long as their domicile (their home) is in California.
The gdpr meaning covers any person, not just those that are residents of the EU. It defines “data subjects” as any identifiable person. This is a much more vast and wider variety of people that are protected by the GDPR. This means that you do not have to be a resident of the EU to be protected, someone traveling through the EU that does not live there is still covered by the GDPR.

Businesses (CCPA) vs Data Controllers (GDPR) The Businesses that Must Comply

The definition of a "business" regarding the CCPA applies to a narrow range of companies. Any organization of people that have income, collect data on people, process that data, and operate in California in some way that meets certain thresholds are considered a "business" by the CCPA. These thresholds concern how much money the business makes, how many people they are collecting data on, and how much of their profits come from selling that data.

The gdpr articles continue the trend of using a much broader qualifier for their definitions, a “data controller” includes any organization that processes data. There are no other requirements, it does not matter how much money the company makes, nor how many people they are collecting data on. If the business is collecting and processing data in the EU then it is considered a “data controller” and is subject to regulation by the GDPR.

Financial Penalties

Failing to comply with the CCPA compliance checklist results in fines being levied against your business. If your business is found to be non-compliant with the CCPA then you could be fined up to $2,500 for each violation that is found or $7,500 each if you are operating internationally.

The GDPR has a much higher financial penalty at 4% of your business’ annual income globally or 20 million euros, whichever is the higher amount. This is a hefty fee and could absolutely ruin a business which makes it especially important that your business is compliant with both the ccpa requirements and the gdpr requirements list.

Consumer Rights

locked data

Both regulations provide the right for a consumer or data subject to be informed of how their data is used, access data collected on them at any time, and the right to receive data that has been collected on them. There is also the right, provided by both regulations with minor differences, to have your personal data deleted except under very specific circumstances.
Those are not the only rights provided by each regulation, however, just the ones that they have in common. The CCPA also provides the right to opt-out, which essentially means that a resident of California can tell a business that has collected their data that they do not want it to be sold to a third-party. The gdpr rights include the right of prior consent which essentially means that you must meet the gdpr consent requirements to having your data collected before a business is legally allowed to do so.

Enactment and Enforcement

The CCPA is enacted and enforced by the Attorney General of California in the United States. The GDPR is enacted and enforced by the National Data Protection Authorities which are also allowed the power to investigate companies that they suspect are not in compliance with the GDPR.

The Use of Encryption Is Addressed in Both Laws

Both the CCPA and the GDPR call for collected data to be encrypted. As long as the data is not able to be used by unauthorized users then the organization in question suffers lesser penalties and is required to react to a breach of their data in different ways.