Legislative Updates

Key Differences between CCPA and GDPR


Emptech's founder, Jeff Aleixo


Jeffrey Aleixo

CCPA GDPR Differences Data Privacy Protection

Due to the growing number of data breaches around the globe, there have been drastic changes in the way businesses collect and manage personal data. Accordingly, the protection of consumer data has become a key area of concern.

While the General Data Protection Regulation (GDPR) set the precedent for the new data privacy standards within the EU regulation, the California Consumer Privacy Act (CCPA) is considered to be one of the most significant legislative privacy developments in the U.S. Both the CCPA and GDPR are designed to protect consumer information and give them power over what happened to their data. However, while the CCPA bears a lot of resemblance to the GDPR, they are different, and GDPR compliance does not equal CCPA compliance.

CCPA and GDPR Overview

The California Consumer Privacy Act was enacted in June 2018 and went into effect on January 1, 2020. It protects the rights of consumers in California, promotes stronger privacy, and improves transparency in general. The CCPA creates a set of new consumer privacy rights that require companies to reassess the collection and use of personal information, and adapt their business procedures to accommodate the new rights. In a world in which technology and the collection and sale of personal information drive commerce, the CCPA responds to growing concerns of California residents regarding proper protection of their privacy. Also, it aims to prevent any further data breach incidents.

As the most comprehensive piece of legislation passed by the EU in recent history, the GDPR came into effect on May 25th, 2018. It was introduced to align existing data protection protocols and help consumers gain a greater level of control over their data while offering more transparency throughout the process of data collection and use. The GDPR plays a pivotal role in the way businesses manage customer data because it lays out responsibilities for organizations necessary to ensure the privacy and protection of personal data. In addition to this, it assigns powers to regulators to ask for demonstrations of accountability or even impose fines in cases where an organization does not comply with requirements.


Both CCPA and GDPR aim to guarantee strong protection for individuals regarding their personal data and apply to businesses that collect, use, or share consumer data, whether the information was obtained online or offline. However, the CCPA is different from the GDPR in some significant ways, especially when it comes to the scope of application, the nature and extent of collection limitations, and accountability rules. Here are some of the notable differences:

Consumer vs. Data Subject

Under the CCPA, a consumer is a natural person who has to be a California resident. On the other hand, according to the GDPR, a data subject is any identifiable natural person. While the CCPA covers residents of California only, a data subject under the GDPR does not necessarily need to be an EU citizen or resident. Also, the CCPA offers protection of data linked to a specific household, and the GDPR is concerned about the information related to individuals only.

Store your data on a secure cloud system and ensure maximum security for your company and your employees while eliminating security risks.

Covered Entities

According to the GDPR, all organizations, such as businesses, public institutions, and non-profit companies, need to comply. The CCPA applies to for-profit companies that meet at least one of the following criteria:

  • Has an annual gross revenue of $25 million or more,
  • Buys, uses, sells or shares the personal information of at least 50,000 consumers, households or devices within California, or
  • Receives at least half of its annual revenue by selling consumers’ personal information.


All categories of personal data come under the scope of the GDPR. On the other hand, the following types of personal information are exceptions from the CCPA’s requirements:


Both the GDPR and the CCPA demand that organizations reveal what they do with the consumer’s personal data they have collected. However, the CCPA requires that businesses disclose information about data sales and the data processing activities of the last 12 months, and the GDPR does not bind organizations by such a limitation.

Rights of the Consumers

CCPA’s right to delete personal data applies only to the data collected from the consumer, but the GDPR includes all data concerning a subject matter, no matter where it came from.

According to the GDPR, businesses have to obtain prior permission from data subjects for data processing and allowing third-party access to their data. Meanwhile, under the CCPA, Californian residents can opt-out of the data sale if they wish, and businesses have to share a visible link on their homepage for this purpose.

Penalties for Non-Compliance

Penalties are different for CCPA violations compared to GDPR. Under the CCPA, the Attorney General can bring an action to recover fines of $2500 per violation, and $7500 for intentional violations, with a 30-day notice. However, under the GDPR, companies can be fined up to $20 million or 4% of annual global turnover and they are directed through an assigned data protection authority.

Staying Ahead of Data Privacy Laws

CCPA and GDPR have broad-reaching implications for businesses around the world. There is no doubt that the recent surge in the area of privacy and data rights will incur a wave of new data privacy legislation across the U.S. Some even predict global online privacy laws. Either way, it is imperative for every business to pay attention to their data-handling practices, and make the necessary changes to comply.

Both the CCPA and GDPR draw attention to the importance of taking personal data and consumer rights to data privacy more seriously. Since there are many similarities between the CCPA and GDPR, many organizations are under the false impression that by complying with the GDPR, they also ensure compliance with the CCPA. However, the rules are different for both and there are some clear differences worth noting in each legislation.

Whether for the GDPR, CCPA, or another regulation, businesses need to prepare, ensure compliance, and take necessary steps to avoid costly enforcement actions. Meeting compliance requirements can be difficult to achieve. That is why businesses should integrate appropriate programs and technologies and simplify the process of data discovery, security, and classification. This allows them to achieve compliance with the existing data privacy regulations, prepare for those that are yet to come, and protect their organizations from potential penalties.

Get a set of cloud solutions to ensure constant data protection and focus on growing your business while staying up-to-date with current regulations.
The information contained within this document is general in nature and is not intended and should not be construed as legal, HR, or opinion by Emtpech. Please contact Emptech or another subject matter professional prior to acting on any information provided in this document. We recommend caution when contemplating acting on any information provided in this document as it may not be applicable or suitable for the specific viewer’s needs. Emptech assumes no obligation to update any viewer of any changes in law, rule, or regulation that could affect the information contained herein. Without express written permission from Emptech, no part of this document may be reproduced, retransmitted, or otherwise redistributed in any form or by any means, including, but not limited to photocopying, electronic, facsimile transmission, or using any other information storage and retrieval system.