The EU's General Data Protection Regulation (GDPR) began to apply in May 2018. California followed soon after with the California Consumer Privacy Act (CCPA), which came into effect on 1 January 2020.
Both laws govern how personal data is collected, used, and protected. Any organization that handles the personal data of individuals in the EU or of California residents needs to comply with the GDPR or the CCPA, respectively, and many will fall under both. Since the two laws overlap in many ways but differ in important details, this article covers the key similarities and differences so you can make sure your organization complies with both.
The Main Similarities and Differences of GDPR and CCPA
- Both the GDPR and the CCPA were created to give consumers enforceable rights over their personal data. Organizations can no longer do whatever they like with user data; they must follow specific rules on how it is collected, used, shared, and protected.
- One significant similarity is that both laws protect the individual regardless of where the data is stored or where the organization processing it is located. If you work in any way with people located in the EU or residents of California, you have to comply with the GDPR or the CCPA, respectively, even if your organization has no physical presence there. The CCPA, however, only applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue above $25 million; buying, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or deriving 50% or more of annual revenue from selling consumers' personal information. The GDPR has no size threshold.
- GDPR focuses on becoming a so-called ‘privacy by default’ framework for the entire EU. On the other hand, the CCPA strives to create transparency and ensure organizations respect the rights consumers have with their data.
- If an organization breaks the rules set in either law, it faces financial penalties, but the two laws size them differently. GDPR administrative fines are capped at the higher of €20 million or 4% of the organization's worldwide annual turnover for the most serious infringements (€10 million or 2% for lesser ones). CCPA civil penalties are assessed per violation, up to $2,500 for each violation and $7,500 for each intentional violation, so there is no fixed ceiling on the total; in addition, the CCPA gives consumers a private right of action, with statutory damages of $100 to $750 per consumer per incident, when certain personal information is exposed in a breach caused by a failure to maintain reasonable security.
- Both laws give consumers a say in whether their data is collected and shared, but they approach it from opposite directions. Under the GDPR, an organization must have a lawful basis before it processes personal data at all; where that basis is consent, the consent must be opt-in: a freely given, specific, informed, and unambiguous affirmative act, with pre-ticked boxes and silence not counting. Under the CCPA, a business must give notice at or before the point of collection and must offer a clear way to opt out of the sale of personal information (the "Do Not Sell My Personal Information" link), but it does not need opt-in consent from adults. The exception is minors: the CCPA requires opt-in consent before selling the personal information of consumers under 16, and parental consent for those under 13.
- Both laws give consumers the right to access the personal data held about them and to have it deleted. Under the GDPR these are the rights of access and erasure, which you must generally honour within one month (extendable by two further months for complex requests); under the CCPA they are the rights to know and to delete, with a 45-day response window (extendable once by a further 45 days). Neither right is absolute: both laws allow you to keep data you need to complete a transaction, meet a legal obligation, or defend legal claims, but you must be able to identify all the personal data you hold on a given individual to respond to either request.