Updated April 1, 2020.
The California Consumer Privacy Act (CCPA) empowers Californians with new rights to autonomy over the data they generate every day.
The CCPA is the first major US privacy legislation to be enforced in the wake of the European General Data Protection Regulation (GDPR), which took effect in May 2018.
Some have called the CCPA “the California GDPR”, but how do the two laws actually compare?
In this blog post, we make a detailed comparison of CCPA vs GDPR. What are the main differences? How do they overlap? And how do you make your website compliant?
Come with us.
The California Consumer Privacy Act (CCPA) is the first big state-wide privacy legislation in the US.
It entered into force in the US on January 1, 2020, after the European GDPR reshaped data privacy law on May 25, 2018.
Sure, Maine and Nevada have also passed new privacy legislation or amendments to existing laws, and Nevada’s privacy law actually took effect on October 1, 2019.
However, the CCPA is of a different magnitude altogether.
The CCPA changes the way Californians can handle their own data: it empowers them with new rights to request that businesses disclose or delete the data they have already collected, or to opt out completely of third-party data sales.
CCPA opt out banner from Cookiebot for compliance in California.
The CCPA requirements create new obligations for commercial entities doing business in California. Whether your business falls under the CCPA’s obligations depends on a set of definitions, which we will look at later in the article.
Importantly, the CCPA requires businesses to provide consumers with information about the data collected, processed and sold in the past twelve months.
The General Data Protection Regulation is an EU law that came into effect in May 2018 and is uniformly binding in all 27 member states.
It controls how websites, companies and organizations are allowed to handle personal data, which covers anything from names and e-mail addresses to location data, browser history and many other things.
If your website has visitors from the EU and you – or embedded third party services like Google or Facebook – process any kind of personal data, the GDPR says that you must first obtain prior consent from the user.
GDPR consent banner from Cookiebot for compliance in Europe.
For this consent to be valid, it must be based on clear information about the purpose, extent, and duration of your data processing.
GDPR vs CCPA: EU has a different privacy framework than California.
If you do this through a cookie consent banner on your website, the EU Court of Justice (CJEU) has ruled that your banner cannot have pre-checked checkboxes on any cookie category apart from the ones strictly necessary for the operation of your website.
This applies to any website regardless of where in the world it is located and operated from, as long as it has visitors from the European Union.
For a website in California, GDPR applies if it has visitors from the EU.
If you are based in the US (or elsewhere in the world) and offer services to the EU and process data in the EU, you can try Cookiebot, the consent management platform for free today to ensure GDPR compliance for your website.
The GDPR is focused on creating a “privacy by default” legal framework for the entire EU, whereas the CCPA is about creating transparency in California’s huge data economy and rights to its consumers.
Where the GDPR creates a door for the EU user to lock prior to any data processing, the CCPA creates a window for the Californian consumer to open, in order to find out which of their data has already been obtained by a business or sold to a third party.
This metaphor spells out the main difference between the CCPA vs GDPR – namely that of prior consent versus opt out.
Where the GDPR requires websites, companies and businesses to have a legal basis for processing personal data in the EU (under which the first legal basis is consent), the CCPA does not have any framework as such.
In fact, according to the CCPA, a business does not need prior consent from a user before processing their data, nor does a website need prior consent from a user before selling their data to third parties.
The main rights of the CCPA and GDPR include the right to be informed, the right of access, and the right to portability.
They also include the right to deletion (CCPA) and the right to erasure (GDPR), with very minor differences between the two, as well as the right to opt out (CCPA) and the right of prior consent (GDPR).
The latter two are in a sense incomparable, since the right to opt-out (CCPA) is best likened to the right to withdraw consent (GDPR), whereas the fundamental right of prior consent (GDPR) has no equivalent in the CCPA.
For an extensive comparison between the rights of the CCPA vs GDPR, have a look at page 26 in FPF’s privacy law comparison.
GDPR vs CCPA: prior consent vs right to opt-out.
When comparing the rights of the CCPA vs. GDPR, it becomes clear that prior consent – exclusive to the GDPR – really makes all the difference, in that it creates a legal framework across the EU that is based on privacy first through user control.
In this section, we'll have a look at the subject matter and area of the CCPA and the GDPR.
The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The GDPR defines personal data as “any information relating to an identified or identifiable natural person (data subject), directly or indirectly, in particular by reference to an identifier.”
The difference between GDPR and CCPA is that the CCPA’s definition is extra-personal, meaning that it includes data that is not specific to an individual, but is categorized as household data, whereas the GDPR remains exclusively individual.
Unlike the CCPA, however, the GDPR creates a special category of data called sensitive personal data, the processing of which it prohibits unless one of the specific requirements is met.
This means that businesses can process data on Californians as they please, unless consumers exercise their right to opt out of having their data sold.
This is evident in the CCPA’s requirement that businesses provide a button or a link on their website that expressly says “Do Not Sell My Personal Information”, which allows consumers to swiftly opt out of third-party data sales.
So, if your company falls under the CCPA definition of a business (see definition below), to be compliant with the law you must have a “Do Not Sell My Personal Information” button that is clear, visible and accessible to users on your website.
In this section, we'll have a look at the scope of California's and EU's data protection laws.
The GDPR protects data subjects, defined as “an identified or identifiable natural person,” whereas the CCPA gives certain rights to consumers, defined as “a natural person who is a California resident.”
A data subject, according to the GDPR, can be any person and not only EU residents or citizens, unlike a consumer that is defined in the CCPA as either an individual “who is in the State for other than a temporary or transitory purpose” or an individual “who is domiciled in the State who is outside the State for a temporary or transitory purpose.”
All other individuals are non-residents, the CCPA decides.
The GDPR protects data subjects, not citizens or residents, unlike the CCPA.
If an American tourist is traveling in the EU, and their data is processed while in the Union, they will be protected by the GDPR. The companies who process their data, even if based in the US, will have to comply, so long as they offer services to data subjects inside the EU.
In other words, data subjects are any natural individuals who have data processed inside the EU by companies offering services and/or products to the Union.
Both the CCPA and the GDPR have extraterritorial scope.
The CCPA applies to companies that fit under the definition of a business (see below), regardless of whether the company is itself located in California.
As an example, a company based in Europe that fits under the definition of a business in the CCPA (e.g. trades in the data of more than 50,000 Californians annually) will be obligated to comply with the CCPA.
Similarly, the GDPR applies to all websites, companies and organizations (data controllers) in the world, if they offer goods or services to individuals within the EU.
The difference in scope, though, is that the GDPR protects any individual (data subject) who happens to be in the European Union at the time of collection or processing, whereas the CCPA only protects individuals that fall under its definition of a consumer as being a California resident (i.e. in the state for other than a temporary or transitory purpose).
The CCPA controls the conditions for businesses and their data processing activities and defines these with a set of narrow classifications.
A business, according to the CCPA, is an entity that is for-profit, collects consumers’ personal information, determines the purpose and means of processing, does business in California and meets at least one of the following thresholds:
This obviously excludes myriads of companies, organizations and websites, who process personal data of Californians every day, and will be allowed to keep on doing so after the CCPA’s effective date.
CCPA vs GDPR: California sets the bar lower than the EU.
The GDPR requirements, on the other hand, apply to data controllers, defined as any kind of entity with data processing activities.
The GDPR sets no restrictions as to size, for profit or not, public or private, inside or outside of the EU, or any of the other thresholds that are found in the CCPA.
A data controller, according to the GDPR, is simply any entity that collects and/or processes data in the EU.
This includes any company, business, organization and – last but not least! – any website, regardless of size, shape and purpose. Unlike with the CCPA, if you process any data, you are obliged to comply with the GDPR.
This underscores a big difference between the CCPA vs GDPR: namely that the latter has a much broader scope in who and what it applies to, since it does not discriminate based on e.g. the amount of money a company or organization makes a year.
Summing it up, the GDPR simply protects more people from more data processing practices than the CCPA does.
When it comes to the enforcement of the CCPA vs. GDPR, the two data privacy laws are similar in type, but again different in their scope.
The GDPR can be enforced through monetary penalties issued by the national data protection authorities in the EU member states. These can go all the way up to 4% of a company’s global annual turnover or €20 million, whichever is higher.
GDPR fines are determined by the nature, gravity and duration of the infringement. The highest fine issued so far for a GDPR violation is €50 million, by the French data protection authority CNIL.
The CCPA can be enforced by the Attorney General of California through monetary penalties, though these are much smaller than the ones issued for non-compliance with the GDPR.
They have a maximum of $2,500 per violation, with intentional violations of up to $7,500.
Violations and non-compliance with the CCPA are to be assessed and issued through civil actions by the Attorney General of California.
In the EU, according to the GDPR, it is the national data protection authorities that bear the task of promoting awareness and offering guidance to companies, organizations and websites as to how they can be GDPR compliant.
The EU data protection authorities also have investigatory powers, meaning that they can conduct audits of companies suspected of being in breach of the GDPR. They can issue warnings and order data controllers to comply with the GDPR, as well as impose bans on processing, issue administrative fines and order the erasure of wrongfully obtained data.
The CCPA, on the other hand, has much narrower supervisory possibilities. It is solely up to the Attorney General to start investigations.
It is, however, expected that no later than July 2020, the Attorney General will have created regulations for the specific areas of the CCPA that deal with its enforcement and supervision.
The GDPR is a bigger, broader privacy law that forms a data protection framework under the EU, where privacy is the default, based on prior consent of EU users. It empowers individuals in the EU with rights to access, erasure, information and the right to withdraw consent.
The CCPA, in comparison, is a smaller, more specific sectoral law that creates rights for Californian residents to gain decision rights over the data that certain businesses (that meet the CCPA’s definition) have obtained, by way of requesting access to it, having it deleted or opting out completely from having a business sell collected data to third parties.
The two laws are different on a fundamental level and create two very different legal frameworks for privacy and data autonomy in Europe and California.
Cookiebot can help you obtain GDPR and CCPA compliance on your website.
Cookiebot is a consent management solution that scans your site, finds all cookies and trackers, and automatically pauses them until your end-users give their consent to which specific categories of cookies they will allow to be placed on their devices.
Cookiebot enables multiple compliance solutions on the same website with a geotargeting function, so that visitors from the EU will be presented with a GDPR compliant banner, while visitors from California will meet the CCPA compliant cookie declaration.
This way, your website can protect its end-users in ways compliant with their own country or state's data privacy laws.