{"id":949,"date":"2024-05-24T12:05:00","date_gmt":"2024-05-24T10:05:00","guid":{"rendered":"https:\/\/www.cookiebot.com\/en\/?p=949"},"modified":"2026-03-12T09:14:56","modified_gmt":"2026-03-12T08:14:56","slug":"ccpa-vs-gdpr","status":"publish","type":"post","link":"https:\/\/www.cookiebot.com\/en\/ccpa-vs-gdpr\/","title":{"rendered":"CCPA vs GDPR"},"content":{"rendered":"\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"770\" height=\"2110\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/05\/Infografic.png\" alt=\"\" class=\"wp-image-14205\" srcset=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/05\/Infografic.png 770w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/05\/Infografic-109x300.png 109w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/05\/Infografic-374x1024.png 374w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/05\/Infografic-768x2105.png 768w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/05\/Infografic-561x1536.png 561w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/05\/Infografic-747x2048.png 747w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/figure>\n\n\n\n<p>The <a href=\"https:\/\/www.cookiebot.com\/en\/what-is-ccpa\/\">California Consumer Privacy Act (CCPA) <\/a>and the <a href=\"https:\/\/www.cookiebot.com\/en\/gdpr\/\">General Data Protection Regulation (GDPR)<\/a> were created to give people greater power over their personal information. 
Both regulate how companies collect and use individuals\u2019 personal data.<\/p>\n\n\n\n<p>While both laws are focused on user privacy rights and putting control over one\u2019s data back into the users\u2019 hands, there are a few crucial differences between the two regulations beyond just their jurisdiction.\u00a0<\/p>\n\n\n\n<p>Here is a comparison of the key differences between CCPA vs GDPR and an overview of how organizations can comply with both.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-gdpr\">What is GDPR?<\/h2>\n\n\n\n<p>The General Data Protection Regulation is a European Union-wide regulation that controls how companies and other organizations handle personal data. It's designed to give people in the EU, regardless of their citizenship, more control over their personal data while harmonizing the rules for businesses operating across member states. It applies to organizations that process the data of people in the EU even if the organizations are not located in the EU, a reach known as extraterritoriality. The law has applied since May 25, 2018.<\/p>\n\n\n\n<p>Some key aspects of the GDPR include:\u00a0<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Organizations must only gather personal data for a particular, explicitly stated reason (purpose), which they must record.\u00a0<\/li>\n\n\n\n<li>Where consent is the legal basis, which it is for non-essential cookies and similar tracking, organizations must get explicit, informed, freely given consent from individuals for the stated purpose before collecting or using their data. 
If the purpose for processing later changes and the new purpose is not compatible with the original one, organizations must inform users and obtain new consent (or establish another legal basis) before processing for the new purpose.\u00a0<\/li>\n\n\n\n<li>Data should be deleted, returned, or anonymized when it's no longer needed.<\/li>\n\n\n\n<li>Individuals have rights regarding their data, including access to it, having it corrected or deleted, and receiving a copy of it in a portable format.<\/li>\n\n\n\n<li>Companies require a documented legal reason to handle personal data (legal basis) and should openly share with users what that reason is and how they handle collected data.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-ccpa\">What is CCPA?<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.cookiebot.com\/en\/ccpa\/\">The California Consumer Privacy Act (CCPA)<\/a>, also known as \u201cthe California GDPR,\u201d is a <a href=\"https:\/\/www.cookiebot.com\/en\/ccpa-regulations\/\">state-wide data privacy law<\/a> that regulates how organizations handle the personal information of California residents.<\/p>\n\n\n\n<p>The CCPA was passed in 2018 and went into effect on January 1, 2020. It was the first of the modern, comprehensive data privacy laws passed in the United States. 
Several states have passed laws since, and California has expanded and amended the CCPA with the <a href=\"https:\/\/www.cookiebot.com\/en\/cpra\/\">California Privacy Rights Act (CPRA)<\/a>.<\/p>\n\n\n\n<p>Some <a href=\"https:\/\/www.cookiebot.com\/en\/what-is-ccpa\/\">key aspects of the CCPA<\/a> include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>giving California residents the right to know what personal information, including <a href=\"https:\/\/www.cookiebot.com\/en\/ccpa-cookies\/\">data collected through cookies<\/a>, a business has collected about them and how it is being used and shared<\/li>\n\n\n\n<li>enabling consumers to opt out of the sale or sharing of their personal information with third parties<\/li>\n\n\n\n<li>requiring opt-in consent before a business sells or shares the personal information of a consumer under 16 (given by a parent or guardian for children under 13), and, under the CPRA, giving consumers the right to limit the use and disclosure of their sensitive personal information<\/li>\n\n\n\n<li>requiring businesses to delete a consumer's personal information upon request<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-who-needs-to-comply-with-gdpr-vs-ccpa-privacy-regulations\">Who needs to comply with GDPR vs CCPA privacy regulations?<\/h2>\n\n\n\n<p>Both the CCPA and the GDPR have global reach. The CCPA applies to businesses collecting data from California residents, regardless of the business\u2019 location, while the GDPR applies to any entity worldwide that offers goods or services to people in the EU or monitors their behavior and collects and uses their personal data.<\/p>\n\n\n\n<p>The GDPR protects any individual in the EU during data processing. The CCPA protects California residents, meaning people who are in the state for other than a temporary or transitory purpose, plus people domiciled in California who are temporarily outside it. 
Therefore, the CCPA does not apply to tourists.<\/p>\n\n\n\n<p>However, case law will likely have to make the definition of \u201cresident\u201d more granular, e.g., is a college student who resides in California for only part of the year a resident?<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-who-has-to-comply-with-the-gdpr\">Who has to comply with the GDPR?<\/h3>\n\n\n\n<p>All organizations and their properties, including websites and mobile applications, that process data of people in the European Union, must comply with the GDPR. Unlike the CCPA, the GDPR has no revenue or volume thresholds.<\/p>\n\n\n\n<p>This includes nonprofit organizations, community groups, e-commerce companies, etc. Compliance is also required if companies use third-party services like Google\u2019s or Facebook\u2019s (e.g., for advertising) to process personal data. The company that decides why and how the data is processed, the data controller, remains responsible for compliance by its third-party processors and must bind each of them with a data processing agreement (GDPR Article 28).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-who-has-to-comply-with-the-ccpa\">Who has to comply with the CCPA?<\/h3>\n\n\n\n<p>The CCPA defines the term \u201cbusiness\u201d broadly. It applies to any for-profit organization, regardless of its location, that collects personal information from California consumers and meets at least one of the following criteria:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>has annual gross revenues above $25 million<\/li>\n\n\n\n<li>buys, receives, sells, or shares the personal information of 50,000 or more California residents, households, or devices\n<ul class=\"wp-block-list\">\n<li>IP addresses are personal information, so a website whose logs or analytics record this many distinct California visitors can meet this threshold<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>gets 50% or more of its annual revenue from selling California residents' personal information<\/li>\n<\/ul>\n\n\n\n<p>With the CPRA in effect, these thresholds have been updated. The requirements now specify that:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>revenue is from the preceding calendar year<\/li>\n\n\n\n<li>50,000 consumers has been updated to 100,000<\/li>\n\n\n\n<li>\u201cdevices\u201d has been removed from the threshold<\/li>\n\n\n\n<li>sharing is included alongside the selling of personal data<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-do-gdpr-and-ccpa-differ-in-their-consent-requirements\">How do GDPR and CCPA differ in their consent requirements?<\/h2>\n\n\n\n<p>Both laws affect how websites obtain <a href=\"https:\/\/www.cookiebot.com\/en\/cookie-consent\/\">cookie consent<\/a> from users, but they take different approaches.<\/p>\n\n\n\n<p>The GDPR requires a legal basis before any personal data is collected, and for non-essential cookies and tracking that basis is prior consent, whereas the CCPA focuses on enabling consumers to opt out later, and in most cases does not require prior consent to collect and process individuals\u2019 personal data.<\/p>\n\n\n\n<p>Additionally, the GDPR has wider coverage and stricter data protection rules than the CCPA.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-consent-requirements-under-the-gdpr\">Consent requirements under the GDPR<\/h3>\n\n\n\n<p>Where consent is the legal basis under the GDPR, as it is for non-essential cookies and tracking, businesses must obtain explicit, unambiguous consent from individuals before collecting and processing their personal data, i.e., an \u201copt-in model\u201d. The consent must be a clear affirmative action and cannot be inferred from an unrelated action, from inaction, or from a pre-ticked box. 
Users also have the right to change or withdraw consent at any time, and withdrawing consent must be as easy as giving it.<\/p>\n\n\n\n<p>This requirement extends to <a href=\"https:\/\/www.cookiebot.com\/en\/tracking-cookies\/\">tracking cookies<\/a>: the ePrivacy Directive requires consent before non-essential cookies are stored on or read from a user\u2019s device, that consent must meet the GDPR\u2019s standard, and the identifiers cookies carry are personal data under the GDPR.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter is-resized\"><img decoding=\"async\" src=\"\/media\/4333\/consent_en.png?width=500&amp;\" alt=\"Cookiebot Pop Up Banner - Cookiebot\" width=\"770px\" height=\"449px\"\/><figcaption class=\"wp-element-caption\">GDPR consent banner for compliance in Europe.<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-consent-requirements-under-the-ccpa\">Consent requirements under the CCPA<\/h3>\n\n\n\n<p>The CCPA does not require opt-in consent to collect personal information. The main exception concerns minors: a business may not sell or share the personal information of a consumer it knows is under 16 without opt-in consent, which must come from a parent or guardian for children under 13. Sensitive personal information (which poses a greater risk of harm if misused) is handled differently: under the CPRA, consumers have the right to limit its use and disclosure, and the business must honor that request.<\/p>\n\n\n\n<p>Instead of prior consent, it gives consumers the right to opt out of the sale of their personal information to third parties (and also sharing with the passing of the CPRA). 
Businesses can collect and use most personal data without consent but must provide a \u201cDo Not Sell My Personal Information\u201d link on their website to allow consumers to exercise this opt-out right.<\/p>\n\n\n\n<p>With the CPRA, this link is now required to be updated to say, \u201cDo Not Sell Or Share My Personal Information\u201d. Under the CPRA regulations, a business that sells or shares personal information must also honor opt-out preference signals sent by the user\u2019s browser, such as Global Privacy Control (GPC), and treat them as a valid opt-out request without requiring the user to click the link.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter is-resized\"><img decoding=\"async\" src=\"\/media\/4337\/ccpa_main_en.png?width=500&amp;\" alt=\"Cookiebot CCPA compliant cookie declaration screenshot - Cookiebot\" width=\"770px\" height=\"353px\"\/><figcaption class=\"wp-element-caption\">CCPA opt out banner<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-data-is-protected-under-gdpr-vs-ccpa\">What data is protected under GDPR vs CCPA?<\/h2>\n\n\n\n<p>Both the CCPA and GDPR aim to protect people\u2019s personal information that could make them identifiable, either via individual data points or in aggregate. 
So their definitions of personal data are very similar apart from a few small differences.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-style-cb-rounded\"><img loading=\"lazy\" decoding=\"async\" width=\"770\" height=\"625\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/05\/cb_blog_body_770px_ccpa_vs_gdpr_202405_1.png\" alt=\"\" class=\"wp-image-14208\" srcset=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/05\/cb_blog_body_770px_ccpa_vs_gdpr_202405_1.png 770w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/05\/cb_blog_body_770px_ccpa_vs_gdpr_202405_1-300x244.png 300w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/05\/cb_blog_body_770px_ccpa_vs_gdpr_202405_1-768x623.png 768w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-definition-of-personal-data-under-the-gdpr\">Definition of personal data under the GDPR<\/h3>\n\n\n\n<p>Under the GDPR, <a href=\"https:\/\/gdpr-info.eu\/issues\/personal-data\/\">personal data is defined<\/a> very broadly as \u201cany information relating to an identified or identifiable natural person.\u201d This includes direct identifiers like names and ID numbers, as well as indirect identifiers that can be used to recognize an individual, location data, or IP address. This also includes factors specific to a person's physical, psychological, or genetic identity, healthcare or financial information, political or religious beliefs, and other factors.<\/p>\n\n\n\n<p>It\u2019s worth noting that the GDPR has a broad interpretation of personal data. This means that even seemingly harmless information can be classified as \u201cpersonal data\u201d if it can be linked to an individual or used to identify them. 
This includes items like website cookies, media recordings, biometrics, and GPS data.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-definition-of-personal-data-under-the-ccpa\">Definition of personal data under the CCPA<\/h3>\n\n\n\n<p>The CCPA has a similarly <a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/codes_displayText.xhtml?division=3.&amp;part=4.&amp;lawCode=CIV&amp;title=1.81.5\">broad definition<\/a> of <a href=\"https:\/\/www.cookiebot.com\/en\/ccpa-personal-information-ccpa-compliance-with-cookiebot-cmp\/\">personal information<\/a> compared to the GDPR, encompassing data that can directly or indirectly identify or describe a consumer or household.<\/p>\n\n\n\n<p>This includes identifiers like names, email addresses, and Social Security numbers, as well as browsing history, purchasing data, or location information. Also similarly to the GDPR, the CCPA includes indirect identifying factors specific to a person's physical, physiological, or genetic identity.<\/p>\n\n\n\n<p>However, the CCPA has a few specific exemptions for certain types of personal data that are covered under other US laws. For example, medical information is protected by the Health Insurance Portability and Accountability Act (HIPAA), and financial data is regulated by the Gramm-Leach-Bliley Act (GLBA).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-when-can-companies-use-personal-data\">When can companies use personal data?<\/h2>\n\n\n\n<p>When comparing the GDPR to the CCPA, the laws have different approaches to regulating how companies use people's personal information. The GDPR outlines six reasons, aka legal bases, at least one of which companies must follow. 
The CCPA is less prescriptive: it gives consumers rights and requires transparency, but places fewer conditions on whether a company may collect and use data in the first place.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-legal-bases-for-data-processing-under-the-gdpr\">Legal bases for data processing under the GDPR<\/h3>\n\n\n\n<p>Under the GDPR, companies can only process personal data if they have a lawful reason to do so. The GDPR lists six legal bases, and each processing activity must rest on at least one of them:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Consent:<\/strong> An individual must provide voluntary and informed consent prior to the collection and processing of their personal data. For example, a website visitor must give clear GDPR cookie consent for the company to process their personal data for purposes stated in their consent banner (e.g. marketing or analytics).<\/li>\n\n\n\n<li><strong>Contract: <\/strong>The data processing is necessary to fulfill a contract (e.g. delivering a product or service) with the person, or to take steps at the person's request before entering a contract.<\/li>\n\n\n\n<li><strong>Legal obligation: <\/strong>A company needs to use the data to comply with a law or regulation.<\/li>\n\n\n\n<li><strong>Vital interests:<\/strong> The processing is necessary to protect someone's life, safety, or well-being.<\/li>\n\n\n\n<li><strong>Public task:<\/strong> An organization needs the data to perform a task with a clear legal basis that is in the public interest, e.g. by government or law enforcement.<\/li>\n\n\n\n<li><strong>Legitimate interest:<\/strong> A company (or third party) has a legitimate business interest that requires processing personal data, e.g. an insurance company processing data to prevent fraud that may affect customers. This basis only applies if the interest is not overridden by the individual's rights and freedoms, a balancing test the company should document.<\/li>\n<\/ul>\n\n\n\n<p>Companies must be able to justify which of these legal reasons they rely on for each personal data use. 
Where consent is the legal basis, organizations also need to be able to prove that consent was obtained and that it was valid, i.e., freely given, specific, informed, and unambiguous. In practice this means keeping a record of who consented, to what purposes, when, and through which interface.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-legal-bases-for-processing-under-the-ccpa\">Legal bases for processing under the CCPA<\/h3>\n\n\n\n<p>The CCPA doesn't define when or how companies can use personal data, and in most cases does not require a prior legal basis to collect it, as long as the ability to opt out is available. The law does, however, exempt certain activities from some of its obligations (for example, a business may decline a deletion request for data it needs for these purposes), including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>obeying federal, state, or local laws<\/li>\n\n\n\n<li>cooperating with law enforcement or regulators<\/li>\n\n\n\n<li>doing internal research for product development<\/li>\n\n\n\n<li>conducting public interest research<\/li>\n<\/ul>\n\n\n\n<p>The CCPA also allows companies to use personal information for \"business purposes,\" which include auditing, security and fraud prevention, debugging, and short-term transient use.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-do-regulatory-requirements-impact-a-company-s-marketing-efforts\">How do regulatory requirements impact a company\u2019s marketing efforts?<\/h2>\n\n\n\n<p>The GDPR and CCPA can both have a significant impact on how companies can conduct their digital marketing activities.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-gdpr-compliance-and-marketing\">GDPR compliance and marketing<\/h3>\n\n\n\n<p>The GDPR significantly impacts a marketer\u2019s ability to <a href=\"https:\/\/www.cookiebot.com\/en\/website-tracking\/\">track website visitors<\/a>, collect data about their browsing patterns and preferences, and tailor their marketing activities. Additionally, it grants individuals the right to erasure, often called the \u201cright to be forgotten,\u201d allowing them to request the deletion of their personal data. 
This makes it challenging for marketers to maintain complete user profiles and tailor their campaigns accordingly.\u00a0<\/p>\n\n\n\n<p>To adapt, marketers need to take a more <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/consent-based-marketing\/\">consent-based<\/a> and transparent approach. This means obtaining clear consent for cookies and tracking, providing detailed privacy and <a href=\"https:\/\/www.cookiebot.com\/en\/cookie-policy\/\">cookie policies<\/a>, giving website visitors clear information about data processing and revocable consent options, and respecting data subject rights.<\/p>\n\n\n\n<p>For email marketing, marketers can\u2019t use implied consent, so users must explicitly opt-in to sign up for a company\u2019s email newsletter or allow cookie use. Marketers can\u2019t pre-check boxes or present a consent banner with only an \u201cAccept\u201d button. If a company has an email list for one purpose, it can\u2019t be used for another purpose without getting new, explicit user consent.\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ccpa-compliance-and-marketing\">CCPA compliance and marketing<\/h3>\n\n\n\n<p>Similar to the GDPR, CCPA makes it more difficult for marketers to personalize marketing activities. This is because much of the data used by marketers for targeting and personalization is now subject to compliance rules. Under the CCPA and CPRA amendment, users have greater rights to opt out of the use of their data for targeting and profiling.<\/p>\n\n\n\n<p>The CCPA gives users the right to know about processing, access, and have their data deleted, as well as to opt out of data sales or sharing with third parties. This can limit marketers' access to <a href=\"https:\/\/www.cookiebot.com\/en\/google-third-party-cookies\/\">third-party<\/a> and second-party data sources previously used for audience expansion.<\/p>\n\n\n\n<p>To comply with the CCPA and maintain consumer trust, marketers must take practical steps. 
The aim should be to focus on first-party data strategies and consider collecting zero-party data directly from consumers (ideally combined with preference management) to build transparent and privacy-compliant relationships.<\/p>\n\n\n\n<p>To achieve this, assess data usage through data mapping and inventory exercises. Additionally, updating privacy policies and disclosures to reflect transparent data practices is crucial.<\/p>\n\n\n\n<p>For email marketing, the CCPA applies its notice-and-opt-out model rather than the GDPR\u2019s opt-in model. Adding an adult to a company\u2019s own email list does not by itself require consent, but the consumer must be told at or before collection what the address will be used for and must be able to opt out. Disclosing the list to third parties for cross-context advertising (\u201csharing\u201d) or for payment or other valuable consideration (\u201csale\u201d) is covered by the opt-out right, so users must be able to refuse it via the \"Do Not Sell or Share My Personal Information\" link on the website. Selling or sharing the personal information of a consumer under 16 requires opt-in consent, which must come from a parent or guardian for children under 13. A company can still process users\u2019 personal data for other purposes if a user makes this opt-out request, however.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-to-be-privacy-compliant\">How to be privacy-compliant?<\/h2>\n\n\n\n<p>To be compliant with relevant privacy laws, there are different steps you need to take depending on which regulation is relevant to your business.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-how-to-be-gdpr-compliant\">How to be GDPR-compliant?<\/h3>\n\n\n\n<p>To achieve and maintain compliance with the GDPR, companies should take several steps.<\/p>\n\n\n\n<p>First and foremost, they must have a clear and transparent privacy policy that openly states how they collect and use data. 
This policy should be easily accessible to individuals, e.g., on the website, and should contain a cookie policy regarding that form of data collection and processing.\u00a0<\/p>\n\n\n\n<p>Moreover, where consent is the legal basis, companies must obtain explicit consent from individuals before processing their personal data, and must promptly stop the consent-based processing if an individual withdraws consent later; withdrawing consent must be as easy as giving it.<\/p>\n\n\n\n<p>Under the GDPR, respecting individual rights is crucial. This means granting people access to their personal data when requested (normally within one month), and deleting it when it's no longer needed for its original purpose. The GDPR emphasizes the principle of \"storage limitation,\" meaning companies are obligated to keep personal data only for as long as necessary. They can't keep it indefinitely for \u201cnice to have\u201d purposes, and if they want to use it for a new purpose that is not compatible with the original one, they must obtain new consent or establish another legal basis for that purpose.\u00a0<\/p>\n\n\n\n<p>Lastly, being accountable is crucial. Therefore, companies need to maintain thorough documentation of data practices, including records of processing activities, and undertake regular audits to ensure their ongoing compliance.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.cookiebot.com\/en\/cookie-consent-solution\/\">A consent management platform (CMP)<\/a> can help companies centralize the process of obtaining explicit user consent and managing individual rights as required by the GDPR. 
A CMP also maintains records of consent information, which can be used for auditing purposes or data subject access requests.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-style-cb-rounded\"><img loading=\"lazy\" decoding=\"async\" width=\"770\" height=\"513\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/05\/cb_blog_body_770x513_ccpa_202405_2.svg\" alt=\"\" class=\"wp-image-14207\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-how-to-be-ccpa-compliant\">How to be CCPA compliant?<\/h3>\n\n\n\n<p>CCPA compliance focuses on empowering consumers and ensuring responsible data handling practices.<\/p>\n\n\n\n<p>Firstly, it mandates that companies enable consumers to choose whether they want their personal information sold. Organizations can do this by providing a \"Do Not Sell My Personal Information\" option (now, with the CPRA as well: \u201cDo Not Sell Or Share My Personal Information\u201d). Companies need to disclose the categories of personal information they collect, the purposes for which it will be used, and the categories of third parties with whom it may be shared. However, to do this, companies need to be aware of all the website trackers and cookies in use on their websites.<\/p>\n\n\n\n<p>Secondly, it requires that companies enable consumers to know about, have access to, request deletion of, and prohibit the sale of their personal information.<\/p>\n\n\n\n<p>Similar to the GDPR, the CCPA limits storage length. 
So companies must avoid retaining personal information longer than needed and inform consumers about how long their data will be stored.<\/p>\n\n\n\n<p>A CMP can also help companies that need to comply with the CCPA by identifying all tracking technologies in use, centralizing the process of enabling consumers to opt out of data sales, and managing consumer rights as required.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-are-privacy-policy-requirements\">What are privacy policy requirements?<\/h2>\n\n\n\n<p>The GDPR and CCPA both have specific requirements when it comes to the privacy policies that companies must have in place on their website.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-gdpr-privacy-policy-requirements\">GDPR privacy policy requirements<\/h3>\n\n\n\n<p>Under the GDPR, companies must provide a clear, transparent, and easily accessible <a href=\"\/en\/privacy-policy-generator-gdpr\/\">privacy policy<\/a> that discloses the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>what personal data is being collected and processed<\/li>\n\n\n\n<li>the purposes for which the personal data is being used<\/li>\n\n\n\n<li>how long the personal data will be stored<\/li>\n\n\n\n<li>who the personal data may be shared with<\/li>\n\n\n\n<li>the rights individuals have over their personal data and how to exercise them<\/li>\n\n\n\n<li>the legal basis for processing the personal data, such as consent or legitimate interest<\/li>\n\n\n\n<li>whether the personal data will be transferred outside the EU and how it will be protected<\/li>\n\n\n\n<li>contact information for the organization (e.g. data protection officer) and for submitting rights requests<\/li>\n<\/ul>\n\n\n\n<p>The privacy policy must be easily accessible and written in plain, easy-to-understand language. If companies use cookies, then a cookie policy must also be included. 
Most importantly, where the legal basis is consent, which it is for non-essential cookies and tracking on most websites, companies must obtain explicit, affirmative consent from individuals before collecting and processing their personal data.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ccpa-privacy-policy-requirements\">CCPA privacy policy requirements<\/h3>\n\n\n\n<p>The CCPA has similar privacy policy requirements, though the specifics differ somewhat from the GDPR:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>disclosure of the categories of personal information they collect, how they use it, and whether they sell or share that information<\/li>\n\n\n\n<li>disclosure, added by the CPRA, of how long each category of personal information is retained, or the criteria used to determine that period<\/li>\n\n\n\n<li>provide an accessible privacy policy (and cookie policy) to explain, along with data processing information, consumers' rights and how to exercise them<\/li>\n\n\n\n<li>explain how sensitive personal information and children's data are handled, including the right to limit the use of sensitive data and the opt-in requirement for selling or sharing minors' data<\/li>\n\n\n\n<li>make the policy\u2019s language clear and understandable to the average individual, with no legal jargon included<\/li>\n<\/ul>\n\n\n\n<p>The CCPA does not require companies to obtain explicit consent before collecting personal information in most cases. The focus is more on providing clear notice and giving consumers the ability to opt out of data sales and sharing. However, organizations must still provide clear information on how they collect and use data, and provide accessible options for users to exercise their privacy rights.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-are-privacy-laws-enforced\">How are privacy laws enforced?<\/h2>\n\n\n\n<p>The GDPR and CCPA have different approaches when it comes to enforcement.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-gdpr-enforcement\">GDPR enforcement<\/h3>\n\n\n\n<p>The GDPR is enforced by the national data protection authorities (DPAs, formally supervisory authorities) of each European Union member state, not by the European Commission. Cross-border cases are handled under the one-stop-shop mechanism by the lead authority in the country of the company\u2019s main establishment, with the other DPAs and the European Data Protection Board (EDPB) coordinating. 
These DPAs have significant powers, including the ability to conduct audits, issue warnings, and impose fines.<\/p>\n\n\n\n<p>Individuals who believe their rights under the GDPR have been violated can file complaints with their national DPA, which is then required to investigate and take appropriate action.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ccpa-enforcement\">CCPA enforcement<\/h3>\n\n\n\n<p>The CCPA was enforced solely by the California Attorney General's Office. There is no centralized enforcement body at the national level like with the GDPR. However, with the CPRA coming into effect, education, investigation, and enforcement have shifted to the <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/california-privacy-rights-act-cpra-enforcement-begins\/\">California Privacy Protection Agency (CPPA)<\/a>.\u00a0<\/p>\n\n\n\n<p>The CCPA had a 30-day cure period, where companies had an opportunity to fix any violations before enforcement action was taken, but that ended under the CPRA.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-are-the-fines-and-penalties-for-noncompliance\">What are the fines and penalties for noncompliance?<\/h2>\n\n\n\n<p>Both the GDPR and CCPA include specifics about fines that can be levied on companies that do not comply with their requirements. Penalties are tiered based on the severity of infractions. However, the GDPR carries much heavier potential penalties than the CCPA.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-gdpr-penalties\">GDPR penalties<\/h3>\n\n\n\n<p>The GDPR has some of the highest fines of any data privacy law in the world. Companies found to be in serious or repeated violation of the GDPR can be fined up to 4 percent of their global annual revenue or EUR 20 million, whichever is greater.<\/p>\n\n\n\n<p>Lower-tier fines can be up to 2 percent of global annual revenue or EUR 10 million. 
The GDPR also gives individuals a right to compensation: anyone who has suffered material or non-material damage because of an infringement can sue the controller or processor, in addition to lodging a complaint with a DPA.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ccpa-penalties\">CCPA penalties<\/h3>\n\n\n\n<p>If you do not comply with the CCPA, the California Attorney General's Office or the CPPA can pursue civil or administrative penalties of up to $2,500 per violation, or up to $7,500 per intentional violation or violation involving the personal information of consumers under 16. Penalties are assessed per violation, so a single defect that affects many consumers can add up quickly.<\/p>\n\n\n\n<p>The CCPA also provides consumers with a private right of action, but only for data breaches: if nonencrypted and nonredacted personal information is exposed because a business failed to implement reasonable security measures, affected consumers can seek statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. Encrypting stored personal information therefore materially reduces this exposure.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-prepare-for-the-future-and-implement-a-data-management-strategy\">Prepare for the future and implement a data management strategy<\/h2>\n\n\n\n<p>The GDPR and CCPA both focus on protecting personal data and giving consumers control over it, but they have some key differences. By now, both laws are well enough established that companies should have solid privacy compliance strategies and operations in place. If not, it\u2019s never too late to mitigate the risk, and doing so is good for consumer relationships and brand reputation as well as regulatory compliance.<\/p>\n\n\n\n<p>As governments around the world continue to pass and update laws to keep pace with technology and digital markets, the best move is to implement sound data handling practices, compliance policies, and secure storage for user data, and to consult with a data privacy expert and qualified legal counsel.<\/p>\n\n\n\n<p>When comparing the rights granted by the CCPA and the GDPR, it becomes clear that prior consent makes the real difference: the GDPR requires it by default whenever consent is the legal basis, while the CCPA requires it only in limited cases such as the sale or sharing of minors' data and otherwise relies on notice and opt-out. That default is what gives the EU a legal framework that is privacy-first through user control.<\/p>\n\n\n\n\n\n\n","protected":false},"excerpt":{"rendered":"<p>The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) were created to give people greater power over their personal information. Both regulate how companies collect and use individuals\u2019 personal data. While both laws are focused on user privacy rights and putting control over one\u2019s data back into the users\u2019 hands, there [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":14209,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":true,"inline_featured_image":false,"editor_notices":[],"footnotes":""},"categories":[1],"tags":[],"class_list":["post-949","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"acf":[],"thumbnail_status":false,"thumbnail_url":"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2020\/11\/cb_blog_hero_770x513_ccpa_202405_1200x630_ffffff.png","_links":{"self":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts\/949","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/comments?post=949"}],"version-history":[{"count":0,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts\/949\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media\/14209"}],"wp:attachment":[
{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media?parent=949"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/categories?post=949"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/tags?post=949"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}