Comparing CCPA and GDPR: 8 Key Differences Between the Privacy Laws

  • by Noah Ramirez, JD / CIPP
Comparing CCPA and GDPR: 8 Key Differences Between the Privacy Laws

Getting It Straight

The European Union’s General Data Protection Regulation (GDPR) kicked off what would be a rolling introduction to more data privacy regulations across the globe. While countries and states can pass their own standards to protect their residents, the new and changing policies make it difficult for organizations to keep track of their responsibilities. 

We’re going to break down two of the most well-known and pressing regulations, the GDPR and the California Consumer Privacy Act (CCPA) to give you a bit more clarity. What you need to know is that the general premise of these regulations is the same - to protect consumers’ right to privacy - but they can differ in their requirements and who is affected. There are detailed nuances to both, but the following chart should give you a good overview of their key differences.

All Data Privacy Laws Are Not The Same

 

GDPR

CCPA

Date

Implemented on May 25, 2018

Implemented on January 1, 2020

Affected entities

Affects any organization inside or outside of the EU that offers goods or services to or monitors the behavior of EU subjects.

Affects certain organizations inside or outside of California that do business with a California company, has California resident customers, or collects any personal data of a California resident for any purpose. Regulated companies have gross revenue greater than $25M, handles personal data of more than 50,000 consumers for commercial purposes, or derives 50% or more of its annual revenues from selling consumers’ personal data.

Representation

Requires most companies outside of the EU to designate an EU representative if they don’t have a presence in the EU and process personal data of EU residents.

There is no similar representative requirement.

Fines

Lesser violations result in up to 10 million euros ($10.8M USD) or up to 2% of the firm’s worldwide annual revenue from the previous fiscal year, whichever is higher. More severe violations can be up to 20 million euros ($21.6M USD) or up to 4% of the firm’s worldwide annual revenue from the preceding fiscal year, whichever is higher.

Civil penalties (violations lacking intent) are $2,500 for each violation. Intentional violations are $7,500 each after notice and a 30-day opportunity to remedy.

Security

Requires data controllers and processors to implement satisfactory technical and organizational measures to ensure adequate security of data.

Does not define or impose data security requirements, but it does give consumers the right to take legal  establish a right of action if a security breach occurs.

Opt-out Rights

No right to opt-out of personal data sales, but it does provide consumers the right to opt-out of processing data for marketing purposes and withdraw consent to process personal data.

Organizations must provide a clearly visible option for consumers to opt-out of the sale of their personal data and if they request “Do Not Sell My Personal Information”, the organization cannot ask again for another 12 months.

Rectification Rights

Data subjects have the right to request that an organization corrects any incorrect or incomplete personal data.

No right of rectification.

Age of consent

Age for consent is 16 and parents must consent for children under 16. Organizations must still provide an age appropriate privacy notice to the child and implement increased security measures to protect their personal data.

Age of consent is 13 and parents must consent for children under 16. All provisions in the federal Children’s Online Privacy Protection Act (COPPA) still apply.

Make It Simple Through Automation

We only highlighted the most contrasting requirements between the GDPR and the CCPA, but there are other factors that play into how your organization may or may not need to comply. There are also more data privacy regulations on the horizon. Not only will there likely be ongoing modifications to the GDPR and the CCPA, but other countries and states are poised to introduce their own set of standards in the near future. 

This growing web of laws puts organizations in a precarious situation of having to keep track of not only where and with whom they do business but also understanding all of the new and changing privacy laws across the board. Without a global data privacy regulation that offers consistent regulations, it will continue to be a continuous battle to comply.

Fortunately, organizations can automate consent management, vendor risk monitoring, privacy policy change management, and privacy law changes across the globe - all with only a single line of JavaScript. Osano makes compliance to data privacy laws simple, while also providing you with a way to monitor your vendors to ensure your supply chain isn’t putting you at risk. From subject rights to GDPR representatives, Osano is here to help you get and stay compliant.

For more detailed information about GDPR, check out our guide and  https://gdpr.eu/. If you'd like to learn more about the CCPA, we have a guide for that too.

Noah Ramirez, JD / CIPP

About The Author · Noah Ramirez, JD / CIPP

Noah is an Osano staff attorney focusing on data privacy best practices, legislative monitoring, and policy monitoring. When he's not writing about or researching data privacy Noah enjoys rock climbing and yoga.