How Is CCPA Different From GDPR?
Posted by Jenna Tsui ● 5/13/20 7:53 AM

How Is CCPA Different From GDPR?

The California Consumer Privacy Act (CCPA) is a piece of landmark data privacy legislation — the first of its kind in the United States — that went into effect at the beginning of this year.

Some privacy experts have drawn comparisons between CCPA and the General Data Protection Regulation (GDPR) — the major EU privacy standard that companies have been working to comply with since it took effect in May of 2018.

The two pieces of legislation, however, aren't exactly the same, and businesses that handle sensitive customer data should understand the differences between them. While they have similar goals — giving consumers stronger control over how their data is collected and used — the CCPA and GDPR have different requirements. 

Here is how CCPA is different from GDPR, and what businesses will need to know as California begins to enforce CCPA.

What is the CCPA?

The California Consumer Privacy Act passed in 2018 and went into effect at the start of this year.

Like GDPR, CCPA is a landmark piece of data security legislation. It's the first of its kind in the U.S.

CCPA grants Californians more control over how their data is used. Under the bill, they are entitled to know how their information is utilized and request that companies stop collecting, selling or storing it. Businesses bound by the CCPA need to provide customers with some way to make those requests. They also can't discriminate against those who exercise their data privacy rights.

The bill is already in effect, but the California Attorney General will only begin enforcing it on July 1 — meaning companies should be preparing for compliance if they haven't already.

Despite how close we are to the July 1 deadline, some aspects of how the bill will be enforced aren't entirely clear. The AG's regulations regarding compliance parameters have already undergone multiple revisions and still aren't finalized as of April 28, 2020. The latest proposed draft regulations were published on March 11 and were open for comments until March 27.

Because of this confusion and additional pressure created by COVID-19, many businesses had pushed for a delay on CCPA enforcement. The AG's office, however, has said it will move forward as planned and enforce the law "upon finalizing the rules or [by] July 1, whichever comes first." The AG also released a statement reminding consumers of their data privacy rights during the outbreak, a sign that the office will likely take enforcement seriously, regardless of current circumstances.


The General Data Protection Regulation took effect in 2018 and governs the entire European Union. It provides similar privacy rights to EU citizens as the CCPA does to Californians.

While the two pieces of legislation have similar goals, they are not identical. They pursue their objectives in different ways.

Under GDPR, businesses must obtain prior consent if they want to get any kind of personal data from users. This is in contrast to CCPA, which states collecting information is acceptable, so long as users haven't decided to opt-out.

The GDPR and CCPA also define personal data in slightly different ways. Most importantly, CCPA protects household and personal stats, while the GDPR does not. Under the CCPA, household data is defined as any information that could be linked, indirectly or directly, to a specific household.  

Under CCPA, businesses can use personal data for any purpose, so long as customers haven't opted out. The GDPR, by contrast, limits the situations in which collection is acceptable. Most importantly, GDPR requires that customers opt-in to having their information collected. While a CCPA-compliant business can get away with gathering it and only stopping if people have opted out, businesses bound by GDPR need to actively request prior consent from users. 

Some other elements of GDPR and CCPA are parallel in function — like the CCPA right to deletion and the GDPR right to erasure. While the names differ, the two rights are almost the same.

If you want a more specific break-down of how GDPR and CCPA differ and overlap, the Future of Privacy Forum has authored a 27-page comparison of the two laws that covers almost every nuance and subtle difference.

CTA Banner - ebook - 9 reasons for public cloud
Why Your Business Needs to Know the Difference

Because GDPR and CCPA differ in some aspects, complying with one doesn't necessarily mean you're in compliance with the other.

Your business, if it holds on to customers' data, will likely need to take steps to comply with CCPA — even if it's already GDPR-compliant.

Businesses operating in certain sectors — especially those that rely heavily on user data collection — will likely need to make the biggest changes to stay compliant and avoid the potential consequences.

Companies that provide cloud document management will need to create systems that allow users to exercise their CCPA rights. If yours collects user data, you should already be figuring out how to store it so you can correctly inform users what you have. And remember: Clients are allowed to delete that data, if necessary.

Finally, GDPR and CCPA do not necessarily affect all businesses. Both pieces of legislation have provisions that limit their scope. For example, CCPA doesn't even govern all companies that operate in California. If your business makes less than $25 million in annual revenue, possesses personal data on less than 50,000 customers and earns less than half its income from selling customer data, it almost certainly isn't bound by CCPA regulations.

Whether or not you are bound to GDPR and/or CCPA depends entirely on the size of your business and where your customers are located. 

What Businesses Should Know About GDPR and CCPA Compliance

Very soon, many businesses with customers in California will need to provide them with a slew of new data-related privacy rights. While the CCPA ensures rights similar to those granted by GDPR, companies that are already GDPR-compliant will likely need to be compliant with both.

As a result, businesses should know the major differences between the two pieces of legislation — like CCPA's protections on household data and GDPR's opt-in approach to data privacy. Then, companies can operate with confidence, knowing they are operating in compliance with the rules.

Strengthen Your Compliance Management with AODocs

AODocs is a content services platform designed to modernize the way businesses work - offering a low code environment to build content-rich applications, powerful automation and workflows, and business applications with comprehensive security and compliance capabilities.

Learn More

About the Author

Jenna Tsui is a cybersecurity and technology writer with bylines on sites such as Technology Networks, Uniwebb, Triple Pundit, and more. To read more of her posts, please visit The Byte Beat or follow her on Twitter.

Tags: Compliance