The GDPR vs. CCPA: Two major privacy laws impacting your business

September 8, 2021
The GDPR vs. CCPA: Two major privacy laws impacting your business

Data privacy continues to be a major topic of interest for consumers and businesses around the world. It almost feels like there is a discussion over a new privacy regulation or law going into effect every day—we’ve outlined a few in our recent A Little Privacy recap. However, it can be a lot to keep in mind for businesses that collect and process data.

Two of the most important data privacy regulations that have gone into effect are the European Union’s General Data Protection Regulation (GDPR) and The California Consumer Privacy Act (CCPA). While there are some similarities to these privacy laws, they are unique in the scope, focus, and definitions. 

Both data privacy regulations are comprehensive and broad, potentially impacting any entities that collect and process consumers’ personal data. To help you get a high-level understanding of each, take a look at our GDPR and CCPA comparison chart below.

The EU General Data Protection Regulation (GDPR)The California Consumer Privacy Act (CCPA)
OverviewThe General Data Protection Regulation is a regulation in EU law designed to enhance individuals’ control and rights over their personal data and simplify the regulatory environment for international businesses. 

It is defined as a regulation, not a directive, which means it is directly binding while providing flexibility for individual EU member states. 

This means that approaches to compliance can vary widely between European countries. 
The CCPA is designed to empower consumers to control the personal information that businesses collect and process. 

The California Privacy Rights Act (CPRA), effective in 2023, will amend and expand the CCPA and have a “lookback period” to January 2022.
Implementation DateThe GDPR was adopted on April 14th, 2016, and took effect on May 25, 2018.The CCPA took effect on January 1, 2020 (with some exceptions).
Who does the privacy regulation protect?“Data Subjects” are natural persons whose data is processed (like customers and website visitors).

The Data Subjects have the right to be informed about how their personal data is collected and used, the right to access the collected data, the right to object to the processing of their personal data, and the right to request their data erased.
Protection under the CCPA is limited to California residents, as defined under the California tax code.

As California residents, consumers may ask businesses to disclose the personal information they collected, what the business does with that information, and request the business not to sell the information and/or delete it.
What type(s) of personal information is protected?The GDPR defines personal data as any information that relates to an identified or identifiable natural person.Under the CCPA, personal information is defined as anything that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked with a particular consumer or household. 
What type(s) of entities are impacted?All natural or legal persons, public authorities, agencies, and other bodies, regardless of their physical headquarters or location of processing, that process the personal data of data subjects that are in the European Economic Area must comply with the GDPR if such processing activities relate to the offering of goods or services or the monitoring of behavior within the European Economic Area. This includes all entities that collect, store, transmit, or otherwise process such data. The GDPR also applies to the processing of personal data in the context of the activities of an establishment of an entity in the European Economic Area, regardless of where the processing takes place and regardless of where the data subjects are located. The CCPA applies to all for-profit legal entities that conduct business in California and meet any of the following criteria:

– Have a gross annual revenue exceeding $25 million

– Buy, receive, or sell personal information of 50,000 or more California residents, households, or devices

– Earn 50% or more of their annual revenue from selling California residents’ personal information

The physical headquarters of the business is irrelevant if they are doing business in California and satisfy the above thresholds.  
Key RolesController: A natural person or legal entity that determines the purposes and means of processing personal data. The controller is responsible for ensuring the entity’s compliance with GDPR.

Processor: A natural person or legal entity that processes personal data on behalf of the controller. 

Data Protection Officer (DPO): This is a leadership role required by the EU GDPR. The role is responsible for the strategy, approach, and execution of GDPR compliance.

Supervisory Authority: A public authority within an EU country (also known as a member state) monitors GDPR compliance. The Supervisory Authority can conduct audits, make recommendations, address complaints, and issue fines.
Business: A business is any legal entity that operates for profit, operates in California and meets at least one of the three thresholds defined by the CCPA (outlined above).

Service Provider: A Service Provider is any legal entity that operates under a service provider contract, operates for profit, receives consumers’ personal information from a business, and processes personal information on behalf of the business.

Third Party: A third party refers to any entity that is not a business that collects personal information from consumers or a person to whom a business discloses a consumer’s personal information. Third parties receiving personal information are prohibited from selling the personal information, retaining, using, or disclosing the information for any purpose other than the specific purpose of the services specified in a contract, and retaining, using, or disclosing information outside the direct business relationship.
Requirements for businessesBusinesses must implement technical and operational safeguards to protect the personal data they control. They must also maintain a record of processing activities.

For data processing activities that result in a high risk to the rights and freedoms of data subjects, the controller must conduct a data protection impact assessment.

In addition, they must have a legal basis for any processing of personal data, which may include obtaining consent. 
In some cases, businesses may be required to appoint a Data Protection Officer and update their privacy policy.

Their privacy policy must be concise, transparent, intelligible, and easily accessible. The exact requirements for the privacy policy depend on whether an organization is collecting data directly from an individual or if it receives it as a third party. 

For more information on the privacy notice, visit
All impacted businesses must give consumers a notice at the time of collection that lists all of the personal information the business collects about consumers and the purposes for collecting the information. 

The notice must include a link to the business’s privacy policy, which must include a complete description of the business’s privacy practices, financial incentives, and privacy rights. 

If a business is selling consumers’ personal information (The “sale” of personal information is defined as sharing personal information with another business or third party for monetary or other valuable consideration), they must include an option for consumers to opt-out, accessible through a “Do Not Sell
My Personal Information” link on the homepage or landing page of a website or application where the information is collected. 
Penalties for noncomplianceDepending on which provisions are violated, the consequences could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. 

In other cases, it may result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
Failure to comply with the CCPA and its requirements may result in the following penalties:

– Maximum civil penalties of $7,500 for intentional violations
– Maximum civil penalties of $2500 for unintentional violations
– Consumers can file private lawsuits for $100-$750 maximum or actual damages (whichever are higher) for each instance of a violation of the security obligations under CCPA resulting in a security breach (or data breach).

In all cases, businesses will have 30 days to resolve violations prior to paying the penalties.

There is no upper cap on penalties, and a business may face penalties for each instance of a violation. That means if a company violates 50,000 individual requests that are deemed intentional by the attorney general, the penalties could add up to around $375 million.

One of the biggest differences between the GDPR and CCPA is the scope of who is protected. The GDPR is much broader as it protects what they define as a “Data Subject” who is located in the European Economic Area. The CCPA was modeled after the GDPR; however, it specifically protects “Consumers” that are identified as a natural person who is a California resident.

Therefore, as long as an organization is offering goods services or monitors the behavior of a data subject in the EEA, the organization must adhere to the GDPR. Similarly, if a for-profit organization meets any of the defined criteria of the CCPA, it must adhere to the requirements. But generally, given the momentum around new privacy regulations around the globe, many companies are moving away from thinking about the CCPA vs. GDPR, what the GDPR requires, and vice versa.

The Importance of responsible digital citizenship and data ethics

The GDPR and CCPA are just two instances of a larger trend focusing on data privacy for individual users. There will be more requirements, privacy laws, and regulations to address this focus moving forward. In this ever-changing digital world, businesses need to prioritize responsible digital citizenship and data ethics across all jurisdictions, regardless of the technicalities of the law. This means you ensure that your business is adhering to regulations as a means to behave safely, participate responsibly, and maintain the integrity of the digital space.

Schedule a demo to see how Sourcepoint’s Dialogue Consent Management Platform (CMP) can help you comply with privacy regulations like GDPR and CCPA while enabling consented personalized experiences for your users.

Disclaimer: The information above is provided for general, informational purposes only, does not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

You Are Who You Work With: Cookie Consent and Data Privacy

June 11, 2024

Who you work with for consent management and data...

Texas AG Prepares for “Aggressive Enforcement” of Privacy Laws

June 10, 2024

Texas Attorney General announced a data privacy and security...

What are the privacy laws in Canada?

June 6, 2024

Everything you need to know about PIPEDA and Quebec’s...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]