What is the General Data Protection Regulation (GDPR)?
GDPR is a regulatory law created and enforced for the purpose of protecting the personal data of citizens across the European Union.
Any company, whether based in the EU or not, must achieve GDPR compliance when handling (even in passing) the data of EU citizens and organizations.
Non-compliance with the GDPR may result in fines. The highest fine can reach €20 million or 4% of the company's annual revenue, whichever of the two is higher.
What is the California Consumer Privacy Act (CCPA)?
CCPA is a regulatory law created and enforced for the purpose of protecting the data of California citizens.
CCPA regulations require that organizations inform consumers about how they use the consumers' data. Organizations are also required to provide consumers with controls over the usage of their data.
The purpose of the CCPA is to inform consumers when and if their private information is being sold to third parties, and to provide consumers with a way to opt out.
CCPA is usually compared to GDPR because both laws share common agendas. CCPA and GDPR aim to give individuals rights that enable them to control how their private information is used.
Both laws enable citizens to access and delete their personal information and to learn how their data is used. Another common provision is the requirement for contracts between service providers and the organizations that engage them.
However, while the CCPA may seem similar to the GDPR, there are four critical differences between the two acts.
GDPR regulations apply to all companies processing the data of EU citizens. The location or size of the company does not matter.
CCPA regulations only apply to California-based companies generating a revenue of $25 million or more, or companies selling personal information. The latter criterion was created in response to the Facebook-Cambridge Analytica scandal.
The GDPR enforces fines for data breaches as well as for non-compliance. Fines can reach 4% of the company's annual global turnover, or €20 million (whichever is higher). In addition to fines, there are administrative levies.
The CCPA imposes fines for each violation. There doesn't seem to be any sanction for non-compliance as such. Fines cannot exceed $7500 per violation, but there is no cap on the total.
The CCPA determines violations only when a breach occurs, whereas the GDPR enforces sanctions when a company is at risk of being breached or conducts itself irresponsibly.
According to the GDPR, there are six lawful bases for processing the personal data of EU citizens and residents, but the CCPA does not acknowledge any lawful bases for processing data.
GDPR compliance requires companies to account for lawful bases when processing the data of EU citizens, while CCPA compliance lets companies process data unless individuals exercise their right to opt-out.
CCPA opt-out rights are not applicable to any and all data processing. Rather, CCPA opt-out applies only to the selling of personal data of California consumers.
CCPA uses the term “selling” for any transfer of personal data to third parties in exchange for monetary value, including giving access to the data, sending the data, releasing the data, communicating the data, and more.
On the other hand, GDPR requires that consumers opt-in for any type of data processing, especially when pre-defined lawful bases are not applicable. This gives people more control over the processing of their data.
When comparing CCPA and GDPR, it is important to note that while GDPR is applied to all data of EU citizens, the CCPA is applicable only to specific data types.
Here are data types excluded from the CCPA:
Both regulations endow the consumer with specific rights, but there are marked differences that should be noted by any company handling private data. Key aspects are summarized in the table below.
CCPA
● The right to opt out: According to the CCPA, consumers can refuse the disclosure of their private information to third-party entities. The right to opt out applies to any data transaction that benefits the company, whether it is of monetary value or otherwise.
● The right to non-discrimination: The CCPA prevents companies from discriminating against consumers if and when consumers exercise their privacy rights. According to the CCPA, companies are not allowed to deny goods and services, charge different rates, or provide lower quality services to consumers who opted out or asked to delete their personal information.
● Authorized agents: The CCPA enables consumers to ask authorized agents to interact with companies on behalf of the consumer, for the purpose of making CCPA-related requests.
● Financial incentives: The CCPA mandates that organizations must inform customers if and when the organization provides financial incentives derived from the usage (including collection, sale, and deletion) of private information.

GDPR
● The right to rectification: The GDPR grants individuals the right to tell organizations to rectify inaccurate and incomplete records of personal information.
● The right to restrict processing: According to the GDPR, individuals can restrict how their personal data is processed. This right is applicable in cases when:
  ● The data is inaccurate.
  ● Private data was processed unlawfully.
  ● The organization doesn't need the data anymore.
  However, restricting data processing does not restrict archiving personal data.
● The right to object: The GDPR grants individuals the right to demand that organizations stop using their data for direct marketing. Organizations cannot continue processing this data unless they have a valid reason to do so.
● Automated decision-making and profiling: The GDPR restricts the use of automated decision-making generated and applied by algorithms and software. This applies to a wide range of actions, including the processing of data for profiling individuals.
While there are certain differences, the two regulatory acts also overlap in certain areas. This means if you already comply with GDPR requirements, you might also be able to comply with the CCPA. Once you understand the areas of overlap, you can create a strategy that applies across areas and can help you dynamically make future changes when needed.
Here are the common aspects shared by the CCPA and GDPR:
NetApp Cloud Compliance leverages cognitive technology to discover, identify and map personal and sensitive data. Use Cloud Compliance to maintain visibility into the privacy posture of your cloud data, generate crucial data privacy reports, and easily demonstrate compliance with regulations such as the CCPA and GDPR.