CCPA vs. GDPR Compliance

Published March 7, 2019 by 4 min read

Heralded as the US version of the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) has many American companies adopting a new approach to privacy protection.

Assuming that the CCPA is, as it’s often called, “GDPR Lite,” however, may result in your non-compliance with the California law. The two laws have many differences. Being compliant with the GDPR will not necessarily ensure your CCPA compliance. To meet the standards required by both regulations, you need to understand the differences between the two.

To help, we offer here a detailed CCPA vs GDPR comparison.

Who Is Regulated?

The GDPR creates a broad privacy law governing all data controllers and data processors established in EU member states and outside the EU who have contact with EU citizen personal data. It provides many new consumer rights.

The CCPA applies only to for-profit entities doing business in California or with Californians — not to nonprofits–that meet one of the following requirements:

  • Earns gross revenue greater than $25 million
  • Annually buys, receives, sells, or shares personal information of more than 50,000 Californians, households, or devices for commercial purposes
  • Earns 50% or more of annual revenue from selling personal information

CCPA also applies to entities controlled by or sharing a brand with, businesses that meet these requirements.

Who Is Protected?

Although both laws focus on the data privacy of a natural person’s information, they differ in their approach and definitions.

The GDPR concerns “data subjects,” which it defines as identified or identifiable natural persons to whom personal data can be connected.

The CCPA applies to “consumers,” which it defines as people living in California for more than a temporary period or California residents whose primary residence is in the state but who reside outside the state for a temporary period. “Consumers” also comprises customers of household goods and services, employees, or business-to-business transactions.

Businesses outside the EU or California should review these laws’ effects on them, and determined whether they need to comply.

What Is Protected?

The types of information protected are similar. But the CCPA, unlike the GDPR, protects the data of entire households and that contained on computing devices, including their applications.  

The CCPA defines “consumer data” as personal information that identifies, relates to, describes, can be associated with, or maybe directly or indirectly linked to a specific person, household, or device. The CCPA lists specific categories of personal information.

The GDPR protects “personal data” of any identified or identifiable natural person, and prohibits processing that information if it fits any of the GDPR‘s categories.

What Are the Opt-Out Rights?

The GDPR does not provide EU residents the right to opt-out of the sale of their personal information

The GDPR does allow data subjects to opt-out of data collection or processing for marketing purposes, and to withdraw consent for certain processing activities. So data subjects may decline to have their information shared–but this ability is not the GDPR‘s focus. 

The CCPA devotes an entire section to create this right. It also requires regulated entities to inform consumers that they have the right. To comply with the CCPA, businesses must create a “Do Not Sell My Personal Information” link on their homepage. They cannot ask a consumer to opt-in until 12 months after they have opted out.

What Are Data Portability Rights?

Both privacy laws focus on similar data portability rights.

The GDPR created a new right for data subjects to receive copies of their personal data from the entity storing it in a structured, commonly used, machine-readable format. It also allows them to request the transmission of their personal data to other data controllers.

Under the CCPA, when consumer requests disclosure of the data a business has collected, the business must provide it within 45 days, in a readily useable format that allows the consumer to transmit their data easily from one entity to another.

Although the regulations use different languages, both focus on providing users easy-to-read copies of their collected data and enabling the protected parties to share that information easily.

What Do the Regulations Say about Security?

As privacy laws, the GDPR and CCPA focus on giving people control over data collection and use. Both regulations arose from concerns over data security

Although both data privacy laws require appropriate security controls and allow private lawsuits in the event of breaches, they differ significantly in the remedies they allow.

The GDPR requires companies to take organizational and technical measures to mitigate risk. People can sue companies for material and non-material damages caused by a data breach

The CCPA does not impose data security requirements, but it does establish private rights of action in the event of a data breach. As part of the California Civil Code, the CCPA allows residents to sue companies whose lack of security controls lead to a breach of their information. Courts can impose additional penalties, as well.

What Are Other Major Differences? 

The CCPA requires parental consent only for sales of personal data belonging to minor children.

The GDPR requires this consent for data processing of minors’ information.

The GDPR provides rights to object, restrict processing (other than opt-out), object to automated decision making, and rectification

The CCPA provides none of these rights except to opt-out from processing.

ZenGRC and GDPR/CCPA Compliance

GDPR and CCPA compliance require documentation collection, storage, and retrieval. 

And as more people interact with vendors who interact with consumer data and employees monitoring consumer requests, compliance with both regulations will require more communication between people within the organization and without.

ZenGRC monitors and streamlines workflows to ensure requests are followed through to completion–critical for meeting CCPA’s 45-day timeline. 

Zen also simplifies the task of reviewing controls necessary for maintaining opt-out and opt-in information.

Finally, ZenGRC acts as a single source of information so that all employees involved in GDPR and CCPA compliance can access the same information and documentation to support audits.

Why try to comply with these complex regulations on your own? ZenGRC helps take the “risk” out of risk management and compliance. Contact us for your free demonstration, and start down the worry-free path to GDPR and CCPA compliance.

Learn how we can fit into your business.

Schedule a demo to learn how we can help guide your organization to confidence in infosec risk and compliance.

Help us get to know you.

Get a demo