What’s the difference between the CCPA and GDPR laws? [infographic]

What’s the difference between the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) laws? Let’s dive in to find out.

In 2018, the digital world changed with the institution of the GDPR. Although the law is based in the European Economic Area (EEA), businesses around the world that target European consumers are subject to comply with this comprehensive data privacy law. Shortly after the GDPR’s release, another law entered the public eye: the CCPA.

In effect as of January 1, 2020, this California law is conceived as a replica of the GDPR, meant to bring European privacy standards to the United States.

However, the CCPA failed in replicating the GDPR. Instead, it passed as a light version of the EEA’s landmark data law. How did the CCPA succeed in mimicking the guidelines of the GDPR? Where did it fail?

CCPA vs. GDPR: what’s the difference?

Let’s take a look at the basics of the CCPA vs. GDPR laws and what makes them different.

1. Defining who needs to comply

No doubt, the GDPR leaves plenty of room for interpretation regarding who is and is not subject to comply with the law.

However, it’s the common interpretation of the legislation that any business or digital operation that targets EEA (and Switzerland) citizens needs to meet the standards outlined in the law — or suffer the consequences.

The CCPA, on the other hand, gives a much narrower definition of who falls under the purview of the legislation. The legal text explicitly applies to “businesses” — as defined by the CCPA.

Under the CCPA, a business is defined as a for-profit entity that meets one or more of the following thresholds:

“(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as
adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’s commercial
purposes, sells, or shares for commercial purposes, alone or in combination, the personal
information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal
information.”

Compared to the GDPR, these thresholds are relatively high, and leave a lot of companies questioning whether they are or are not subject to comply with the CCPA.

2. Raising transparency standards

One of the most notable parallels between the two laws: the new standards they set for transparency. To meet the requirements of both the GDPR and the CCPA, businesses are modifying their privacy policies to be more thorough, detailing every aspect of their data collection, storage, sharing, and use.

These new standards raise the bar for what information users have the right to access regarding the collection of their personal data. Furthermore, both the GDPR and the CCPA require businesses to specify within their privacy policies what rights European and Californian consumers have under these laws.

In addition to explanations of their rights, users can follow instructions of how they can act upon them. For example, Californian consumers should be provided with a “Do Not Sell My Personal Information” link and instructions for opting out of the sale of their data.

3. Establishing consequences for noncompliance

Like with any law, both the GDPR and the CCPA establish penalties for those who fail to comply. The GDPR threatens fines up to 20 million euros, or 4% of a company’s annual revenue — whichever is higher. Fines are dished out by country-specific GDPR enforcers. Already, technology giants have been penalized for noncompliance, including a Google GDPR fine of 50 million euros.

Alternately, CCPA noncompliance can cost companies $750 per violation in a lawsuit brought by the California Attorney General’s office. Each person whose data is violated by a CCPA noncompliance claim counts as a violation. This means large companies may be looking at millions of dollars in class-action payouts. CCPA enforcement officially begins July 1, 2020.

4. Comparing the basics of the GDPR & CCPA

In addition to the similarities and differences mentioned above, these two landmark privacy laws share even more key features, and offer their own unique requirements.