General Data Protection Regulation (GDPR) vs California Consumer Privacy Act (CCPA)
In a recent blog post we explained how the California Consumer Privacy Act (CCPA) went into effect on the 1st of January, 2020, after being signed into law in 2018. This consumer protection legislation, the most robust yet in the United States, was essentially modelled after the General Data Protection Regulation (GDPR) in the European Union, which went into effect in May 2018 and is generally regarded as the most comprehensive data protection regulation enacted worldwide. The U.K. is maintaining the existing GDPR framework for a transitional period until at least the end of 2020, so the same rules and regulations continue to apply for now. In this blog post we'll explore how the GDPR and CCPA compare.

Legislation designed to protect people

At their core, both the GDPR and the CCPA were designed to provide residents with enhanced protection and rights pertaining to how their consumer data is used. The GDPR is the broader legislation and encompasses all forms of data processing, unlike the CCPA, which focuses chiefly on restricting the sale of consumer data. It is worth noting, however, that the fines and penalties for CCPA violations can exceed those set forth by the GDPR, which are already high (GDPR fines can amount to 4% of the company’s annual global turnover or €20 million, whichever amount is higher).

California is the first state to introduce new legislation, but not the last

While California was the first US state to enact stringent privacy regulations, many other states are expected to follow suit in 2020 and beyond as the focus on data protection and general privacy rights increases. Just as with the GDPR, companies don't need to be physically located in the territory in which the regulations apply (extraterritorial jurisdiction applies to both the GDPR and the CCPA). It's good to familiarize yourself with the legislation to understand how it could impact your business operations and how consumer data is managed.

The infographic below outlines the ways in which the two pieces of legislation are similar, as well as some circumstances in which they differ.

GDPR & CCPA violations can be costly in more ways than one

The consequences of an accidental data breach can extend far beyond a month, and can even last for years. There is not only a serious risk of long-term reputational damage and general loss of trust, but also steep fines. Many businesses simply cannot recover from such an incident after it occurs, even if the breach was unintentional. You can read about some GDPR violations and the corresponding financial penalties here.

Still struggling with GDPR compliance? We’re here to help.

It’s hard to think about potential future requirements that may impact your business if you’re still struggling to comply with current legislation, such as the GDPR.

If that sounds like you, don’t worry -- you’re not alone! Some studies have shown nearly half of organizations in markets like the UK are not yet fully GDPR/DPA compliant, but the time to remedy that is now.

Download the free, easy-to-follow Data Protection Compliance checklist using the link below, and you can be on your way to properly securing your communications in just a few clicks.

Download our GDPR checklist

Written by

Kate O'Neill

Originally published on August 5, 2020

Last update on August 5, 2020