Mar 6th 2020


Are the Requirements the Same?

Being compliant with GDPR doesn’t mean you are compliant with CCPA. There are some differences between these two data laws, and many companies with GDPR compliance think they are automatically CCPA compliant.

This isn’t the case.


GDPR stands for General Data Protection Regulation. It’s an EU law that went into effect in May 2018. It controls how all websites, companies and organizations are allowed to handle personal data. This can be anything from names and postal addresses to email addresses, browser history and location data. 

If your website has visitors from the European Union, and you process any of their personal data, the law says you must first obtain prior consent from the user. This consent must clearly outline information about the purpose, extent and duration of your data handling practices. 

Unlike the CCPA, the GDPR is focused on creating a legal framework based on ‘privacy by default.’ The CCPA is about creating transparency and control for California consumers regarding the data that businesses maintain on them.

It’s basically prior consent (GDPR) vs opt out (CCPA). 

GDPR: A Step Above the CCPA

The GDPR is more aggressive when it comes to privacy protection. Where the GDPR requires websites, companies and businesses to have a legal basis for processing personal data, the CCPA doesn’t. 

The CCPA doesn’t need prior consent from a user before processing their data, nor does a website need prior consent from a user to sell their data to a third party.

An EU user can shut the door on data processing prior to the handling or selling of their information, while the CCPA gives California consumers the ability to open the door in order to find out how their data is being used. 

Similar Rights

The rights under both privacy laws basically include: 

1. The right to be informed 

2. The right to access 


3. The right to gain portable data access

They also include the right to delete (CCPA) and the right to erase (GDPR). The major difference is the fundamental right of prior consent (GDPR), which doesn’t apply to the CCPA.

Personal Information vs Personal Data

Personal information, as defined by the CCPA, is: “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Personal data, as defined by the GDPR, is: “any information relating to an identified or identifiable natural person (data subject), directly or indirectly, in particular by reference to an identifier.”

The main difference here is the CCPA’s definition goes beyond just the individual. It includes data that is categorized as household data, where the GDPR remains exclusive to the individual person. 

DO NOT SELL MY PERSONAL INFORMATION vs. Legal Ground for Data Processing

There are six legal grounds under the EU for processing personal data, whereas the CCPA has none for processing personal information in California. 

Businesses can process the personal data of California residents as they please, unless the consumer opts out from having their data sold. 

This is why there’s a requirement within the CCPA that businesses must provide a link or a button on the bottom of their website that says: “DO NOT SELL MY PERSONAL INFORMATION.” This allows customers to opt out of third-party data sales.

If your business is required to comply with the CCPA, you must meet this requirement.

Who do the Laws Protect?

The GDPR protects ‘data subjects’ while the CCPA gives rights to consumers. 

Data subjects under the GDPR are defined as: “an identified or identifiable natural person,” while the CCPA gives certain rights to consumers defined as “a natural person who is a California resident.”

A data subject is any person, and not only EU residents or citizens. This is different from a consumer, who is defined under the CCPA as either an individual “who is in the State for other than a temporary or transitory purpose” or an individual “who is domiciled in the State who is outside the State for a temporary or transitory purpose.” 

The GDPR protects data subjects. The CCPA defends citizens or residents.

Example: If an American tourist is traveling somewhere in the EU, and their data is processed during their visit, they will be protected under the GDPR. Companies that process their data, even if based in the United States, will be required to comply. It’s any person who has their data processed in the EU by companies offering products or services there.

The CCPA only protects individuals that fall under its definition of a consumer as being a California resident.

Businesses vs Data Controllers

The CCPA controls the conditions for businesses and their data processing, with a set of classifications. 

The GDPR applies to data controllers, which are defined as any kind of entity with data processing activities.

It sets no restrictions as far as size, for profit or not, public or private, etc. It’s simply an entity that collects and/or processes data in the EU. 

It includes any company, business, or organization and any website, regardless of size and purpose. If you process any type of data in the EU, for any purpose, you are required to comply.

The GDPR is much more specific and protects more people from more data processing practices than the CCPA.

The GDPR is a bigger, broader privacy law and it gives individuals in the EU the power to access and the right to withdraw consent.

The CCPA is a smaller, more specific law that creates rights for California residents to gain decision rights over their personal data.

The two laws are different, so it’s important to ensure compliance for both, if you are required by law.
