This article covers the similarities and differences between GDPR and CCPA.
- Who is protected?
- What data is protected?
- What rights do individuals have?
- Who is impacted?
- What about data sharing?
Who is protected?
CCPA covers California consumers, which the regulation defines as any resident of California. As of now, the regulation also protects residents while they are physically outside of California.
GDPR protects data subjects, which the regulation defines as individuals inside a GDPR member state. A citizen of a GDPR member state is not covered by GDPR when they use services inside a non-member state.
Both regulations cover minors but afford them different rights. Under CCPA, entities require consent to sell minors' data. GDPR prohibits the processing of any minor's data without consent.
What data is protected?
CCPA takes a more expansive interpretation of personal data. In addition to data that can describe or identify a person, CCPA covers any data capable of being associated with a household or a device.
GDPR places specific restrictions on processing certain types of data, including the GDPR special categories of data and data related to criminal convictions.
What rights do individuals have?
| Right | CCPA | GDPR | Differences |
|---|---|---|---|
| Know | ✓ | ✓ | For data shared, CCPA only requires entities to disclose data shared in the past 12 months. |
| Access | ✓ | ✓ | |
| Delete / Forget | ✓ | ✓ | CCPA allows more exemptions. |
| Object | ✓* | ✓ | CCPA only allows users to object to the sale of information. |
| Rectify | | ✓ | |
| Data Transfer | | ✓ | Under GDPR a subject can request that their data be sent to another controller. |
| Automated Decisions | | ✓ | CCPA does not mention automated processes. |
Who is impacted?
CCPA regulates for-profit entities doing business in California meeting one of the following criteria:
- Has a gross revenue greater than $25 million.
- Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
If an entity falls under CCPA so does any parent company or company sharing its branding.
GDPR regulates data controllers or processors based in the European Union that process personal data, as well as any company based outside of the European Union that processes the data of GDPR data subjects.
What about data sharing?
CCPA divides data recipients into service providers and third parties and requires an entity to disclose how and why it shares information with each. A CCPA service provider corresponds to a GDPR processor in that it processes data under the direction of the CCPA-regulated entity for a specific business need. Under CCPA, any organization that receives personal data and does not act as a service provider is a third party; take for example a business partner that receives customer data as part of a joint marketing effort.
GDPR uses the terms recipients and third parties interchangeably when discussing the sharing of personal data. Unlike CCPA, GDPR requires controllers to document proper safeguards when transferring data to an organization outside of the regulatory zone.