GDPR vs. CCPA Comparison for 2020

09 Dec 2020 | Randy Lindberg

The General Data Protection Regulation and the California Consumer Protection Act, GDPR and CCPA respectively, are two landmark judgments passed in 2018, which regulate how companies collect and share data of consumers. GDPR is considered a landmark ruling because it is the most extensive legislation related to consumer data protection for the residents of the European Union (EU). Similarly, CCPA is considered the most important legislation to protect consumer rights, and is anticipated to pave the way for similar legislation nationwide in the United States.


What Is GDPR?

The General Data Protection Regulation, most commonly referred to simply as GDPR, tells organizations how they should manage, share, and protect user data. The regulation was enacted in May 2018 and affects any company that conducts business in the EU jurisdiction and/or collects the personal data of EU residents. Organizations doing business with EU residents must take appropriate measures to protect the data of residents or pay a hefty fine. The General Data Protection law is very detailed, it often gets confusing for small and medium-sized businesses to understand its ramifications. Therefore, here’s a brief overview of what you need to know:



The regulation states that any legal entity is obliged to protect the personal data of EU residents even if the entity is based outside the EU. It means if your company does business with EU residents, online or otherwise, and seeks their details, the rules of GDPR apply to your company.


Personal Data

As defined by GDPR, personal data is data which enables another person to identify the user. This can include the location of the person, date of birth, email, religious beliefs, gender, and political affiliations.



In the event personal data is not protected (i.e. there is a breach in security where data is leaked), a company can be fined up to €20 million or 4% of global revenue, whichever is higher. In addition to the fine, each individual that may have had their data leaked has the right to seek compensation for the data breach.


What Is CCPA?

The California Consumer Privacy Act, signed by Governor Jerry Brown in June 2018, is a similar regulation to GDPR but with some differences. To learn more, check out our blog post


The CCPA like GDPR impacts any for-profit company, online or otherwise, doing business with California residents, even if the company is not based in California. If your company has $25 million or more in annual revenue, derives 50% or more of your annual revenue from the sale of personal data, or annually buys/sells/receives personal data of more than 50,000 consumers/households/devices for commercial reasons you are subject to compliance.


Personal Data

The CCPA does not limit personal data to direct identifiers such as real names, unique personal identifiers, and IP addresses. Personal data can also include things like commercial transactions that can be traced to a specific person, biometric information (i.e. DNA and fingerprints), geolocation data, and professional/employment related information.


Similarities between GDPR and CCPA

The two laws are quite similar in many respects. Perhaps, the most obvious similarity is the need to protect the data of consumers and create a transparent environment where consumers feel safe about their data. Non-compliance with either law will lead to heavy fines for businesses. Furthermore, with both laws, businesses are also held liable for how third party vendors and other business partners manage and protect data.


GDPR vs CCPA: How They Differ?

Here are some of the key differences between GDPR and CCPA:


Opt-In & Opt-Out

GDPR requires all companies doing business with EU residents to gain user consent through opt-in before they can access and share any data. It means that businesses cannot share or store any personal data unless the consumer explicitly allows them to do so by accepting the terms. In contrast, CCPA is more lenient on how businesses get approval. CCPA allows the businesses to give opt-out options on their website and platforms so that anyone may decide not to allow a company to use or share personal data.



On the surface, GDPR is also considered the more stringent of the two when it comes to penalties and fines imposed on the business. According to the Association of Corporate Counsel, fines for violation of CCPA can be “$2,500 for unintentional and $7,500 for intentional violations of the Act,” and “$100-$750 per incident, per consumer- or actual damages, if higher – for damage caused by a data breach.” Though these CCPA fines may seem lower than GDPR, it’s important to note that since these fines are per violation, per consumer they can quickly add up to multiple millions of dollars. Consumers also have the right to bring litigation which can result in even more revenue losses for a company.


Interpretation of Data

GDPR and CCPA differ on the interpretation of personal data. According to GDPR, the data must relate to a specific person. On the other hand, CCPA influence reaches out to individual devices and households.

To learn more about the commonalities and differences of GDPR vs CCPA, check out this comparison chart from Baker Law or get in touch with Rivial Security today.