BLOG | CCPA | December 26, 2019

GDPR vs. CCPA: How To Stay Compliant

CCPA and GDPR are both high-profile privacy regulations. Despite their similarities, they bring different compliance challenges. Learn the differences between the two privacy regulations, as well as how businesses can stay compliant.

Post Featured Image

When the bill for the California Consumer Privacy Act (CCPA) was passed in June 2018, it was instantly compared with the EU’s General Data Privacy Regulation (GDPR)

This was for good reason. Both sets of regulations take a hard stance towards businesses that do not adequately protect consumer data. They both give individuals significant rights in regards to how their data is used, and they both leave the potential for large fines to be levied at companies that don’t comply. 

However, the comparisons only stretch so far; there are significant differences between the two regulations. 

For some businesses, specifically, those that only operate in one of the areas affected—either the EU or California—these distinctions may not cause problems. These companies can focus on complying with the regulation that matters to them.

For businesses that operate in both areas, however, complying with two sets of regulations will be a challenge. Especially for small companies that don’t have the budget for expensive legal or compliance departments. 

Failure to adhere to the regulations, however, could be just as costly. Agencies, publishers, and other small and medium-sized businesses that operate in both the EU and California need to ensure they have an in-depth understanding of how to adhere to both sets of rules. 

Let’s explore the differences between CCPA and GDPR, as well as look at how businesses can stay compliant.

GDPR vs CCPA in Numbers

£183.39 million: The largest fine so far handed out under GDPR. Given to British Airways by the ICO for the airline’s failure to protect customer data.

$7,500: The maximum penalty per intentional violation under CCPA. Non-intentional violations are capped at $2,500.

513.5 million: Number of people residing in the EU at the start of 2019, according to Eurostat.

37 million: Number of people living in California according to the 2010 census, which is around 12% of the population of the U.S.

33,089: Number of GDPR complaints submitted to the UK DPA by March 1, 2019. More than any other EU country but fewer complaints per 100,000 of the population than Ireland.

137: The number of people businesses need to collect data on per day to be subject to CCPA. This could come from the IP address of website visitors.

January 1, 2020: The day CCPA will go into effect. Businesses operating in California will need to ensure they are compliant by this date.

8%: The percentage of U.S. businesses that said they are ready for CCPA as of July 2019, according to PossibleNow.

Part One: GDPR vs CCPA: An Overview

Both GDPR and CCPA affect a wide range of businesses operating in the areas of enforcement. Although, GDPR takes a more all-encompassing stance. Here is a look at exactly which businesses the regulations affect, as well as what counts as data.

Overview of GDPR

Who Does GDPR Affect?

GDPR covers any organization that it defines as a “data controller” and that operates in the EU, whether or not it is based there. A data controller is defined as an organization that determines the purposes and means of processing data. 

Unlike in CCPA, there are no limits regarding size, whether the organization is for profit or not, or the amount of data it collects. All that matters is whether the organization is classed as a data controller.

There are also some regulations put on “data processors,” which are organizations that process data on the instruction of the data controller. 

GDPR protects “data subjects,” the individuals whose data is being collected. Interpretations of the wording suggest anyone based in the EU, EU residents or citizens based abroad, as well as anyone whose personal data is located in the EU, is protected7.

What is Data Under GDPR?

Under GDPR “Personal Data” is data that relates to an identified or identifiable individual. 

This includes both data that can directly identify an individual, and data that could do so when processed with other information. It also includes both personal data that has had identifiers removed, and inaccurate data that seems to relate to an individual. 

Examples of personal data include names and surnames, addresses, email addresses, location data, IP addresses, cookie IDs, and phone identifiers.

Overview of CCPA

Who Does CCPA Affect? 

Two parties will be affected by CCPA; anyone who is a legal resident of California and companies that have a business in California and meet certain criteria.

Businesses that will be affected by CCPA are those that:

  • Do business in California;
  • Collect information from consumers; and
  • determines the purposes and means of the processing of consumers’ personal information

As well as satisfying the three criteria above, a business must also meet one of the following three criteria to be affected;

  • Have annual gross revenue over $25 million;
  • Process the data of 50,000 or more consumers, households, or devices on an annual basis; or
  • Derive 50% of its revenue from selling data. 

What is Data Under CCPA?

CCPA defines personal information as that which identifies, indirectly or directly, a particular consumer or household. This includes names, addresses, and passport numbers, as well as online identifiers and IP addresses.

Part Two: GDPR vs CCPA: Data Subject & Consumer Rights

Both CCPA and GDPR give consumers specific rights they can enforce against companies that collect or process their data. 

These are called Data Subject Rights. They require businesses to put in place processes that allow consumers to exercise these rights. 

Data Subject Rights Under GDPR

Under GDPR, consumers have eight distinct rights that businesses have to be able to comply with. Businesses have one month to respond to requests, although this can be extended with a data subject notice. 

  • Right to be Informed: Businesses must inform data subjects about the collection and use of their data at the time of collection. They must do so in a way that is clear to read and easily accessible.  
  • Right to Access: Under GDPR data subjects have the right to request access to the data a business holds about them. When they receive a request, businesses must provide the data subject with information about why they process data, the categories of personal data they have collected, and the recipients of the personal data. Data subjects can also request a copy of the personal data that has been processed. 
  • Right to Rectification: Individuals have the right to request that businesses rectify inaccurate or incomplete personal data. 
  • Right to Erasure: Individuals have the right to have personal data erased and businesses must put in place procedures that allow them to comply with these requests.    
  • Right to Restriction of Processing: Individuals have the right to request the restriction or suppression of their data. If consumers exercise this right, businesses can store the data but must not use it.
  • Right to Data Portability: This gives individuals the right to obtain and reuse their data; for example, to move their data to another service. Businesses that collect data must have a process that allows for this.
  • Right to Object: Data subjects have the right to object to the collection of their data for use in some circumstances. Businesses must tell individuals about their rights and make it easy for them to object. They must also allow individuals to withdraw consent after it has been given.   

Consumer Rights Under CCPA

The CCPA has five main rights compared to the eight in the GDPR. However, there is an overlap between rights. For example, section 1798.100 of CCPA about the Right to Request Information covers the GDPR’s Right to Access and Right to Portability.

  • Right to Request Information: When CCPA comes into force, individuals will have the right to request information about the categories and specific pieces of personal data a business has collected. When businesses receive a request they must disclose the information electronically or by mail. Where possible, businesses must provide the information in a format that allows the subject to transfer the information to another entity.
  • Right to Disclosure: Businesses that collect personal data must disclose to consumers information about the data it collects including the category of the data and the purpose for the collection. 
  • Right to Deletion: Consumers will be able to request a business deletes personal information it has collected. Businesses must have a way to comply with this request. There are some exceptions such as when the data is needed to comply with a legal obligation or when the data is required by the business to complete the transaction required by the consumer.
  • Right to Opt-Out of the Sale of Personal Information: Consumers have the right to opt-out of the sale of personal data to third parties. The word “sale” covers a wide range of transactions including basically any form of transmitting data for a benefit. 
  • Right to Not be Discriminated Against: Consumers have the right to not be discriminated against for exercising their rights. This means businesses must continue to provide a service to all customers.  

What SMEs Need to do to Stay Compliant

SMEs must put in place processes and mechanisms that allow them to respond to data subject rights requests within the time limit set by the specific regulation. 

This means they need a way of knowing what data they collect and store about specific users, as well as what they do with this data. SMEs must also ensure they can process requests. 

Finally, SMEs must have a way to confirm that the person making the request is who they say they are. 

Part Three: GDPR vs CCPA: Cookie Compliance

For SMEs with a sizable web presence, the above Data Subject Rights will have a large effect on how their website uses cookies and other online trackers to collect and store personal data. 

Once again, there are similarities and differences in the way businesses must comply with the two regulations.

Cookie Compliance Under GDPR

Under GDPR, websites need to collect consent to drop all cookies other than those strictly necessary to the running of the site. 

GDPR has strict requirements for what counts as consent. The regulation says:

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.”

The requirement of a “clear affirmative act” means users must opt-in to having their data collected. It’s not enough to use a pre-checked box or a banner that tells the user that by continuing to use the website they agree to cookies.

Additionally, when companies request consent, they must do so in a way that is “clear, concise, and not unnecessarily disruptive.” 

Finally, websites must provide a way for users to withdraw their decision to grant data collection consent.

Cookie Compliance Under CCPA

Data collected by cookies can count as personal information under CCPA. While CCPA doesn’t require businesses to gain opt-in consent for cookies, it does require them to disclose what data is being collected by cookies and what is done with the data.  

Additionally, businesses need to take steps to comply with the right to opt-out of the sale of personal information collected by cookies. 

What SMEs Need to do to Stay Compliant

To stay compliant with CCPA and GDPR, SMEs need to put in place a process related to how they use cookies to collect personal data specific to each regulation. 

To adhere to GDPR, businesses need a way to collect consent from website visitors before they drop cookies. They’ll also need to implement a method of tracking which users have given consent and which have not. As well as providing users with a way of withdrawing consent even if they originally gave it.

Both GDPR and CCPA require businesses to clearly provide information about the data the cookies they use to collect and how it is processed. 

In order to do this, businesses will first need to discover which cookies are in use on their website, as well as what each of these cookies does. 

Websites must have a way to access and delete all the data about a specific user it has collected to comply with deletion requests.

To comply with CCPA, businesses will need to provide users with a way of opting out of the sale of personal data collected by cookies, as well as a way of ensuring these requests are granted. 

CCPA gives specific guidelines about this, stating that businesses must provide a “clear and conspicuous” link to the do not sell page on the site’s homepage.

Part Four: CCPA vs GDPR: Mobile App Compliance

Mobile apps can be a significant source of data collection for businesses. SDKs used by apps to collect information can gain access to significantly more information than your average cookie. 

Often these tracking technologies come from third-parties and are used to, for example, serve targeted ads. Because of this, companies that publish mobile apps should be sure they know what data the app is collecting, by whom, and why.

Here is a look at some of the mobile app-specific requirements of both GDPR and CCPA.

Mobile App Compliance Under GDPR

Much like when gaining consent for cookies, businesses subject to GDPR must gain opt-in consent from users for data collected by an app. This means providing users with access to a privacy policy that details what information is collected, why it is collected, and who it is shared with. It also means that users have to take a step to agree with the policy, for example checking an unticked checkbox. 

Mobile App Compliance Under CCPA

As well as taking steps to ensure all data the app collects is done so in a way that is compliant with CCPA, businesses will have to take several app-specific steps.

The guidelines state that in the case of online services like mobile apps, apps will have to provide a link to the “do not sell my personal information” page on the application’s platform page or download page before they download the application. 

What SMEs Need to do to Stay Compliant

Businesses first need a clear idea of the data their app is collecting. While some of this may be obvious—such as contact details sent via a form—other types of third-party data collection may be harder to spot. 

Once a business knows what data its app collects, it needs to gain permission from users to do so. This means opt-in permission in order to stay GDPR compliant, or informing the user about data collection and giving them the option to opt-out of the sale of data to stay CCPA compliant. 

Businesses then need to have a way to record these permissions as well as maintain records of data collection so they can adhere to data subject requests should they receive one. 

Part Five: About CookiePro

CookiePro is a consent tool that provides solutions to helps companies of all sizes comply with the numerous privacy regulations coming into effect around the world.

CookiePro helps companies manage cookie consent and mobile app compliance, as well as provides tools that simplify how companies deal with data subject and consumer requests. What’s more, the tools can be personalized using geolocation technology to ensure that your business stays compliant, no matter where in the world the user is visiting your site from. 

To learn more about CookiePro and how it helps you stay compliant, consider looking at the following resources:

GDPR and Cookies: Defining Cookie Consent Under the GDPR

CCPA and Cookies: Defining Cookie Consent Under the CCPA

Check if Your Site is EU Cookie Law Compliant with this Free Scan

You Might Also Like


Cookie Banner Tool

View Resource

Cookie Consent Manager

View Resource

Template Targeting

View Resource

CNIL Cookie Compliance Guide

View Resource
Onetrust All Rights Reserved