What’s the difference between the CCPA & GDPR?

Posted: Nov 2019

The European Union’s (EU) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have many similarities. For starters, they both outline and enforce new regulations regarding the personal data of individual consumers. Both require organizations to provide individuals access to their own personal data, as well as the right to have it deleted. And both are regional laws with global implications.

The GDPR and CCPA also have several key differences. With the CCPA going into effect January 2020, it’s wise to study up on the parameters of the CCPA to ensure you don’t face fines in the future, even if you think your business may not be affected.

Read on for more information on the CCPA and how it’s different from GDPR.

Legal Disclaimer: We applied our best understanding of the California Consumer Privacy Act when building this article. However, we are not legal professionals. To minimize risks, we urge you to read the actual text of the CCPA and seek the advice of your corporate lawyer.

The CCPA vs. The GDPR

The most notable difference between the CCPA and GDPR is that the CCPA concern consumers in the state of California, while the GDPR concerns those in the EU.

Here are 9 more key differences between the GDPR and CCPA (via SalesHacker.com):

GDPR

• Covers any entity that processes the personal data of protected consumers/residents
• Allows covered entities to establish equivalent mechanisms
• More narrow definition of personal information
• Outlines conditions for access and deletion requests
• Looser restrictions for commercial sharing of personal data
• Includes the right to correct errors in processed personal data
• Include the right to stop automated decision making (i.e., the right to require a human to make decisions that have legal implications/effect)
• Penalty limit set at 4% of global annual revenues
• No minimum or maximum for damages

CCPA

• Applies only to businesses
• Prescribes disclosures, communication channels, and other measures
• Broader definition of personal information
• Different conditions for access and deletion requests
• More rigid restrictions for commercial sharing of personal data
• Does not expressly include the right to correct errors in processed personal data
• Does not expressly include the right to stop automated decision making
• No limit on regulator penalties
• Sets minimum and maximum damage amounts ($100 to $750 per consumer per incident) for private actions against violators

If you’re worried about preparing for the CCPA, Sales Hacker has you covered with a detailed webinar on five straight-forward steps to prepare your organization for the CCPA, featuring security experts from DataGrail and Outreach.