CCPA and GDPR: Similarities and Differences for US Businesses

What are the similarities between the CCPA and GDPR? What are the differences? And how can you be sure your organisation is compliant with both?

2023 was the year the US got serious about data privacy. Inspired by Europe’s General Data Protection Regulation (GDPR), 2023 saw new comprehensive privacy laws take effect in Colorado, Connecticut, Utah and Virginia, giving consumers more control over their personal information, and more states are set to follow.

Data protection, of course, is already part of everyday life in the US. It’s the entire point of HIPAA, the Health Insurance Portability and Accountability Act, although it only covers health information held by healthcare providers, insurers and their business associates. And privacy is one of the five Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy) that underpin SOC 2, the AICPA’s audit framework for service organisations – although a SOC 2 audit is voluntary rather than required by law.

But 2023 was the year the dial shifted, thanks in large part to California, the first US state to enact comprehensive data protection legislation that focused on the rights of individuals rather than simply on preventing harm. The California Consumer Privacy Act (CCPA) was passed in 2018 and took effect in 2020; it was then amended and extended by the California Privacy Rights Act (CPRA), which took effect in 2023 and in some respects goes further than the GDPR.

Both CCPA and GDPR grant individuals significant rights over their personal data. These include the right to access, rectify, and delete their information, as well as the right to know how it is being used.

Transparency and Accountability

Both regulations emphasize transparency in data processing activities. They require organizations to inform individuals about how their data is collected, used, and shared. Accountability measures are also integral to both frameworks: the GDPR requires records of processing activities and data protection impact assessments for high-risk processing, and the CPRA introduced comparable risk-assessment and record-keeping obligations.

Stringent Enforcement and Penalties

CCPA and GDPR both have robust enforcement mechanisms in place. Non-compliance with either regulation can result in substantial fines and penalties (see below). This ensures organizations have a strong incentive to comply with the regulations and protect individuals’ privacy.

Scope and Applicability

CCPA applies to for-profit businesses that do business in California, collect the personal information of California residents and meet at least one of its size thresholds (annual gross revenue above $25 million; buying, selling or sharing the personal information of 100,000 or more consumers or households; or deriving at least half of annual revenue from selling or sharing personal information), regardless of where the business is located. GDPR applies to any organization established in the EU, and to any organization outside the EU that offers goods or services to, or monitors the behaviour of, people in the EU, irrespective of where the processing takes place.

Definition of Personal Information

While both regulations define personal information broadly, CCPA explicitly includes additional categories such as household information and internet or other electronic network activity. GDPR singles out “special categories” of data, such as racial or ethnic origin, political opinions, religious beliefs, health data and biometric data, which may only be processed under narrow conditions. The CPRA has since added its own “sensitive personal information” category to the CCPA, so the gap here is narrower than it once was.

Penalties

The approach to penalties differs between GDPR and CCPA. For the most serious infringements, the GDPR’s maximum fine of €20 million or 4% of annual worldwide turnover (whichever is higher) seems a world away from the CCPA’s administrative fines of $2,500 per violation and $7,500 per intentional violation (or violation involving a minor). That is, until you realise that CCPA penalties are assessed per violation, and each affected consumer can count as a separate violation, so the total scales with the number of people affected.

The scale of that exposure is illustrated by Zoom’s $85 million settlement in 2021 of a US class action over so-called ‘Zoombombing’ (uninvited users hijacking calls) and the sharing of user data with third parties – although that was a private lawsuit that included CCPA claims, not a penalty imposed by a regulator. It can’t quite compare with Meta’s €1.2 billion GDPR fine in 2023, but it’s clear that both regimes have teeth.

Empowering Individuals

Both regulations empower individuals by providing them with greater control over their personal data. They ensure that individuals have the right to know what data is being collected about them, who it is shared with, and the ability to request its deletion.

Fostering Transparency and Trust

CCPA and GDPR promote transparency and trust between individuals and organizations. By requiring clear and concise privacy notices and consent mechanisms, individuals can make informed decisions about their data.

Driving Organizational Accountability

Both regulations hold organizations accountable for their data processing activities. This encourages businesses to implement robust data protection measures, conduct privacy assessments, and maintain records of their processing activities.

The two laws do not protect the same people by design. GDPR protects people who are in the EU (as well as anyone whose data is processed by an organisation established in the EU); the CCPA protects California residents as defined in California law. In practice the two can overlap: a Californian travelling in the EU is covered by the GDPR while there and remains a California resident under the CCPA, and a California resident whose data is handled by an EU-based company may be covered by both at once. Whether you fall under one, the other or both depends on where the individual is, where they are resident, and where the organisation processing the data is established.

But there is a very clear overlap in terms of intent. The US approach to data protection has historically been very different from that of the EU. The CCPA was the first sign that the two approaches are converging. The fact that the GDPR and CCPA appear to have been so influential on other US states is further evidence that the rights-based approach is becoming the ‘gold standard’ for data protection globally.

CCPA and GDPR are groundbreaking regulations that prioritize the protection of individuals’ privacy rights. While they have distinct scopes and applications, their shared commitment to empowering individuals and holding organizations accountable is evident.

Yet complying with them can be complex, and despite the fact that they share similar DNA, complying with one is no guarantee that you automatically comply with the other.

GDPRLocal can help ensure you comply with the data protection legislation of all the territories in which you trade. Find expert help in managing your data protection here, or by calling + 1 303 317 5998.

You’ll find more about the specific standards here:

Guide to the General Data Protection Regulation (EU version)

The CCPA