Similarities and Differences between CCPA and GDPR

Similarities and Differences between CCPA and GDPR

The data breach and unauthorized exploitation of information has been a major area of crisis since the advent of the internet. With the ease of access to information over the network, it is easy to obtain, modify or delete the same for various purposes causing the financial, mental or physical threat to the target bodies.

In the age of magnanimous rate of technological growth, everyone is developing a sense of awareness for the need for information security. The common man is exposed to the hazards of data leak and has become more protective of the same.

The companies that deal with large consumer data are often prone to sell the data or alter it for their own business obligations. However, with consumer security awareness spread, it has become a responsibility for the companies to ensure consumer security and enforce their right over data before exploiting it.

In light of it, many Governing bodies of different countries, have taken an interest to put forth the consumer rights to information, through secured laws & policies. Among them are two major contributions, being, GDPR of the European Union and CCPA of the state of California.

Before knowing the major differences between the two ground-breaking policies in the defense of consumer data protection, let us get an oversight of each of them separately.


General Data Protection Regulation was summoned by EU nations in April 2016 and came into effect from May 2018, replacing the old and obsolete General data protection act of 1995.

With the goal of protecting the rights of consumers over their data, GDPR exerts restrictions & reservations on the companies for the transactions within and outside the European Union and European Economic Area, which deals with the data of common people. This act applies to all 28 states of the European Union.


While being inspired by GDPR, California State buckled up to formulate a more personalized version of the data protection act, called CCPA (California Consumer Privacy Act) in late June 2018. However, this is to take effect for the citizens from Jan 1, 2020.

CCPA gives rights for the California Consumers to demand and see all their data, a company uses, with a choice to opt-out for sharing it with third parties, in case it seems suspicious or inappropriate.

Both of these acts strive towards guarding consumer data and their right over it. However, they both differ in wide terms given the details of each act. Below are some of the striking differences between the two:

Company Requirements

GDPR – Any company that collects and uses EU residents’ data, regardless of the size of the company will be under GDPR regulations. They owe it to their customers all in all.

CCPA – CCPA levies some constraints regarding the size of the company. A company has to be a certain size & deal with a certain amount of consumer data to comply with CCPA.

Consumer Consent

GDPR – It gives the consumers to opt-in to give their data before the data collection process by the companies.

CCPA – While CCPA goes with a slightly different approach of giving consumers the right to opt-out of data sharing.

Data sharing with third parties

GDPR – Consumer consent is explicitly demanded before there is any data transfer to the third party.

CCPA – This provides the right to choose out of data transfer for consumers in case of third party deals.


CCPA – The damage compensation for a data breach is not less than 100$ and not greater than 750$ per incident, per customer.

GDPR – The fees for damages are based on 10 criteria including intention, history of offense, mitigation, cooperation, prevention, certification, notification, data type & more.


GDPR – In GDPR, the companies are required to inform the customer of

1) what your business is?

2) what type of data is collected?

3) why is it processed? and

4) where is it used/disclosed to?

CCPA – The companies need to disclose the type & purpose of the information collected and the details of parties to which the data is shared.