
Key differences between CCPA and GDPR: How location affects enterprise compliance

Discover the key compliance differences between CCPA and GDPR and how each law affects your business operations.


CCPA gives Californians control over their personal data, while GDPR governs how organizations process the personal data of people in the EU.

Both laws carry their own requirements (and penalties), so any business that touches both markets needs to understand where they differ.

In this article, you’ll learn:

  • How CCPA and GDPR define personal data
  • Compliance requirements for each regulation
  • The penalties businesses can face for non-compliance
  • How to align your business with both laws

Let’s begin by understanding what exactly CCPA and GDPR are.

What are CCPA and GDPR?

The California Consumer Privacy Act (CCPA), effective January 2020, regulates how for-profit companies doing business in California handle California consumers' personal information. Its goal is to give Californians more control over their data, including the right to know how businesses use, share, and sell it, and to access and request disclosure of the personal information held about them. The California Privacy Rights Act (CPRA) amended and extended the CCPA, with most of its changes taking effect on January 1, 2023; where the amended law changed a threshold or added a right, this article says so.

The General Data Protection Regulation (GDPR) is the EU's counterpart. It regulates how organizations (public or private, inside or outside the EU) process the personal data of people in the EU. Adopted in April 2016 and in force since May 25, 2018, GDPR replaced the Data Protection Directive of 1995. Unlike a directive, which each member state transposes into its own national law, a regulation like GDPR applies directly and uniformly across all member states.

One visible impact of GDPR is the widespread use of cookie consent banners reminding users of their data rights.

A screenshot of a prompt to accept cookies.

These twin data privacy protection laws, passed within a few years of each other and an ocean apart, changed the world of compliance. Before, companies could, in many ways, “move fast and break things” (sorry, Facebook); now, they have to establish strict data privacy policies first.

Feature-by-feature summary

Scope
  CCPA: For-profit businesses that do business in California and meet a revenue or data-volume threshold.
  GDPR: Any organization established in the EU, and any organization elsewhere that processes the personal data of people in the EU.

Protected entities
  CCPA: California residents ("consumers"), including in their roles as customers, employees and business contacts.
  GDPR: Individuals in the EU ("data subjects"), regardless of citizenship.

Pseudonymized data
  CCPA: Excluded from personal information only if it meets the law's "deidentified" standard.
  GDPR: Still personal data; only truly anonymous data is out of scope.

Privacy notices
  CCPA: Businesses must tell consumers, at or before collection, which categories of personal information they collect and for what purposes.
  GDPR: Controllers must give data subjects the information listed in Articles 13 and 14 (identity, purposes, legal basis, recipients, retention, rights, and the source if data was not collected directly).

Penalties
  CCPA: Civil penalties up to $2,500 per violation and $7,500 per intentional violation; statutory damages of $100 to $750 per consumer per incident in private data-breach suits.
  GDPR: Administrative fines up to €20 million or 4% of worldwide annual turnover, whichever is higher.

Rights granted
  CCPA: Right to know (disclosure), right to opt out of sale or sharing, right to non-discrimination; since 2023 also a right to correct and a right to limit use of sensitive personal information.
  GDPR: Right of access, rectification, restriction of processing, objection, and the right not to be subject to solely automated decisions.

Note: Both CCPA and GDPR grant rights to data portability and deletion.

Let's compare CCPA and GDPR across seven key areas.

1. They regulate different entities

CCPA regulates for-profit companies that do business in California and meet at least one of these criteria (any one is enough):

  • Gross annual revenue above $25 million.
  • Buy, sell, or share the personal information of 100,000 or more California consumers or households per year (the original 2020 threshold was 50,000; the CPRA raised it as of 2023).
  • Derive 50% or more of annual revenue from selling or sharing consumers' personal information.

GDPR regulates data controllers and processors anywhere in the world that process the personal data of people in the EU: any organization established in the EU, and any organization outside it that offers goods or services to, or monitors the behavior of, individuals in the EU.

Note: Under GDPR, the "data controller" determines the purpose and means of processing, while the "data processor" processes personal data on the controller's behalf. In CCPA, the closest roles are the "business" and the "service provider."

2. They protect different groups of people

CCPA protects California residents, calling them "consumers." Since the employee and business-to-business exemptions expired on January 1, 2023, consumers include individuals in their roles as customers, as employees, and as business contacts. Additionally, CCPA requires opt-in consent before a business sells or shares the personal information of a consumer under 16 (from a parent or guardian for children under 13).

GDPR protects "data subjects," which it defines as identified or identifiable natural persons. Citizenship is irrelevant: what matters is that the processing happens in the context of an EU establishment, or targets or monitors people in the EU. On children, GDPR Article 8 requires parental consent before an online service offered directly to a child can rely on the child's consent where the child is under 16 (member states may lower this to 13); unlike CCPA, it does not frame this around the "sale" of data.

3. They protect different kinds of personal information

Comparing CCPA and GDPR also reveals variations in what each considers "personal information."

CCPA protects personal information, which it defines as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household. The inclusion of households is distinctive: data about a shared address or device can be personal information even if no single individual is named.

GDPR protects personal data, which it defines as any information relating to an identified or identifiable natural person. Identifiers include obvious ones such as a name, date of birth, or physical characteristics like weight, but also ID numbers, location data, and online identifiers such as IP addresses or cookie IDs.

4. Different approaches to pseudonymized data

Pseudonymization is the process of replacing or separating the direct identifiers in a dataset (names, account numbers) so that records can no longer be attributed to a specific person without additional information that is kept separately, such as a key or lookup table. It is not anonymization: whoever holds that additional information can re-link the data, and the remaining fields may still single a person out.

Under CCPA, data falls outside "personal information" only if it is "deidentified," which the law defines with a high bar: the business must take reasonable measures to ensure the data cannot be associated with a consumer or household, publicly commit not to re-identify it, and contractually bind recipients to the same. Pseudonymized data that does not clear that bar remains personal information.

GDPR is stricter still: Recital 26 states explicitly that pseudonymized data is personal data, and only data that cannot reasonably be re-identified by any means reasonably likely to be used is anonymous and outside the regulation. For example, if a dataset retains location data or an identification number that could still be traced back to an individual, it is personal data under GDPR even though the person's name has been removed.
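The difference between pseudonymized and anonymous data is easiest to see in code. The following Python is an added example written for this article, not code from the original page or from WorkOS. The customer records are constructed, fictional data; the keyed-hash (HMAC) token scheme and the k-anonymity check are illustrative choices of technique, not anything either law prescribes. It shows that (a) the holder of the separately kept key can re-link tokens to people, and (b) even without the key, the remaining quasi-identifiers (zip code plus birth year) single every record out, so the pseudonymized table is still personal data; only the aggregated output with no per-person rows is a candidate for "anonymous."

```python
import hashlib
import hmac
from collections import Counter

# Constructed, fictional customer records (sample input for this example only).
RECORDS = [
    {"name": "Ada Example", "customer_id": "C-1001", "city": "Berlin", "zip": "10115", "birth_year": 1984, "spend": 120},
    {"name": "Ben Sample", "customer_id": "C-1002", "city": "Berlin", "zip": "10115", "birth_year": 1991, "spend": 80},
    {"name": "Cy Placeholder", "customer_id": "C-1003", "city": "Munich", "zip": "80331", "birth_year": 1984, "spend": 45},
    {"name": "Dee Fictional", "customer_id": "C-1004", "city": "Munich", "zip": "80331", "birth_year": 1985, "spend": 300},
]

DIRECT_IDENTIFIERS = ("name", "customer_id")


def token_for(customer_id: str, key: bytes) -> str:
    # Keyed hash (HMAC-SHA256) so a token cannot be recomputed without the key.
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Replace direct identifiers with a keyed token.

    The key is the 'additional information' in GDPR's definition of
    pseudonymisation: it must be stored separately, and whoever holds it
    can re-link the data to people.
    """
    out = []
    for r in records:
        p = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        p["token"] = token_for(r["customer_id"], key)
        out.append(p)
    return out


def relink(pseudonymized, originals, key: bytes):
    """With the key and the original identifier list, map tokens back to names.
    Because this is possible, pseudonymized data is still personal data."""
    by_token = {token_for(r["customer_id"], key): r["name"] for r in originals}
    return {p["token"]: by_token[p["token"]] for p in pseudonymized}


def k_anonymity(records, quasi_identifiers):
    """Size of the smallest group of records sharing the same quasi-identifier values.
    k == 1 means someone is singled out even though no name or ID is present."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(counts.values())


def anonymize(records, k_min: int = 2):
    """Generalize and aggregate so that no per-person row survives: drop zip,
    bucket birth year into decades, keep only groups of at least k_min people,
    and publish counts and averages rather than rows."""
    groups = {}
    for r in records:
        bucket = (r["city"], f"{r['birth_year'] // 10 * 10}s")
        groups.setdefault(bucket, []).append(r["spend"])
    return {
        bucket: {"count": len(spends), "avg_spend": sum(spends) / len(spends)}
        for bucket, spends in groups.items()
        if len(spends) >= k_min
    }


if __name__ == "__main__":
    key = b"demo-key-keep-this-somewhere-else"  # in practice a secret held by a separate system/team
    pseudo = pseudonymize(RECORDS, key)
    print("pseudonymized rows still single people out, k =", k_anonymity(pseudo, ["zip", "birth_year"]))
    print("holder of the key re-links:", relink(pseudo, RECORDS, key))
    print("aggregated output with no per-person rows:", anonymize(RECORDS))
```

Run it and the pseudonymized table reports k = 1 for the zip/birth-year combination, which is exactly the "location data that could still be traced back to an individual" case above; the aggregate keeps only the Munich 1980s group because the two Berlin buckets contain one person each and would be suppressed.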

5. Varying privacy notice requirements

CCPA requires businesses to inform consumers, at or before the point of collection, about the categories of personal information collected and the purpose for each category. Businesses must give fresh notice before collecting additional categories or using the information for purposes unrelated to those originally disclosed. Similar rules apply to third parties that buy personal information and want to re-sell it.

GDPR requires data controllers to give data subjects the information set out in Articles 13 and 14: who the controller is, the purposes and legal basis of processing, the recipients, how long the data is kept, and the rights the data subject has. When the data was not collected directly from the data subject, the notice must also say where it came from.

6. They have different penalties

CCPA gives consumers a private right of action, but only for data breaches: if a business's failure to maintain reasonable security lets unencrypted, unredacted personal information be stolen or exposed, affected consumers can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. Before seeking statutory damages, the consumer must give the business written notice of the violation; the business then has 30 days to cure it, and a cure within that window bars statutory damages.

The California Attorney General and, since 2023, the California Privacy Protection Agency can also impose civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation.

GDPR gives individuals a comparable right to compensation for material or non-material damage caused by a violation (Article 82), and supervisory authorities can impose administrative fines. The upper tier reaches €20 million or 4% of worldwide annual turnover, whichever is higher; a lower tier of €10 million or 2% applies to less serious infringements.

7. Some of the rights are the same, but there are also differences

The Future of Privacy Forum details the rights across CCPA and GDPR; nine of the most important are highlighted here.

CCPA and GDPR agree on two rights:

  • Right to data portability: Individuals can obtain a copy of their data in a readable, portable format. Both laws put a clock on responses: CCPA requires a reply within 45 days (extendable once by a further 45 days), GDPR within one month (extendable by two months for complex requests).
  • Right to deletion or erasure (GDPR's "right to be forgotten"): Individuals can request that companies delete their personal information, subject to each law's exceptions, such as data needed to complete a transaction or to comply with a legal obligation.

The CCPA names three rights that the GDPR does not spell out in the same form:

  • Right to opt out: Consumers can opt out of the sale or sharing of their personal information. CCPA's definition of "sale" is broad: any disclosure of personal information to a third party for monetary or other valuable consideration, not just direct sales, and "sharing" covers disclosure for cross-context behavioral advertising even without payment. Handing user data to an ad network for targeting therefore typically triggers the opt-out. GDPR has no separate concept of a "sale"; any disclosure to a third party is processing that needs a lawful basis, and where that basis is consent, the data subject can withdraw it at any time.
  • Right of disclosure (right to know): Consumers can request the specific personal information a business holds about them and how it collects, uses, and shares it. The closest GDPR counterpart is the right of access (Article 15), so in practice this is a difference of form more than substance.
  • Right to non-discrimination: Businesses may not deny service, charge different prices, or degrade quality because a consumer exercised their rights. CCPA states this explicitly; the same principle is implicit in GDPR, which requires that consent be freely given and rights be exercisable without detriment.

Similarly, the GDPR covers four rights the original CCPA didn't:

  • Right of rectification: Data subjects can have inaccurate personal data corrected and incomplete data completed. Note that the CPRA added a comparable right to correct inaccurate personal information to the CCPA as of 2023.
  • Right to restrict processing: Data subjects can require a company to stop processing their data (while still storing it) in certain circumstances, for example while a dispute over accuracy is resolved.
  • Right to object to processing: Data subjects can object to processing based on legitimate interests or public-task grounds, including profiling, and can object to direct marketing at any time, in which case the marketing must stop.
  • Right not to be subject to automated decision-making: Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects (Article 22), with exceptions such as explicit consent or contractual necessity.

As you can see, the rights granted to your potential and current customers differ across CCPA and GDPR. Though the two laws offer several similar rights, they also differ in key ways; refer to the CCPA vs GDPR compliance infographic that accompanies this article for a one-page summary of those differences.

How CCPA and GDPR compliance can fuel your startup’s growth

Laika, a startup providing compliance and audit management software, lays out three ways startups can use compliance for growth:

  1. Compliance frees you to close bigger deals. Compliance is a precondition of many deals, especially enterprise ones. If you understand and comply with CCPA and GDPR, you can better integrate into a business’s stack of already compliant apps.
  2. Compliance helps you stand out from other startups. Startups often have the reputation of being flash-in-the-pan fads. To prove your maturity and intended longevity, build out a compliance plan early. No matter how differentiated your product is, you will be competing among similar offerings. Compliance is a filter companies use to sort through their options.
  3. Compliance protects you from fines and embarrassment. When you’re just starting out, your brand is fragile. An early mistake, such as a data breach or high-profile fine, can fatally damage your brand and the trust your early users have in you. If brand damage is too abstract, think of your finances: Early startups run a lean operation. Big fines can be life or death.

Enterprises need to know you’re compliant before they’ll sign a deal with you. Enterprises, by their nature, are large and more than likely operate in both California and the EU. A deal with an app that isn’t compliant could then threaten the enterprise—and that’s something they just won’t risk.

Compliance is one reason among many that established enterprises will work with other established enterprises instead of startups, product quality be damned. You don't want to be on the losing end of that deal.

CCPA and GDPR compliance is essential to a global operation

You’re an internet company, and the opportunity in front of you is global. When you deliver your product online, scale is often merely a matter of additional digits in your AWS bill.

The existence of CCPA and GDPR mean, however, that the internet is no longer the Wild West. If you want to operate globally—and you do—then compliance needs to be a core part of your business strategy.

Find your early customers first, find product-market fit, build out your core team, iterate—and sooner rather than later, build out your compliance strategy. Better to have it now so you can close the next big deal, instead of leaving it to your competitors.

If you’re looking for more details on these differences, check out the International Association of Privacy Professionals' legal guide — it goes into a lot more depth.


How WorkOS simplifies compliance

Compliance needs to be a core part of your business strategy, but it doesn't have to be a headache.

WorkOS is an API platform that gives developers enterprise identity features such as Single Sign-On (SSO) and Directory Sync (SCIM). These cover the identity and access-management side of a privacy program: SSO lets a customer control who can log in through its own identity provider, and SCIM keeps user accounts in step with the customer's directory so that access is revoked when people leave. That supports the access-control, data-minimization and deletion obligations both CCPA and GDPR impose, though identity tooling alone does not make a product compliant; you still need the notices, request-handling processes and data inventory described above.

Ready to grow your global enterprise? Contact our team today to see if WorkOS can help your business.
