CCPA vs. GDPR: A Comprehensive Comparison

The General Data Protection Regulation (GDPR) took effect in 2018. It was the first time that the digital world was introduced to a new age of regulations involving data privacy. The law set unprecedented standards for user control, transparency, and accountability. Right after its institution, a similar law was also enacted in the state of California – the California Consumer Privacy Act (CCPA).

The CCPA is largely based on the GDPR. In contrast with the GDPR, however, the CCPA is noticeably less stringent and less extensive than its European predecessor, which has earned it the name “GDPR Lite”. In this comprehensive comparison, we will discuss some factors that make them so similar while being different at the same time.

User Control

Both the GDPR and CCPA introduce new controls and rights given to users, particularly when talking about the subject of consent. For instance, the GDPR requires businesses to collect and process data only on a minimum of 6 legal bases as stipulated by the legislation. One of these is user consent.

Under the guidelines of the GDPR, users are given the right to opt in, or consent, to the gathering of their data before the data collection actually happens. The CCPA, on the other hand, allows organizations and businesses to gather data from their consumers without the need to acquire consent first. Instead, the law grants the consumers of California the right to easily opt out of the possible sale of their personal data.


Transparency is an area in which the GDPR and the CCPA share common compliance requirements. Both acts impose more policies on transparent privacy. This includes specific descriptions of data-handling practices, and added sections on the rights that both California and EU users currently have. Additionally, the acts also mention the ways in which users can act on those rights.

For instance, a company that wishes to comply with the CCPA is now required to include a specific section on rights in its privacy policy. This section has to come with complete instructions on how consumers can opt out of the sale of personal data.


Both the GDPR and the CCPA are currently making improvements in their attempts to hold organizations all over the world accountable for their data gathering and selling practices. Under the GDPR, giants such as Google and Facebook have been fined millions of dollars. Some smaller companies have also had to go down the same path.

With the CCPA, consumers enjoy the right to bring action against an organization that violates the guidelines. This is done via the California Attorney General. The companies, however, are given a grace period within which they may comply. This means that no violations of the CCPA will be recorded until after July 1, 2020. As a result, the reality of the accountability of the legislation and its enforcers in California remains to be seen.


In certain respects, the newly released CCPA is different or even goes beyond the actual scope of the GDPR. Here are some aspects that we can consider:

  • The definition and description of personal information under the CCPA also specifically cover household information.
  • Even though both the GDPR and the CCPA need very detailed privacy notices, the content that is required of those notices differs. A privacy policy that meets the stipulated requirements of the GDPR will most likely not satisfy the requirements of the CCPA.
  • With the GDPR, the business or organization does not really need the consent of an individual to gather and use data. In this case, an individual does not really have access to an opt-out option. With the CCPA, on the other hand, individuals are provided with an absolute right to opt out of the possible sale of their personal data. This further mandates businesses and organizations to provide a “Do Not Sell My Personal Information” link on their websites, as well as in mobile apps.
  • Even though both the GDPR and the CCPA create provisions that need to be included in the contracts with the service providers, the actual requirements may differ. The data processing agreements for GDPR will most likely not meet the requirements of CCPA.
  • Also, the GDPR and the CCPA have different approaches to the privacy rights of children. The GDPR requires consent from the parents for the processing of the personal information of their children. The CCPA, on the other hand, requires that companies obtain opt-in consent first. Parents provide the needed consent for children below 13, while those between the ages of 13 and 15 can already provide their own consent.


Indeed, there are a number of similarities and differences in how each of these data privacy laws applies its own concepts of user control, transparency, and accountability. The goal of both, however, is to make sure that consumers are given a level of privacy in terms of data collection and selling.
