CCPA vs. GDPR: the same, only different

Intellectual Property and Technology News


The groundbreaking California Consumer Privacy Act has been nicknamed California's GDPR, referring to the European Union's comprehensive data protection law that took effect in May 2018, just one month before the CCPA was passed. The CCPA, which comes into effect in January 2020, creates sweeping new rights for Californians and onerous transparency and other obligations for businesses handling their information.

While the law is a game changer for the US, "California's GDPR" may be a bit of a misnomer. The two laws share some key components, yet present crucial differences. Businesses that have undertaken GDPR compliance will have an advantage in addressing CCPA, but those efforts alone won't suffice.

CCPA Overview

The CCPA applies to certain businesses, regardless of location, that collect personal information about California residents, and, as of now, applies to information regarding customers (both individuals and entities), vendors and employees.

The law includes an expansive definition of personal information that, in addition to identifying information like names or phone numbers, includes such elements as IP address, device identifiers and biometric, audio and location information.

Under the CCPA, California residents will have rights to access their personal information, to have it deleted and to opt out of its "sale" (defined broadly to include any disclosure in exchange for something of value). The law also raises the stakes in the event of a data breach by creating a class action right and statutory damages without having to prove actual losses.

Comparison to GDPR

The CCPA is often compared to the GDPR – both laws give individuals rights to access and delete their personal information, require transparency about information use and necessitate contracts between businesses and their service providers.

In some respects, however, the CCPA does not go as far as GDPR. Most crucially, the CCPA does not require businesses to have a "legal basis" (a justification set forth in GDPR) for collection and use of personal information. The CCPA also does not restrict the transfer of personal information outside the US, or require that businesses appoint a data protection officer and conduct impact assessments. In addition, California residents' right to access personal information is limited to data collected in the past 12 months. CCPA also places fewer obligations on service providers.

In other respects, the CCPA differs from or goes beyond the scope of GDPR:

  • The CCPA's definition of personal information specifically includes household information.
  • While both the CCPA and GDPR require detailed privacy notices, the required content of those notices differs. A privacy policy that meets the requirements of the GDPR will likely not satisfy the CCPA's requirements.
  • Under GDPR, a business does not necessarily need the individual's consent to collect and use data, in which case the individual does not have a general opt-out right. But CCPA grants individuals an absolute right to opt out of the sale of their personal information and obligates businesses to add a "Do Not Sell My Personal Information" link on websites and mobile apps.
  • Although both the CCPA and GDPR prescribe provisions that must be included in contracts with service providers, the requirements differ, and GDPR data processing agreements will likely not meet CCPA requirements.
  • Finally, the GDPR and CCPA take different approaches to children's privacy rights. GDPR requires that parents provide consent for the processing of their children's personal information in an online environment – but only where the legal basis for processing is consent. Children are defined as under 16, although member states can lower the age to 13. The CCPA, in contrast, addresses the sale of children's information – not all processing – and requires that businesses first obtain opt-in consent. Parents must provide consent for kids under 13; teens 13-15 can provide their own consent.


Back to IPT News Q1 2019