The European Union General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) might feel similar enough that you can cover them both with one compliance strategy for your website. In practice, however, each regulation has its own requirements, and a customized approach is needed to respond to both.
CCPA vs GDPR: The Individuals That the Regulations Protect
CCPA needs to be followed only by companies that have customers who are California residents. GDPR, on the other hand, applies to any organization that holds personal information of European Union residents or that handles information in the EU.
CCPA vs GDPR: The Information That is Protected
The personal information in question differs between GDPR and CCPA. The GDPR covers data that can be used to identify a person, whereas the CCPA is concerned with a wide range of data relating to a person or a household, including such nuanced information as internet browsing history. A key difference between the two is the consent model each allows: under CCPA, businesses may continue to sell a consumer's information until that consumer opts out, while the GDPR requires businesses to obtain consent before they collect a consumer's data.
CCPA vs GDPR: The Types of Businesses the Regulations Apply To
The CCPA only applies to for-profit businesses that (i) make $25 million or more in annual gross revenue, (ii) hold personal information for 50,000 or more California residents, or (iii) make at least half of their income from the sale of California residents' information. GDPR applies to all businesses with EU customers, based anywhere in the world, no matter their size.
CCPA vs GDPR: The Rights of Consumers
As we know, the CCPA requires businesses to give California residents access to the personal information held about them and to let them opt out of the company holding their information; both requests must be fulfilled within 45 days. GDPR is similar but not as strict: it gives customers the right to access, rectify, delete, restrict and object to their personal information being held by the company, and more, but it prescribes no specific calls to action such as the "Do Not Sell My Personal Information" link required under CCPA. Further, the CCPA contains non-discrimination stipulations: companies may not discriminate against customers who choose to exercise their rights, and may not offer rewards to customers who choose not to exercise them. GDPR has no such protections.
CCPA requires that businesses disclose whether they sell or even share customers' information and, if so, to what type(s) of organizations. The GDPR requirements for privacy policies only apply to the sale of personal data.
As there are a number of differences between the EU GDPR and GDPR California (some that we did not even get to cover here), the fundamental take-away is that the two regulations must absolutely be treated as separate regulations, combined into the same bucket only in rare cases and only with expert oversight.