How they Stack Up Against Each Other

GDPR

Data subjects, defined as identified or identifiable persons to whom personal data relates.

CCPA

Consumers, defined as California residents who are either:

• In California for other than a temporary or transitory purpose.
• Domiciled in California but are currently outside the State for a temporary or transitory purpose.

Consumers include:

• Customers of household goods and services.
• Employees.
• Business-to-Business transactions.

Comparison

While neither the GDPR nor the CCPA apply to legal persons, both apply to natural persons, but with a difference in the way they are defined. The CCPA clearly states that it applies to California residents, while the GDPR uses the more vague term “EU data subjects” without naming any residency or citizenship requirements. The CCPA also protects data that can be linked to a particular household, not just an individual as the GDPR does.

GDPR

Data controllers and data processors:

• Established in the EU that process personal data in the context of activities of the EU establishment, regardless of whether the data processing takes place within the EU.
• Not established in the EU that process EU data subjects’ personal data in connection with offering goods or services in the EU, or monitoring their behavior.

CCPA

Any for-profit entity doing business in California, that meets one of the following:

• Has a gross revenue greater than $25 million.
• Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
• Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Comparison

The GDPR’s scope is broad: it applies to all organizations, from businesses to public institutions and the nonprofit sector. The CCPA meanwhile has restricted its applicability to for-profit companies that meet very clear requirements.

In regards to geographical location, the GDPR applies to any company that processes the data of EU data subjects, wherever they may be located. The CCPA is unclear on this point: companies falling under its jurisdiction must be “doing business in California”, but does not clarify whether the company must be located in the state or meet certain profit thresholds to qualify as such.

GDPR

Personal data is any information relating to an identified or identifiable data subject.
The GDPR prohibits processing of defined special categories of personal data unless a lawful justification
for processing applies.

CCPA

Personal information that identifies, relates to, describes, is capable of being associated with,
or may reasonably be linked, directly or indirectly, with a particular consumer or household.

Comparison

The GDPR applies to all categories of personal data, while the CCPA only applies to data not covered by existing federal
privacy laws such as the Gramm-Leach-Bliley Act (GLBA) or the Health Information Portability and Accountability Act (HIPAA).

GDPR

Pseudonymous data is considered personal data. Anonymous data is not considered personal data.

CCPA

The CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose consumer
information that is deidentified or aggregated. However, the CCPA establishes a high bar for claiming data
is deidentified or aggregated. Pseudonymous data may qualify as personal information under the CCPA because
it remains capable of being associated with a particular consumer or household.

Comparison

The definition of “pseudonymisation” under the GDPR and CCPA is very similar in that it is the
processing of personal data in such a manner that the personal data can no longer be attributed
to an identified or identifiable person without the use of additional information, by putting in
place technical and organizational measures which keep the additional information needed for identification separately.

GDPR

Data controllers must provide detailed information about its personal data collection and data processing activities.
The notice must include specific information depending on whether the data is collected directly from the data
subject or a third party.

CCPA

Businesses must inform consumers about:

• The personal information categories collected.
• The intended use purposes for each category.

Comparison

Both the GDPR and the CCPA requires organizations to disclose what they do with the personal data they collect.
The CCPA however requires companies to disclose data sales and activities pertaining to data processing in the last 12 months,
while the GDPR places no such limitations.

GDPR

The GDPR requires data controllers and data processors to take appropriate technical and organizational
measures to ensure a level of security appropriate to the risk.

CCPA

The CCPA does not directly impose data security requirements. However, it does establish a right of action
for certain data breaches that result from violations of a business’s duty to implement and maintain
reasonable security practices and procedures appropriate to the risk arising from existing California law.

• The personal information categories collected.
• The intended use purposes for each category.

Comparison

Substantially similar in statutory approach though reasonable security measures may vary to some extent
according to an organization’s circumstances and regulator interpretation.

GDPR

Expanded Individual’s’ Rights:

• access their information;
• have inaccuracies corrected;
• have information erased;
• prevent direct marketing;
• prevent automated decision making and profiling;
• data portability.

CCPA

Expanded Individual’s’ Rights:

• access their information;
• have inaccuracies corrected;
• have information erased;
• prevent direct marketing;
• prevent automated decision making and profiling;
• data portability.

Comparison

While the GDPR requires organizations to get prior consent from data subjects for data processing and third-party
access to their data, the CCPA allows data subjects to opt-out of the sale of their data and requires businesses
to have a visible link at the top of their homepage for this purpose.

Both the GDPR and the CCPA offer the right to data portability: namely to provide consumers with their personal
data in a commonly used, machine-readable format that can then be transmitted to another entity.

The GDPR goes a step further in this direction, putting organizations under the obligation to transfer a
data subject’s information to another data controller upon request.

Under the CCPA, businesses are only required to provide consumers with the information electronically in a readily useable format.

While the GDPR’s right to erasure has a few notable exceptions such as data necessary for exercising the right
of freedom of expression or data needed for compliance with EU or EU member state law, the CCPA broadens these
exceptions further by including not only free speech and information needed for contracts, but, most notably,
also internal uses compatible with the context in which the consumer provided the data.

GDPR

The GDPR’s default age for consent is 16, although individual member states law may lower the age
to no less than 13.

The person with parental responsibility must provide consent for children under the consent age.
Children must receive an age appropriate privacy notice.

Children’s personal data is subject to heightened security requirements.

CCPA

The CCPA prohibits selling personal information of a consumer under 16 without consent.

Children aged 13 – 16 can directly provide consent. Children under 13 require parental consent.

Comparison

The GDPR emphasizes special protection for children and provides specific provisions for protecting children’s
personal data when processed for providing information society services.

The CCPA creates a special rule for children with regard to “selling” personal information,
however this rule is not limited to information society services.