How the CCPA (CPRA) is Different from the GDPR

The EU General Data Protection Regulation (GDPR), often said to be the world's toughest privacy law, took full effect in May 2018. The California Consumer Privacy Act (CCPA), easily the strictest general privacy law in the United States, passed soon after in June 2018. It took effect in January 2020. The CCPA was then amended and expanded by the CPRA, which took effect on January 1, 2023.

The CCPA (CPRA) is unashamedly similar to the GDPR in many ways. In fact, parts of the GDPR appear to have been lifted and inserted verbatim into the CCPA (CPRA).

That being said, the laws are distinct in many ways. They both share the goal of bringing greater consumer privacy and control over personal information. But the scope, impact, and requirements of each law are very different in practice.

Some Fundamental Similarities

Before we look at what's different about the two laws, it's important to mention a couple of key similarities that will put these differences in context.

Both laws concern the way "personal information" is "processed."

Personal information ("personal data" in the GDPR) is any information that can be used, directly or indirectly, to identify an individual. This could be anything from a person's name to their IP address. The laws both take a very broad approach to defining personal information (particularly the CCPA (CPRA)).
Processing personal information means performing any operation or set of operations on it. So, for example - storing it, sending it, selling it, etc. The definition of "processing" in both laws is practically identical.

Both laws:

Apply internationally - to anyone who does business within each law's jurisdiction.
Protect individuals - "consumers" in the CCPA (CPRA) and "data subjects" in the GPDR.

Who the Laws Apply To

Beyond the international reach of both laws, there's a big difference in who is required to comply with them.

CCPA (CPRA) - Businesses

The CCPA (CPRA) is only aimed at businesses, and not just any business - a typical small ecommerce store or marketing startup, for example, would not be required to comply with CCPA (CPRA).

For the purposes of the CCPA (CPRA), a "business" is defined as a legal entity that "determines the purposes and means" of processing personal information, does business in California and conforms with one or more of the following:

It has annual gross revenues of over $25 million;
It buys or receives for its own commercial purposes, or sells or shares for commercial purposes, personal information from at least 100,000 devices, households or consumers per year;
It makes at least 50 percent of its annual revenues from selling or sharing consumers' personal information.

GDPR - Data Controllers

Most of the requirements in the GDPR are placed on data controllers. "Data controller" is defined in Article 4 of the GDPR. A data controller can be anyone - an individual, a charity, a government body, a website admin, a business.

The key is that a data controller "determines the purposes and means of the processing of personal data [...]" - they decide why and how personal information is processed.

How Each Law Applies

You can tell which of the two laws is more demanding by looking at their length. The CCPA (CPRA) comes in at over 10,000 words, but the GDPR is over five times longer.

Provisions Exclusive to the GDPR

There are many provisions in the GDPR that are not included in the CCPA (CPRA). We'll look at some of these in more detail below. But broadly speaking, unlike the CCPA (CPRA), the GDPR:

Aims to bring more consistent privacy and data protection standards across the geographic area over which it applies
Regulates the activities of data processors (known as "service providers" in the CCPA (CPRA)),
Provides a set of six principles to which all processing of personal information must adhere, for example, "data minimization" and "purpose limitation"
Provides a set of six legal bases under which all personal information processing must take place. (For example, where the consent of the individual has been gained, or where there is a legal obligation.)
Sets out specific measures that should be taken regarding data security
Requires some organizations to appoint a data protection officer
Empowers data protection authorities to enforce privacy law
Sets out procedures for professional bodies to set up data protection certification schemes and codes of conduct
Provides specific conditions under which data can be transferred overseas

In a nutshell, while the CCPA (CPRA) is a big achievement for legislators in the context of U.S. privacy law - which has historically been very weak - the GDPR is a much more significant and robust piece of legislation.

Provisions Exclusive to the CCPA (CPRA)

The CCPA/CPRA's main concern is to regulate the sale of consumers' personal information. It achieves this by taking some of the GDPR's legislative controls and implementing them in specific ways.

For example, unlike the GDPR, the CCPA (CPRA):

Requires businesses to publish up-to-date information about what types of consumers' personal information they have sold or shared for commercial purposes
Requires businesses to provide a specific process by which consumers can opt out of the sale of their personal information

Additional differences are that the CCPA (CPRA) requires that some businesses provide a toll-free phone number and a "Do Not Sell My Personal Information" page.

As we've seen, the GDPR and the CCPA (CPRA) do cover many common areas. Within these, the CCPA (CPRA) also makes some specific demands on businesses that the GDPR doesn't make. We'll explore some of these below.

Privacy Policy Requirements

Both laws require organizations to disclose extensive information about the personal information they collect in an easily accessible Privacy Policy. Failing to do this where required is unlawful.

GDPR Privacy Policy

The GDPR requires a data controller to disclose some information in their Privacy Policy that is not mentioned in the CCPA (CPRA), including:

The name and contact details of the data controller (i.e. the organization that created the Privacy Policy) and its data protection officer (if relevant)
The legal bases on which personal information is being processed
Specific information about the legal bases that are being relied on (e.g. a Legitimate Interests Assessment, or how individuals can withdraw consent)

A GDPR-compliant Privacy Policy actually looks more like a Privacy Policy created to comply with the CCPA/CPRA's predecessor legislation, the California Online Privacy Protection Act (CalOPPA). This was the first U.S. law that required commercial websites to display a Privacy Policy.

Any business that falls under the CCPA (CPRA) will also need to comply with CalOPPA - and in many cases, the GDPR itself. So, you're likely to see some of these features in the Privacy Policies of many U.S. businesses.

CCPA (CPRA) Privacy Policy

The CCPA (CPRA) Privacy Policy requirements center around the trade of personal information.

The CCPA (CPRA) shares some requirements with the GDPR in this respect. For example, businesses must explain how consumers can access their rights under the law. But there are some requirements under the CCPA (CPRA) which are not made by the GDPR.

For example, the CCPA (CPRA) requires that a business includes three specific lists in its Privacy Policy that disclose:

The types of personal information that the business has collected in the previous 12 months
The types of personal information that the business has sold in the previous 12 months
The types of personal information that the business has shared for commercial reasons in the previous 12 months

If the business hasn't sold or shared any personal information it must declare this.

Additionally, businesses are required to display a link reading "Do Not Sell My Personal Information" in a conspicuous location on their home page, to alert consumers to their "right to opt out." We'll cover more on this right below.

Rights Over Personal Information

Both the CCPA (CPRA) and the GDPR provide individuals with rights over their personal information. Individuals are the owners of their own personal information and should be able to control it.

Right of Access

The right of access allows individuals to request a copy of their personal information that is being processed by a business (or any data controller under the GDPR). This is the right that looks the most similar under both laws, but it's worth considering the differences.

For example, the GDPR requires data controllers to comply with a request within one month, with an exceptional extension of an additional two months. The CCPA (CPRA) allows 45 days, which can be extended once by an additional 45 days where reasonably necessary.

The CCPA (CPRA) only requires a business to fulfill this request twice per year. The GDPR doesn't specify a limit, but it does allow data controllers to reject "excessive" requests.

There are also some variations in what can be provided under the right of access.

Data controllers under the GDPR must provide:

The categories of personal information being processed
The reasons for processing the personal information
The categories of any recipients of the personal information, and whether they are based overseas
How long the personal information is stored
Details about the individual's data other data rights
The sources of the personal information
Details of any automated decision-making (if relevant)

Under the CCPA (CPRA), businesses must provide:

The categories of personal information collected
Specific pieces of the personal information
Any commercial reasons for collecting or selling the personal information
The categories of any recipients of the personal information
The categories of sources of the personal information
For how long the personal information would be retained

The CCPA/CPRA's right of access actually incorporates part of the GDPR's right to data portability, which requires that information is provided in a "readily useable format that allows the consumer to transmit this information to another entity without hindrance." Unlike the GDPR, however, the CCPA (CPRA) doesn't require the business to perform this transfer itself.

Right of Erasure/Deletion

The GDPR's "right to erasure" is also sometimes known as the "right to be forgotten."

The CCPA only allows consumers to request deletion of personal information that has been collected from them directly by the business. The source of the personal information is not a relevant factor under the GDPR.

An individual can request that their personal information is deleted under either law. What differentiates the two laws is the conditions under which a deletion request can be refused.

The GDPR gives five such exemptions, and these are all shared by the CCPA (CPRA) with one exception - where maintaining the personal information is necessary for reasons of public health.

The GDPR's exemptions for when a deletion request can be refused are:

When the right of freedom of expression and information is being exercised
If you're legally obligated to process the data for the exercise of official authority or for public interest
If you're processing the data for reasons of the public interest in public health
If you're processing the data for archiving purposes related to the public interest, scientific or historical research, or statistical purposes
If processing the data is necessary for establishing, exercising or defending legal claims

A deletion request can also be refused under the CCPA (CPRA) where the personal information is required:

To perform a contract (e.g. complete a transaction)
To repair and debug errors
To comply with the California Electronic Communications Privacy Act
For any internal purposes that the consumer might reasonably expect based on:

Their relationship with the business
The purposes for which they provided the information

These exemptions severely weaken this provision under the CCPA (CPRA).

Right to Opt Out/Consent

The CCPA (CPRA) requires businesses to allow consumers to opt out of the sale of their information. There is no such explicit right in the GDPR - but there doesn't really need to be. Both laws can allow consumers to prevent the sale of their personal information, via very different routes.

Because of the way that consent operates under the GDPR, businesses are not allowed to assume that they have the permission to do certain things with the personal information they process.

Not all processing of personal information requires consent under the GDPR. Selling personal information, however, is very unlikely to be justifiable on any legal basis other than consent.

So whereas the CCPA (CPRA) requires businesses to allow consumers to opt out of the sale of their personal information, the GDPR effectively forbids businesses to sell individuals personal information unless they have opted in, by giving informed consent. Further, any individual who has consented to such a practice is subsequently able to withdraw that consent.

The GDPR's approach in this regard is actually the approach taken by the CCPA (CPRA) towards children, who have the automatic "right to opt in" to the sale of their personal information, and cannot be assumed to have consented to it.

Penalties

The GDPR is well-known for its potentially brutal fines. The CCPA (CPRA)A may not go quite as far, but it does introduce some much tougher penalties than other privacy laws in the United States.

Enforcement of the CCPA (CPRA)

The CCPA (CPRA) can be enforced via:

Penalties issued via civil cases brought by the Attorney General:

Up to $2,500 per unintentional violation
Up to $7,500 per intentional violation

Private legal claims brought by consumers, where they can recover amounts between $100 and $750 per incident, or actual damages - but only for the unlawful loss of their personal data.

Enforcement of the GDPR

The GDPR can be enforced via:

Penalties issued via data protection authorities, including:

Warnings and other non-financial penalties
For some violations, up to 10 million euros or 2 percent of a company's annual worldwide turnover - whichever is higher
For more serious violations, up to 20 million euros or 4 percent of a company's annual worldwide turnover - whichever is higher

Private legal claims against data controllers, processors or data protection authorities. There are no maximum penalties specified.

Summary of Key Differences

The similarities between the CCPA (CPRA) and GDPR are mostly obvious - but in some places, they serve to highlight their differences.

The GDPR applies to "data controllers" which has a very broad definition. The CCPA (CPRA) applies only to businesses of a very specific size or type.
Unlike the CCPA (CPRA), the GDPR covers areas such as:

Principles of data processing
Legal bases for processing
Specific data security measures
Appointing a data protection officer
Empowering data protection authorities
Certification schemes and codes of conduct
Overseas transfers

Unlike the GDPR, the CCPA (CPRA) requires businesses to:

Publish up-to-date information specifically about their personal information trading practices
Specifically allow individuals to opt out of the sale of their personal information

The GDPR requires data controllers to publish a comprehensive Privacy Policy. The CCPA (CPRA) requires businesses to publish a specific Privacy Policy about their personal information trading practices.
The GDPR provides a broader set of rights that allow individuals a high degree of control over their personal information. The CCPA provides some of these rights, but with more exemptions for businesses.
The GDPR and CCPA (CPRA) are enforced via a different system of penalties.