CCPA: GDPR rears its US-based head

Filed under: Strategy, Tech
Despite its global reach, GDPR is an EU regulation. CCPA, on the other hand, is specific to the US. Here's a high-level comparison of the two.

Earlier this year, GDPR went into effect. Many US-based companies updated their privacy policies, added consent banners, changed information collection practices, and improved internal privacy policies. But despite its global reach, GDPR is an EU regulation, and not everyone has felt compelled to change their ways. Enter the California Consumer Protection Act (CCPA) of 2018.

CCPA was approved on June 29th and will not go into effect until Jan 1, 2020. Just like GDPR, a long implementation period has been granted to give businesses ample time to make changes.

In an earlier post, we described some ways to prepare for GDPR. In this post, we'll explore some high-level similarities and differences between GDPR and CCPA.

CCPA & GDPR Similarities

Scope: GDPR has a broad reach. It applies to any company that handles EU data subjects’ personal data. Even if your company is located outside of the EU, you may be held accountable for how you handle EU customer data. Similarly, CCPA focuses on California, and any company that handles the personal data of Californians is subject to scrutiny. However, CCPA limits its reach to those businesses that:

  1. Handle private data for more than 50,000 users;
  2. Earn 50% of revenues from selling personal data; or
  3. Have gross annual revenues exceeding $25M.

CCPA spares businesses that don’t meet this litmus test.

Right to know: Both regulations stipulate that users should know how their data is being used, and both require user approval before that data is used for other purposes. CCPA requires businesses to prominently display an opt-out button that reads “Do Not Sell My Private Data,” whereas GDPR insists upon opt-in consent.

Right to be forgotten: This is one of the main points of both regulations. If consumers share private data, they should also have the ability to have it removed. In both cases, the consumer should be able to request that their information be removed or deleted (unless there is a legitimate reason for keeping the data). Not only does local data have to be removed, but so does all user data stored with processors (GDPR) or service providers (CCPA).

CCPA & GDPR Differences

CCPA allows companies to offer financial incentives to collect personal data. If a business sells personal data, it must disclose, on request, to whom it sold the data.

Both CCPA and GDPR aim to offer more privacy protections to the consumer. This is good news for businesses and consumers alike: by offering more transparency about what is being collected, businesses will be able to earn more consumer trust. A pre-GDPR study in the UK and the US shows the power of knowledge. Two NYT reporters asked Amazon in the UK and the US for the information it stored about them. Hopefully, you agree that being transparent is the better of the two options.

Amazon on GDPR

With the increase in data breaches and cyber-attacks, consumers want to work with companies that respect their privacy and/or have measures in place to protect their data. We believe strong data privacy controls will continue to grow in importance and be part of all the solutions we build in the future.

Disclaimer: All information is the opinion of Taoti Creative. We do not offer legal advice, and we urge anyone who decides to pursue compliance with specific data privacy laws and regulations to seek legal counsel to ensure their specific needs are being met.