California Consumer Privacy Act of 2018 (CCPA) vs the EU General Data Protection Regulation (GDPR)

 The passage of the California Consumer Privacy Act (CCPA) has now raised the question as to whether the measures companies have implemented to comply with the General Data Protection Regulation (GDPR) will satisfy the CCPA. Unfortunately, the answer is largely, “No.”


  • Requires disclosures, communication channels (which must be at no cost such as toll-free phone numbers) and other items that are not required to comply with the GDPR.
  • Contains a broader definition of “personal data” and also covers information pertaining to non-individuals such as households and devices.
  • Establishes broader rights for California residents to direct deletion of data, with different exceptions than those in GDPR.
  • Establishes broader rights to access personal data without some exceptions available under GDPR.
  • Imposes more rigid restrictions on data sharing for commercial purposes.
  • Does not allow companies the discretion to offer consumers a choice between for-charge services and charge-free services.
  • If companies want to continue offering a charge-free service to Californians, companies cannot rely on revenue from data sharing or other usage to fund the service.
  • Companies may offer financial incentives to California residents, including compensation, for the collection or sale of their personal information, but only if they obtain prior opt-in consent which may be revoked by the customer at any time.

Table 1 – Other Differences

Basis for consent Opt in Opt out
Who it applies to Any organization holding personal data on EU citizens For-profit entities that process personal data of California residents and either:

  1. Do $24 million in annual revenue
  2. Hold the personal data of 50,000 people, households, or devices
  3. Do at least half of their revenue in the sale of personal data.
Rights for individuals Access to data being held, right to erasure, correction, and object to automated processing. Right to notification if there is a data breach. Right to disclosure and objection relating to who data is being sold to, no discrimination if individual objects to data sold. Right of access to data being held. Right to know how personal data is being used. Right to know who data has been provided to.
When does it come into force May 25, 2018 Jan 1, 2020
Financial Penalties 4% of turnover or €20m (whichever is greater) $7,500 per violation. $750 or actual damages for each individual, whichever is greater
Time allowed to respond to a request 1 month 45 days

Our compliance consultants are here to help if you have any questions on how to properly apply these new regulations to your organization.

Sign up for our Newsletter

Receive weekly emails for the latest cybersecurity news

Expand your team with Foresite

Enterprise-level cybersecurity and risk management for mid-sized businesses. Prioritize your security tasks and reduce the complexity of cybersecurity.