GDPR & CCPA: Similarities and Differences

Decades after the internet reached households throughout Europe and the United States, consumers are beginning to find their voice when it comes to their privacy and data rights. After years of feeling like they were losing control over which business had what access to their data and information about them, consumers turned toward their governments to craft regulations to help them level the playing field.

The culmination of this work for personal privacy rights led to the introduction of the European Union’s GDPR and, in the years that followed, California’s own CCPA. Both of these regulations dramatically changed the expectations for how businesses were required to handle personal data and provided consumers with new tools to better control data about them and their habits.

There are several similarities between both laws, but there are also some key differences between the two regulations that businesses and marketing professionals need to be aware of. In doing so, they can not only steer clear of fines for noncompliance and potential backlash from customers but also adapt their strategies to still reach their target audiences effectively.

What Are GDPR and CCPA?

The General Data Protection Regulation (GDPR) is an EU regulation, directly applicable in every member state, that limits how organizations may collect and process personal data. First proposed in 2012, adopted in 2016, and applicable since 25 May 2018, the GDPR was crafted to give individuals in the EU (the "data subjects" it protects, regardless of citizenship) control over how data about them is used, and it is widely seen as a milestone in the protection of personal privacy online. The GDPR also seeks to protect the "fundamental rights and freedoms of natural persons" by setting specific and strict requirements for organizations relating to data handling, transparency, breach notification, documentation, and user consent. It applies not only to organizations established in the EU but also to those outside the EU that offer goods or services to, or monitor the behavior of, people in the EU.


Two years later, the California Consumer Privacy Act (CCPA) was signed into law in 2018 and took effect on 1 January 2020, introducing California's own take on defining personal information, businesses' responsibilities for handling and processing it, and the consequences of noncompliance. The CCPA requires covered businesses to give California residents the ability to "opt out" of having their personal information sold to third parties, to know what personal information has been collected about them, to request that it be deleted, and to exercise these rights without being discriminated against for doing so.

How Is the CCPA Different from GDPR?

The CCPA draws a lot of inspiration from the GDPR, but businesses and marketing professionals need to recognize some of the key differences between the two regulations.

Though this is not a full legal review of both data privacy laws, here are some of the key ways the CCPA is different from the GDPR:

  • The CCPA applies only to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue above $25 million; buying, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year (raised to 100,000 by the CPRA amendments); or deriving 50% or more of annual revenue from selling personal information. The GDPR has no revenue or data-volume threshold; it applies to any organization that processes personal data of people in the EU.
  • The CCPA excludes "publicly available" information (such as data lawfully obtained from government records) and deidentified or aggregate consumer information from its definition of personal information. The GDPR has no carve-out for publicly available data: personal data that happens to be public is still personal data, and pseudonymised data remains in scope. Only data that is truly anonymised, so that no individual can be identified, falls outside the GDPR.
  • The GDPR is built around an "opt-in" model: where consent is the lawful basis, it must be a freely given, specific, informed, and unambiguous affirmative action before the data is collected or used. The CCPA uses an "opt-out" model: a business may collect and sell personal information by default as long as it gives notice and honors a consumer's request to opt out of sale (with opt-in consent required only for selling the personal information of consumers under 16).
  • The CCPA's definition of personal information covers data that identifies, relates to, or could reasonably be linked with a particular consumer or household. The GDPR's definition of personal data relates to an identified or identifiable natural person only.
  • The GDPR requires an organization to have at least one of the six lawful bases listed in Article 6 (such as consent, contract, legal obligation, or legitimate interests) before processing personal data. The CCPA imposes no lawful-basis requirement; it regulates through notice, consumer rights, and the opt-out mechanism instead.

What Are Key Similarities Between the GDPR and CCPA?

There are several key areas in which the GDPR and CCPA can affect how your business uses and collects personal data. Some prominent similarities include:

  • Both regulations are enforced with monetary penalties for noncompliance. Under the GDPR, supervisory authorities can impose administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. Under the CCPA, the state can seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, and consumers have a private right of action with statutory damages for data breaches caused by a failure to maintain reasonable security.
  • Data that cannot be traced back to a single identity, known as anonymous data, is outside the scope of both laws. Note the difference in how far that exemption reaches: under the GDPR, pseudonymised data (where the identifier is replaced but could be re-linked) is still personal data, while the CCPA separately carves out "deidentified" data provided the business takes technical and contractual measures to prevent reidentification.
  • Both regulations require businesses to publish a privacy policy on their websites and at the point of data collection, to respond to consumers' access and deletion requests within a set deadline, and to keep records that demonstrate compliance. Where consent is relied on, the GDPR requires that it be obtained before processing and that the business be able to prove it was given; the CCPA requires that opt-out requests, including those made through a "Do Not Sell My Personal Information" link, be recorded and honored.

This last point is particularly important for businesses that sell through e-commerce platforms like Shopify, because the platform's own privacy policy covers only the platform's processing, not the merchant's. The merchant remains the controller under the GDPR and the business under the CCPA for the customer data it collects, so it needs its own privacy notice, its own process for handling access, deletion, and opt-out requests, and records showing that those requests were honored.

Implement Continuous, Automated Compliance

No matter where your business is located, our digital world brings potential customers to your virtual doorsteps from both around the corner and around the globe.

That’s why it is more important than ever to ensure that your business has the tools, processes, and support it needs to appropriately comply with not only the GDPR and CCPA but also any other regulatory requirements that protect your customers.

The team at Dataships knows that this can be a challenge for businesses of any size, which is why we created a solution that automates and simplifies how businesses and marketing professionals comply with both laws by integrating within existing marketing technology, providing proactive privacy controls, and easing data management.

Ready to learn more about how Dataships can help your business? We recommend you check out our comprehensive GDPR/Brexit guide.