GDPR vs. CCPA: What you Need to Know to Keep Consumer Data Safe

Published: October 31, 2019 (17 min read)

When it comes to consumer data, legislators are sending a clear message to business owners and organizations. Keep that data safe and give consumers more control over it. Let’s take a closer look at two pieces of legislation that tackle consumer privacy head on.

In recent years, data breaches have made the news more than a few times. In some cases, the breaches have been massive, affecting thousands and even millions of people. At the end of 2018, Marriott announced that it had been the target of a data breach. Personal data on 500 million people had been stolen. Three billion (with a b!) Yahoo users found their privacy had been compromised back in 2014. Cyber thieves often seem to be one step ahead of the good guys trying to shut them down. 

Consumers are generally aware that companies are collecting information about them all the time, from the newsletter sign-up on a restaurant’s website to Facebook to the cookies stored at every step of their digital travels. There is some evidence that even our friendly smart-home devices like Alexa are always listening, always collecting data. For better or worse, most of us have been pretty generous with our personal information. Then came the data breaches, one after the next.

Consumers are understandably fed up and, in response, lawmakers have pushed legislation intended to keep personal data safer. Europe got the ball rolling with GDPR (General Data Protection Regulation). We wrote about GDPR in a blog post last year. In a nutshell, GDPR endeavors to give consumers more control over their personal data, and enforces fines on companies that don’t comply with the regulation. The underlying goal is to increase consumer trust. Businesses have good reason to support data security requirements - skittish consumers don’t spend money online (or in person, for that matter). 

In the wake of GDPR, it seemed likely that other countries would soon follow suit. In the U.S., California seems to be leading the way by enacting very stringent legislation to protect private data. The California Consumer Privacy Act (CCPA) was signed into law in June of 2018. It takes effect January 1, 2020. Other states are sure to follow suit with similar consumer protections. 

What does the CCPA do?

Like the GDPR legislation that affects the EU, the CCPA protects the consumer rights of California residents by requiring transparency and giving consumers ownership of (and control over) their personal information. So, John Doe can contact a business and ask it to disclose the information it is collecting on Mr. Doe and with whom it is sharing that information. He can request that the business delete that information if he chooses. He can also request that his data not be sold to third parties. If Mr. Doe chooses to exercise his privacy rights, that business cannot treat Mr. Doe any differently: he must receive the same service and price that any other consumer would receive.

If Mr. Doe’s son is between 13 and 16 years of age, businesses are not permitted to sell his son’s personal data without the son’s opt-in consent. If he’s under 13, consent from a parent or guardian is required.

Does the CCPA Apply to Your Business?

The CCPA applies under several different scenarios. It applies to businesses operating in California (or with California residents) that collect personal information. Beyond that, the details get a little sticky. For example, the CCPA doesn’t specifically apply to non-profit organizations, but most would be wise to take it into account anyway. Many law firms have attempted to weigh in and sort through the complexities of the CCPA. jackson|lewis breaks it down in detail on a recent blog post. The article attempts to bring clarity to grey areas, including the involvement of third-party players. "It does not appear to be necessary under the CCPA for a business to actually be the one to collect personal information from consumers in order for the law to apply. So long as personal information is collected on behalf of a business (such as through a third party), the business could be covered by the CCPA, assuming the other requirements are satisfied."

CCPA has Far-Reaching Effects

You don’t have to live in California to be affected by the CCPA. Considering that California has the highest population of any U.S. state, it would be a rare business owner who could claim that there was no chance of doing business with a California resident. Because other states are likely to pass similarly stringent legislation, it makes sense to be prepared regardless. It’s also important to know that while the wording is specific to consumer protection, the law also applies to business-to-business scenarios where personal information is harvested. 

There are lots of good reasons to comply with data privacy legislation like the CCPA. Protecting consumer data is simply the right thing to do, of course. However, if that’s not enough motivation, be aware that once the act takes effect, residents of California will have the right to bring litigation against companies not in compliance. The state can also levy fines against companies in violation.

You may be wondering how the CCPA differs from GDPR. While it’s true that they are very similar (the CCPA was heavily influenced by GDPR), there are a few noteworthy differences. For example, the penalties for violating the CCPA are more severe, financially speaking. For a little light reading, check out this detailed guide from Future of Privacy Forum comparing GDPR and CCPA. It’s complex, but it’s also a reflection of how legislators are taking consumer privacy more seriously than ever. 

Some business owners are hoping that the federal government will take over data protection requirements so that compliance is more straightforward (vs. keeping up with laws passed by 50 individual states). For now, it’s important to stay up to speed on the privacy-related legislation that does affect your business. Depending on the nature of your business, compliance may be somewhat straightforward (such as the “cookie” warning you’ve surely seen on many sites) or it may be a layered approach (possibly involving legal help). Your customers (and potential customers) need to feel confident that their data is safe with you. 
Concerned about whether your organization needs to be GDPR/CCPA compliant? Talk to our team about security options for your website.