CCPA vs GDPR – A comparison of two of the biggest consumer privacy regulations in the world

John Sears

John Sears


May 16, 2023


8 min read

Jump to section

Whenever a discussion about consumer privacy and laws that help protect it takes place, at some point, somebody mentions either the California Consumer Privacy Act (CCPA) or (General Data Protection Regulation (GDPR) – or both. This is hardly a surprise because the two have become the most widely known sets of policies created to give users more control over their personal data.

Driven by the notion that all digital citizens should be entitled to know where their personal information is stored and what it is used for, governments around the world are implementing various methods to help people receive such information. However, although the goals of data privacy regulations are similar, no two policies are the same.

The CCPA and the GDPR are different with regard to the types of data they help protect, the requirements you must meet, and the entities they apply to. At NordLocker, we know how important data privacy is and what it takes for businesses to protect their clients’ personal information. Therefore, we want to help you navigate the consumer rights landscape.

In this article, not only will we take a closer look at CCPA vs GPDR – the differences and similarities – but we will also reveal what it takes to become compliant with either of the two.

What is CCPA?

The California Consumer Privacy Act (better known as the CCPA) is state-wide legislation created to protect privacy rights and enhance consumer protection for residents living in the US state of California.

Put into force on January 1, 2020, the CCPA has provided the people of California with increased transparency and control over their personal data. As a Californian, you have the right to request any business to delete the data it has collected about you or withdraw from third-party data sales.

The CCPA applies to organizations running business operations in California as well as companies that handle, store, or share personal information about California’s residents.

If you’re a business owner, you are allowed to collect and use personal data. However, you must make it clear how that data is processed and give Californian consumers a chance to reject that data processing.

This requirement explains why so many of today’s organizations put privacy and cookie content policies on their websites and allow visitors to personalize their data privacy preferences.

What is the GDPR?

The General Data Protection Regulation is, as its name suggests, a law concerning the protection of data and data privacy in the EU and the European Economic Area (EEA). Created by the European Parliament, it came into effect in May 2018.

On the surface, it looks similar to the CCPA (which is why some people think they are one and the same) because it provides European Union residents with more transparency and control over their personal data than they had before it went into effect. It applies to all organizations, in and out of the European Union, that store and manage the personal information of EU residents. However, the way the GDPR works is slightly different from how the CCPA is used, apart from the obvious that the GDPR was designed for EU residents and the CCPA for people who live in California.

The GDPR is a law that determines how businesses, organizations, and websites can handle personal data (which involves details like people’s full names and their email addresses, whereabouts, and browsing history).

Basically, if you have a website that has been viewed by someone from the EU and you (or a third-party services provider like Facebook or Google) process their personal data, according to the GDPR, you must obtain prior consent from that user first. Meaning that they must agree with you administering their personal data.

The GDPR is often called the world's toughest privacy and security law because it allows organizations to use EU residents’ personal data only when at least one of the following six conditions apply:

  • Data subjects can give their consent to use their personal data and withdraw that consent at any given moment.

  • The processing of the subject’s data is necessary to enter into or perform a contract between the user and the company.

  • The processing of data is necessary for legal reasons; an obligation caused by information security, consumer transaction law, or employment.

  • Data is processed to help protect the life of a particular consumer – most common in emergency medical care situations.

  • The subject’s data is necessary to complete a given task that’s in the public interest.

  • The subject’s data is used for other legitimate interests (a business’s interests, for example) but only when the interests, rights, and freedoms of that particular EU citizen do not override the controller’s interests.

GDPR vs CCPA: The 5 biggest factors that set the two apart



Subject entities

The GDPR applies to every business that collects the personal data of EU residents, no matter where it is located.

It should be no surprise to anyone that the GDPR is therefore much broader than the CCPA – the number of companies that process the data of EU residents is greater than the number of companies that store and use the data of people living in California.

The CCPA law applies only to for-profit organizations that collect personal data about the people living in California and use that data for marketing or sales purposes.

A “for-profit organization” is described as one that meets at least one of the following conditions:

  1. Its gross annual revenue is at least $25 million

  2. It is in possession of personal information (PI) of at least 50,000 California residents, householders, or devices

  3. It generates more than 50% of its annual revenue by selling personal information

Data Under Protection

Although both the GDPR and the CCPA provide a similar definition of personal data, the range of personal information covered by the GDPR is narrower than the CCPA.

The GDPR helps protect “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.” This information can be an ID number, email address, phone number, online identification number, or sensitive data that concerns the physical, physiological, genetic, mental, economic, cultural, or social identity of a given data subject.

Therefore, the GDPR does not cover, for example, information on deceased persons, anonymous data, or data used for houseful or personal purposes.

The CCPA helps protect “information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer, device or household.”

The above includes names, email addresses, browsing histories, shopping records, and biometric data.

What the CCPA excludes from its scope are, for example, personal information under the Gramm-Leach-Bliley Act, medical information protected under HIPAA, information covered by California’s Driver’s Privacy Protection Act, and information from federal, state, or local government records that are available publicly.

User’s Right to Opt Out

Following the principles of the GDPR, organizations must provide users with the ability to both opt in and opt out before they will be allowed to process personal data.

In other words, data owners must give businesses their consent before their personal information can be used in any way. Also, data owners must have the right to withdraw their consent at any moment in time.

Under the CCPA, businesses can collect personal data from a given user as long as that individual is over the age of 16. Not only must a company provide that data subject with the ability to opt out, but it also must give that person a chance to object to the collection of data about them.

When a user decides to opt out, the company is not allowed to collect information about them for a period of 12 months.

Security Requirements

Companies that process the personal data of EU residents are required to implement technical and organizational security measures to guarantee the security of all that data. To prevent data breaches and security violations, businesses are advised by the GDPR to use security methods such as encryption and pseudonymization.

No specific security requirements are listed in the California Consumer Privacy Act. However, the law allows Californians to take legal action against organizations that do not provide adequate security measures to protect personal data.


The GDPR fines are divided into two levels – you get fined depending on how serious the violation is:

  1. 2% of the annual global turnover or €10 million – depending on whichever is higher – is the maximum fine for less severe violations

  2. 4% of the annual global turnover or €20 million – again, whichever is higher – is the highest fine you can get for severe violations

GDPR fines are imposed by dedicated data protection authorities operating in the EU Member States.

The CCPA fines are also divided into two groups, but they are different from those in the GDPR:

  1. Up to $2,500 per violation

  2. $7,500 per intentional violation

A citizen of California can claim statutory damages from $100 to $750 per a single violation. Fined companies have 30 days to remedy the violation.

CCPA fines are imposed by the state court of California.

GDPR requirements vs CCPA requirements

Comparing the two sets of laws, it is easy to see that the GDPR requirements are more stringent than the CCPA’s. Let’s start with the CCPA.

To achieve compliance with the CCPA, an organization is required to send reports to inform data subjects about what happened to their personal information after a 12-month period. To be more specific, these reports must clearly tell the “story” of when personal data was collected, sold, or used for business purposes.

Every resident of California whose data was obtained must be notified before the company sells the data to yet another third party.

In the case of the GDPR, a business is required to do a lot more to be compliant with the regulations. Not only must EU residents be informed whenever their personal data is collected from them, but they also must be notified when their data is shared with another third party.

When their data is used for profiling, EU residents must be told how long it can be retained and what the purpose of that process is. Of course, they must also be reminded that they can opt out at any time.

What is the CPRA and how does it affect the CCPA?

CPRA is an acronym for the California Privacy Rights Act, which is the name of a state-wide privacy bill that came into full effect on January 1, 2023. Due to its name, it is not surprising that many people google “CCPA vs CPRA – what’s the difference.” After all, the two are related.

The CPRA is an addendum to the CCPA, created to introduce additional consumer privacy rights for California residents and tighten the regulations on the use of personal information (PI) by organizations. Its creation coincided with the establishment of a new agency called the California Privacy Protection Agency (CPPA), the goal of which is to drive educational initiatives on the risks and legal regulations related to data privacy.

The California Privacy Rights Act introduced a new category of personal data, Sensitive Personal Information (SPI), subject to new restrictions and laws. As a result, Californians can request businesses to limit the use of their SPI, which include social security number, driver’s license, passport number, debit or credit card number, health information, genetic data, and biometric information.

Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current, and is subject to change without notice. You should seek professional legal counsel before taking any action.

How can NordLocker help you with the GDPR and the CCPA?

NordLocker is an end-to-end encrypted cloud storage platform that you can use to not only protect your data but also meet some of the GDPR requirements.

As already mentioned, no security requirements are specified in the CCPA. However, Californians can sue companies for not providing adequate security measures to protect their personal data.

Therefore, NordLocker is a solution that businesses can use to keep California residents’ data safe and sound, and thus make sure that no one will take legal action against them on that basis.

If you want to know more about NordLocker and how it can help you improve your cybersecurity strategy, please contact us.

CCPA vs GDPR infographic

Here is a brief overview of GDPR vs CCPA.

John Sears

John Sears

Verified author

John believes that the best things in life are simple. He uses the same approach when he’s writing about online security. John says that his #1 pet peeve is phishing scams. Ironically, his favorite non-work related activity is fishing.