Legend: Similar / Largely similar / Some similarities / Substantially different

Required functionality: CCPA similarity to GDPR

Who is regulated?

The scope and territorial reach of the GDPR are much broader. Substantially different in parties regulated

Who is protected?

Substantially different in approach, but similarly broad in effect. Both laws focus on information that relates to an identifiable natural person; however, the definitions differ. Both have potential extraterritorial effects that businesses located outside the jurisdiction must consider

What information is protected?

Substantially similar. However, the CCPA definition also includes information linked at the household or device level

Right to deletion/erasure (The right to be forgotten)

Similar data deletion rights. The GDPR right only applies if the request meets one of six specific conditions, while the CCPA right is broad. However, the CCPA also allows businesses to refuse the request on much broader grounds than the GDPR. The GDPR’s obligation to inform downstream data recipients of the person’s deletion request is also broader. Current legal interpretation is that under CCPA, you cannot anonymise data (under review by Attorney General)

Privacy notices/Information rights

Similar disclosure requirements, but differences in the specific information required and the delivery methods. The CCPA notice requirements on personal information disclosed or sold to third parties only cover the 12 months preceding the request

Security

Substantially similar in statutory approach though reasonable security measures may vary to some extent according to an organisation’s circumstances and regulator interpretation

Opt-out right for personal information sales

Substantially different. The GDPR does not include a specific right to opt-out of personal data sales, whereas under CCPA you must include a ‘Do Not Sell My Personal Information’ link in a clear and conspicuous location on a website homepage

Children

Substantially different requirements, other than ages involved. The CCPA only requires parental consent for personal data sales, while GDPR’s parental consent requirement applies to all processing consent requests

Right of disclosure or access

Broadly similar rights of disclosure/access. The CCPA’s right is only to obtain a written disclosure of the information. The GDPR allows broader access, which is not limited to a written disclosure in a portable format

Right of data portability

Broadly similar rights. The GDPR provides a specific right for individuals to request that a data controller transfer their personal data to another data controller

Right of rectification

Substantially different. This is not a requirement for CCPA

Right to restrict processing

Substantially different. This is not a requirement for CCPA, other than the right to opt-out of personal information sales

Right to object to processing

Substantially different. This is not a requirement for CCPA, other than the right to opt-out of personal information sales

Right to object to automated decision making

Substantially different. This is not a requirement for CCPA

Responding to rights requests

Substantially similar. However, turnaround times are different and CCPA only has a 12-month look-back for customer rights requests

Non-discrimination

Similar idea, different obligations. For example, both acts prohibit discriminating against a consumer because they exercised their rights

Penalties (Private rights of action)

Substantially different in scope, but violations of either may potentially result in significant economic liability

Penalties (Civil fines)

Approach to calculating fines differs, but violations of either may potentially result in significant economic liability