The CCPA vs. the GDPR comparison

December 19, 2019

Orange and yellow gradient

Both the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) aim to protect individuals’ privacy rights, but there are some key differences between the two. In this blog post, we’ll look at some of the important distinctions between the CCPA vs. the GDPR.

Core Concepts

Only in the GDPR

  • Restrictions on how and why businesses can process personal data
  • Additional protections for Sensitive Personal Data
  • Privacy by design and privacy by default requirements
  • Opt-in consent as a legal basis of processing

Only in the CCPA

  • Personal information includes data about devices and households
  • Right to Object/Opt-Out only covers the sale of personal information (narrower than GDPR Right to Object)
  • Access rights are broader

CCPA vs. GDPR terminology

In addition to differences in their core concepts, the CCPA and GDPR have variances in terminology.

Consumer (CCPA) vs. data subject (GDPR)

Under the CCPA, a consumer is a natural person who must be a California resident. According to the GDPR, a data subject is any identified or identifiable natural person, that is, a person who can be identified directly or indirectly.  In contrast to the CCPA’s residency requirements, a data subject under the GDPR does not necessarily need to be an EU citizen or resident.

The GDPR applies outside of the EU when a company sells products or services to individuals inside the EU or when individuals are targeted or monitored. It covers “processing” of personal data, defined to include any operation performed on personal data, including collection.

How is personal information defined by the CCPA vs the GDPR?

Personal information (CCPA)

The CCPA broadly defines personal information (PI) as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household.

Personal data (GDPR)

The GDPR defines personal data as any information relating to an identified or identifiable person, by reference to an identifier. In fact, an individual can be both a consumer and a data subject if an EU-established company processes personal data of California residents.

Business (CCPA)

The CCPA classifies the following as a business:

  • A for-profit organization (sole proprietorship, partnership, corporation, LLC, association, or other legal entity)
  • That collects consumers’ personal information (online or offline)
  • Determines the purpose and means of the processing
  • Does business in the State of California
  • Plus one or more of the following:
  • Has annual gross revenues in excess of $25 million
  • Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices.
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Controller/processor (GDPR)

The GDPR defines the controller the organization that determines the purposes and means of the processing.  The GDPR applies under the following circumstances:

  • Where the controller or its processor is established in the EU, or
  • The processing personal data of EU residents by a non-EU controller or processor, where it relates to:
  • offering of goods or services, or
  • monitoring of EU residents’ behavior (insofar as the behavior takes place in the EU); or
  • Processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law (i.e., an EU Member State embassy)

Right to opt-out vs. the right to object and the right to withdraw consent

Under the CCPA, the Right to Opt-Out means:

  • At any time, consumers can request a business to stop selling their personal information to third parties
  • Business must wait 12 months to ask a consumer to opt back into the sale of personal information
  • Businesses that sell personal information must post a link on their homepages that says “Do Not Sell My Personal Inform” so consumers can know about and exercise their opt-out rights

Under the GDPR, the Right to Object means:

  • The data subject’s right to object to processing “on grounds relating to his or her particular situation, at any time”
  • The scope includes processing based on legitimate interests, based on performance of task in public interest/exercise of official authority and research purposes

Under the GDPR, the Right to Withdraw Consent means that:

  • At any time, the data subject can withdraw consent when the legal basis of processing was based on consent
  • Withdrawal must be as easy as it was to give consent

How can businesses legally collect and use personal data?

CCPA compliance

The CCPA does not explicitly list legal grounds that businesses must rely upon to collect and use personal information. However, individuals have the right to opt-out of the sale after collection and can instruct businesses to stop selling their personal information.

Under the CCPA, there are several instances where businesses are required to collect the consent of the consumer. These include where the consumer is entering into a scheme that offers financial incentives based on the personal information provided. The CCPA allows businesses to sell minors’ data on the basis of valid consent, but consent is not required for the collection of the information.

GDPR compliance

The GDPR sets out 6 legal bases under Article 6 that organizations can rely upon to lawfully collect and use personal data. Processing personal data is considered lawful under the GDPR if at least one of the following applies:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • Processing is necessary for compliance with a legal obligation to which the controller is subject
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

CCPA vs GDPR: Enforcement & penalties

What is a violation under CCPA?

The CCPA outlines monetary penalties for unintentional and intentional violations. These range from $2500 per unintentional violation to $7500 per intentional violation with no maximum penalty outlined by the law. Violations of the CCPA are assessed and penalties recovered through civil action brought by the California Attorney General and issued in court.

On March 17, 2021, the establishment of the California Privacy Protection Agency (CPPA) was announced. The board will oversee, implement, and enforce the CCPA and the CPRA, a role previously fulfilled by the California Attorney General.

What are the types of GDPR breaches?

Breaches of the GDPR’s provisions are typically bucketed into two categories each with different levels of monetary penalty attached. Depending on the nature, gravity, and duration of the infringement, the penalty for non-compliance with the GDPR may be up to either:

  • 2% of global annual turnover or €10 million, whichever is higher; or
  • 4% of global annual turnover or €20 million, whichever is higher.

In general, the lower penalty amount is issued for breaches of controller or processor obligations. Breaches of data subjects’ rights and the GDPR’s data protection principles will result in fines from the higher tier being issued.

How OneTrust helps you comply with the CCPA and GDPR

OneTrust is a compliance management solution that helps organizations of all sizes simplify time to CCPA and GDPR compliance through start-to-finish privacy program automation.

Both the GDPR and the CCPA grant individuals rights that enable them to protect their privacy. Regardless of where you are in your privacy program, it’s never too late to start preparing for the CCPA. For more information on our CCPA Same Day Fast Track Implementation Program or to request a live OneTrust for CCPA software demo, visit or email

You may also like


Privacy & Data Governance

What California’s CCPA investigative sweep means for your mobile applications

The California Attorney General declared an investigative sweep of mobile apps that don't comply with certain CCPA opt-out and consumer request provisions.

Alex Cash

February 01, 2023 5 min

Learn more


Privacy & Data Governance

What California’s CCPA investigative sweep means for your mobile applications

The California Attorney General declared an investigative sweep of mobile apps that don't comply with certain CCPA opt-out and consumer request provisions.

Alex Cash

February 01, 2023 5 min

Learn more


Privacy & Data Governance

CCPA toll-free number requirement

The California Privacy Rights Act (CPRA) follows up the CCPA with new and expanded rights, retaining the toll-free number requirement.

Param Gopalasamy, CIPP/E, CIPM

December 15, 2022 4 min

Learn more