About GDPR and CCPA


The CCPA (California Consumer Privacy Act) took effect in January 2020 in the US. How does it compare to the GDPR (General Data Protection Regulation) of the EU? This, and more information about GDPR and CCPA in this blog post.

But first, do these regulations apply to you?

As soon as you process personal information of ‘data subjects who are in the European Union’ and/or ‘consumers in California’ these regulations generally apply.

So, (1) how is ‘Personal Information’ defined? And, (2) do all organizations need to comply?

1. How is Personal Information defined?

Personal Identifiable Information, or PII data in short, can be divided into two categories:

    1. Linked information
    2. Linkable information

Now, linked information has a pretty clear and common definition that can be summarized as ‘any piece of personal information that can be used to identify an individual’. Like email address, credit card number, date of birth or phone number.

Whereas linkable information is information that on its own may not be able to identify a person. But when combined with another piece of information could identify, trace, or locate a person. Like gender, race or job title. Device IDs, IP Addresses and Cookies are also categorized as linkable information within both GDPR and CCPA. 

Additionally, the CCPA also protects data that can be linked to a particular household, not just an individual.

So, if you collect linked or linkable personal information, these regulations generally apply to you.

Please be aware that Device IDs, IP addresses and Cookies are defined as linkable personal information, and as such PII data.

2. Do all organizations need to comply with CCPA and GDPR?

Between these two regulations, this actually is one of the major differences .

As the EU regulation applies to all companies, organizations and -even- individuals. Whereas the Californian regulation only applies to certain for-profit organizations that meet one or more of the following criteria:

    • Gross annual revenue of ≥25 million USD,
    • Deriving ≥50% of annual revenues from selling personal information,
    • Buying, selling, or receiving personal information of ≥50,000 consumers/households/devices.

The EU regulation applies to any “data processor”, even individuals and non-profits. Whereas the CCPA only applies to for-profit businesses of a very specific type and size.

Other key differences between CCPA and GDPR

Although these regulations are very similar, you need to be aware of some key differences. One if which I have already mentioned:  Who is required to comply?

Other noteworthy distinctions are:

  • Unlike the CCPA, the GDPR covers the regulation of data processors (service providers) and the principles of data processing. As well as specific data security measures and overseas transfers of data
  • And unlike the GDPR, the CCPA requires businesses to publish up-to-date information about their personal information trading practices, which each individual must be able to opt out of. A so-called ‘Do Not Sell My Personal Information’ opt-out.

Furthermore the GDPR requires data controllers to publish a comprehensive Privacy Policy. Whereas the CCPA requires businesses to publish a specific Privacy Policy about their personal information trading practices.

The EU regulation has a strong focus on “processing personal information” in general. Whereas the CCPA specifically regulates “trading practices of personal information”.

Global privacy regulations: increasingly complex

The General Data Protection Regulation in the EU is a pan-European framework for data protection. Each country within the EU can create their own country-specific legislation based on this framework. Examples are: DS-GVO (for Germany) and AVG (for the Netherlands).

Whereas the US currently does not offer such a framework, and legislations are state-specific. So, following the California Consumer Privacy Act (CCPA) several other states introduce new privacy legislation. Like Virginia (VCPA) and Washington (WPA).

Also other countries are likely to create data protection regulations. Like Brasil’s General Data Protection Law (LGDP) will become effective in February 2020, and is very similar to the EU regulation.

So, data privacy regulations will become increasingly complex. Please consult a lawyer or specialized consultant to be sure your website is in full, legal compliance. I also recommend to select a scalable technical solution that works for you/your business, like OneTrust (demo site can be found here).

Additional resources about GDPR and CCPA

Important note
I’m not a lawyer and this blog post does not -in any way- constitute legal advice. However, it does specify some important and required information about GDPR and CCPA. 

Like to learn more about one of my GDPR projects? You can find it here.

Related Articles