GDPR vs CCPA: The Differences You Need to Know

The European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two essential and well-known regulations designed to protect user data.
However, despite the similarities, there are major differences between them. To help you gain more clarity on GDPR vs CCPA, we will explain the similarities and differences, so you can understand more about how both can help you manage your data.
Table of contents
- GDPR vs CCPA: The Differences You Need to Know
- GDPR vs CCPA comparison
- Type of law
- Location and who has to comply
- What kind of data is covered?
- Transparency and disclosure
- GDPR vs CCPA user rights
- How to opt out
- Age of consent
- Cookies
- Security
- Fines
- Who enforces GDPR and CCPA?
GDPR vs CCPA comparison
Below is a comparison of the topics covered when considering GDPR vs CCPA compliance.
Type of law
The California Consumer Privacy Act is a civil data privacy law giving California residents rights over how their data is collected, used, and shared by businesses. It offers users transparency, access, deletion, and the right to opt out of their data being shared or sold to third parties.
The General Data Protection Regulation governs how companies process the data of people within the European Union. The EU member states can incorporate the GDPR framework and enforce it into their national laws.
The GDPR, therefore, has a broader scope and stricter rules compared to the CCPA.
Location and who has to comply
The GDPR applies to any organization that offers goods or services to customers within the EU and the European Economic Area (EEA), which includes the 27 EU countries plus Iceland, Liechtenstein, and Norway.
Any organization that processes the personal data of people within the EU/EEA must comply with the GDPR, regardless of where the company is located. GDPR applies to businesses, non-profits, and public bodies.
CCPA is more limited; it only applies to organizations that collect personal data about California residents for commercial reasons, or if they sell goods or services to these residents.
Businesses must meet these criteria:
- Makes at least $25 million in gross annual revenue.
- Buys, sells, or receives personal information (PI) about at least 50,000 California consumers, households, or devices for commercial purposes.
- Receives more than 50% of its annual revenue from the sale of personal information.
What kind of data is covered?
Any organization that processes personal data and meets either of these conditions has to comply with GDPR:
- It is based in the EU or EEA.
- It is based outside the EU/EEA but offers goods or services to people in the EU/EEA or monitors their behavior (like tracking or profiling users online).
It doesn’t matter where the company is located—if it handles the data of people in the EU/EEA, it must follow GDPR. This applies to businesses, non-profits, and public bodies.

GDPR covers data that could identify a person, whether it's directly or indirectly. This data includes:
- Names
- Email addresses
- Phone numbers
- IP addresses
- Location
- Genetic or biometric data
- Political or religious views
GDPR excludes data from the following:
- The deceased
- Data processed through non-automated means
- Anonymous data
- Data processed for personal or household purposes
CCPA covers this information about California residents:
- Names
- Emails
- Browsing & purchase history
- Location
- Data linked to household devices
- Data that could be used to create a profile of customers
CCPA excludes the following data:
- Medical information protected under CMIA or HIPAA
- Information collected for clinical trials
- Sale of information to or from consumer reporting agencies
- Information covered by California’s Driver’s Privacy Protection Act
- Data made publicly available from federal, state, or local government records
Transparency and disclosure
GDPR and CCPA regulations both offer transparency regarding user data, but they approach it in different ways.

GDPR requires businesses to be fully transparent about how they collect, use, store, and share personal data. Companies must inform users on how long they retain their data and when they share it with other organizations.
If a customer requests that their data be deleted, the company must confirm the erasure and stop processing the data.
If a company suffers a data breach, it must inform all its customers within 72 hours.
Under the CCPA, businesses must inform users what data was collected and processed about them over the previous 12 months. If the data is shared with a third party, they must also inform users whether they sell a user's personal information to another third party.
The CCPA has a less strict timeline for data breach notification, but a business must respond to a customer’s request about a data breach within 45 days.
GDPR vs CCPA user rights
GDPR includes the following rights for users:
- Right to access personal data
- Right to correct personal data in case of inaccuracy
- Right to delete personal data
- Right to restrict personal data processing
- Right to port data to another controller
- Right to object to personal data processing
- Right to object to automated data processing for decision-making and profiling
Companies must respond to these requests within one month. This can be extended to two months if the request is complex, but the company must have a reason for the extension.

CCPA users have these rights:
- Right to know about and access personal information
- Right to delete personal information if collected from consumers
- Right to opt out of the sale of personal information
- Right to non-discrimination for exercising the CCPA rights
Requests must be responded to within 45 days and can be extended by another 45 days if the company informs the user.
How to opt out
Under GDPR, businesses must ask users to explicitly consent to data collection, and this must be clearly communicated at the first point of interaction. Users can withdraw consent at any time by contacting the provider, which must then stop collecting the user’s data unless it has a strong legal reason to continue.
CCPA requires all businesses to have a “Do not share or sell my personal information” button on their website that links to a page or settings where users can exercise their right to opt out.
Companies must honor an opt-out request within 15 days and must not sell or share that user’s data for at least 12 months.
Age of consent
The age of consent for GDPR vs CCPA is 16 for both parties.
Under GDPR, anyone under 16 must get the consent of their parent or guardian, and the company must verify this consent before the user opts in.
In California, any child under 13 requires parental consent before their data can be sold. Those between 13 and 15 must opt in themselves.
Cookies
Under GDPR, web cookies that are not strictly necessary require prior consent from users before being set, and each cookie needs an explanation of its purpose.
Browsing the site is not considered valid consent; consent must be informed, specific, and freely given.
The CCPA does not require the same consent to use cookies; instead, users opt out through the “Do not share or sell my personal information” button mentioned above, where they can also see how and why the website uses cookies.
Security
Security is one of the main points of emphasis in the GDPR, which requires companies to take the necessary measures to protect user data with technologies such as encryption, pseudonymization, and access controls to prevent data breaches.
Failure to do so will lead to heavy fines.

While the CCPA doesn’t set specific security standards, it does hold the business liable if a data breach happens due to a lack of security protocols. In this case, customers can sue for damages because the company didn't protect their data.
Fines
GDPR fines can vary depending on the nature of the breach, whether it was caused intentionally or by company negligence, previous violations, and how the company cooperated.
- Fines can reach €20 million, or 4% of the company’s annual global turnover, whichever is higher.
- Less severe breaches can reach €10 million, or 2% of global turnover, whichever is higher.
CCPA fines are far lower; the California Attorney General can impose fines of up to $2,500 per violation or $7,500 per intentional violation.
Who enforces GDPR and CCPA?
The GDPR is enforced by independent data protection authorities (DPAs) in each EU member state. Each country appoints a supervisory authority responsible for monitoring compliance, investigating complaints, and issuing fines.
For example, Spain, where Internxt is based, has the Spanish Data Protection Agency (AEPD) as its supervisory authority. Examples from other countries are:
- Ireland: Data Protection Commission (DPC)
- France: Commission Nationale de l'Informatique et des Libertés (CNIL)
- Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI)
- Netherlands: Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
- Italy: Italian Data Protection Authority (Garante per la Protezione dei Dati Personali)
The CCPA works with the California Attorney General, and both parties have full administrative authority to investigate, audit, and enforce CCPA compliance.
Gain GDPR compliance with Internxt
Internxt can help your business gain GDPR compliance with its zero-knowledge encrypted cloud storage.
Based in Spain, Internxt follows GDPR and offers cloud storage with the most advanced security measures to protect user data, including:
- Post-quantum encryption
- Secure file sharing
- Encrypted backups
- 2FA
- Access logs
Business plans start at just €6.99 per user.

Internxt also offers S3 storage for organizations that need hot cloud storage to store large amounts of data.
These plans cost just €7 a month, and as there are no ingress or egress fees, you could save up to 80% with Internxt compared to AWS, Azure, or Google Cloud.
Visit our website or get in touch with our sales team for more information on how we can help your company gain GDPR compliant cloud storage.
Frequently asked questions
How is CCPA different from GDPR?
CCPA only focuses on consumer rights related to the sale of personal data in California. GDPR covers broader data protection rules across the EU with stronger consent and privacy requirements.
Is CCPA stricter than GDPR?
GDPR is generally considered stricter due to its comprehensive scope, stronger consent rules, and higher fines than CCPA.
CCPA vs GDPR: Which is better?
GDPR is better if you want stronger privacy protections overall, while CCPA provides specific rights for California residents and focuses on data sales transparency.
What is GDPR compliance?
GDPR compliance means a company follows the EU’s data protection rules, including obtaining valid consent, protecting data, respecting user rights, and reporting data breaches promptly.
What is CCPA compliance?
CCPA compliance means a business honors California residents’ rights to know, access, delete, and opt out of the sale of their personal information.