CCPA vs. GDPR: How California’s Landmark Privacy Law Stacks Up to Its EU Counterpart

January 29, 2020 Mike Toulch

Nearly two years from the introduction of the General Data Protection Regulation (GDPR) in Europe, California has become the first U.S. state to implement a similar legislation: The California Consumer Privacy Act (CCPA). The groundbreaking law, which gained significant legislative momentum on the heels of the Cambridge Analytica scandal and the U.S. congressional hearings on personal information misuse, is designed to protect personal information and data collected by companies. It will, no doubt, have significant implications for corporations and consumers alike. And, given that it applies to all companies wishing to do business in California, it is posed to impact tens of thousands of businesses worldwide. 

The exact compliance expectations and implications of the CCPA are yet to be defined in companion regulations expected to be introduced by the California Attorney General in July. But, given that CCPA and GDPR touch upon many of the same topics, the EU legislation provides a very interesting reference for comparison. Below, we take a look at some of the key features of the CCPA, how they mirror or differ from the GDPR, and what it all might mean for businesses moving forward.  

While both acts seek to protect the personal information of individuals within the territorial jurisdiction, the CCPA applies exclusively to for-profit companies that meet a certain minimum. Therefore, the CCPA is expected to have a far lower impact on small and medium-sized companies than its European counterpart. It also remains to be seen how lawmakers and companies will interpret the scope of “50% of revenues from information sales”. Given early pushback from some companies, that threshold is likely to be a source of ongoing debate the scope of the CCPA’s applicability is likely to be a source of ongoing debate. Despite the law’s current ambiguity, the CCPA does appear clear in its intent to place greater responsibility on companies that have a direct relationship with consumers for their own cybersecurity activities as well as those of their vendors and third-parties across the supply chain




Applies to personal information of California consumers held by for-profit companies that meet the following criteria:

(a) Revenues above $25,000,000

(b) Annual personal information purchase, sale or sharing of at least 50,000 consumers

(c) More than 50% revenues from information sales

[1798.140( c) & (o)]

The GDPR applies to data and personal information of natural persons (individuals) in the EU from data “controllers” and “processors” (businesses and public bodies) [Articles 1-4]


Under both laws, individuals are provided with the fundamental rights to know whether their personal data has been collected by a company, to view it, to object to it being sold (CCPA) or processed (GDPR), and to have it deleted upon request. 





Right to Access Data (collected within the previous 12-months) [1798.100 & 1798.130]

Right to View and Access (all collected data) [Articles 12-15]

Right to Opt Out of the sale of personal information [1798.120]

Right to Object to the processing of data [Article 21]

Right to be Forgotten (with restrictions) [1798.105]

Right to be Forgotten (with restrictions) [Article 17(2)]


Defining what reasonable security measures means will likely be a key challenge for businesses given those same issues with the GDPR’s definition of appropriate information security. One new obligation created by the CCPA is the prevention of discrimination against consumers exercising their rights over their personal information. However, as has been previously noted, ambiguities in the CCPA’s definition of ‘discrimination’ means we likely won’t have a full picture of what forms it might take any time soon.





Duty to comply with “verifiable requests” from consumers within 45 days [1798.130]

Duty to respond to access requests within 30 days [Article 12]

Duty to implement and maintain reasonable security procedures and practices [1798.150]

Duty to implement appropriate technical and organizational measures [Articles 24 & 32]


Duty to appoint of Data Protection Officer [Article 37]

N/A. There is no data breach disclosure obligation, as it already exists under the California Civil Code.

Duty to notify of personal data breach [Articles 33 & 34]

Duty to not discriminate against consumers who exercise their rights under the Act [1798.125]

No such requirement


A key difference between the two laws is the amount that a company could face in fines for non-compliance, as the CCPA’s penalty limits fall well short of what the GDPR has set and already doled out. Whether, and to what extent, that might undermine the CCPA’s effectiveness once enforcement begins remains to be seen, as there is no upper limit on the potential damage a violation might inflict on a company’s reputation.  




Fines for non-compliance with an upper limit of $7,500 for each intentional violation [1798.155]

Fines for non-compliance of up to 20 m Euros or 4% of annual turnover [Articles 82 & 83]

On the whole, the California law does not have as broad a scope as the GDPR and does not appear to have some of the GDPR’s most onerous requirements. However, it is the most extensive privacy law yet to be passed in the U.S. and experts believe that companies looking to trade in California will definitely have to treat consumer data with much more caution. As such, now is as good a time as any for companies to evaluate their cybersecurity system risks, including where companies might be most vulnerable: third-party vendors.   


About the Author

Mike Toulch

Michael Toulch is a CSR Analyst at EcoVadis and a subject matter expert in ethics and regulation. Prior to joining EcoVadis, Michael worked as a litigator in Canada and as a consultant in sustainability policy in Europe.

More Content by Mike Toulch
Previous Article
How Businesses Should All Dare Together for the Only Future We Have
How Businesses Should All Dare Together for the Only Future We Have

Climate crisis has become the defining issue of our time. To get the world back on track we need to act now...

Next Article
How to Measure Sustainability in the Juice Value Chain
How to Measure Sustainability in the Juice Value Chain

Environmental and social aspects have always played an important role for Eckes-Granini, as a family-owned ...


Join Our Newsletter To Stay Up To Date On Sustainable Procurement News

First Name
Last Name
Opt in to receive more information from EcoVadis
Thank you!
Error - something went wrong!