Comparing GDPR and CCPA


The GDPR in Europe was one of the first major data privacy regulations to be implemented in recent times, followed closely by the CCPA in the United States. And since its enforcement, GDPR has been seen as the “gold standard” when it comes to data protection regulations. However, it is important to remember that each privacy regulation has differences in areas such as what and who is protected and that they are not equivalent to each other in all areas. Let’s take a look at these first two regulations, GDPR and CCPA, and you will see that while they follow a similar framework, there are some significant differences between the two. So how do they compare, and what do organisations need to do to make sure that they are compliant with the nuances between various regulations?

GDPR and CCPA: A Top-Level Overview

GDPR and CCPA are both privacy regulations that dictate how personal data should be handled by businesses and organisations. These regulations require organisations to have visibility into what data they possess and where it is located, and they give consumers more say over how their data is used.

  •  GDPR

GDPR was the first major data privacy regulation to be introduced, coming into effect on May 25th, 2018, and has since driven the emergence of various data protection regulations globally. It was designed to standardise data protection laws in place across the EU member countries and introduced guidance including how customer data should be stored, as well as how companies must respond in the event of a data breach. Under GDPR, EU citizens have rights over their personal data, which include:

  •  The “right of access” – Data subjects have the right to obtain confirmation from the data controller as to whether their personal data is being processed and, if it is, to access that information.
  •  The “right to rectification” – Data subjects have the right to have their data corrected if it is inaccurate and the ability to add to it if it is incomplete.
  •  The “right to erasure (‘right to be forgotten’)” – Data subjects have the right to request that some or all personal data held about them be erased.
  •  The “right to restriction of processing” – Data subjects have the right to prevent the processing of their personal data.
  •  The “right to data portability” – Data subjects have the right to receive their personal data in a machine-readable format and the right to transmit that data without hindrance from the previous source.
  •  The “right to object” – Data subjects have the right to object to the processing of their personal data or stop the processing of their personal data.


  •  CCPA

Following in the footsteps of the EU’s implementation of GDPR, California was the first state in the United States to pass its own privacy regulation, the California Consumer Privacy Act (CCPA), which came into effect on January 1st, 2020. The CCPA gives consumers more control over the personal information that businesses collect about them, and gives California residents rights when it comes to their data, including:

  •  The “right to know” – Residents can request an organisation disclose what personal information about them the organisation has used, shared, or stored, and why. The organisation must provide this information within 12 months of the request and must do so at no charge to the resident.
  •  The “right to delete” – Residents may request that an organisation delete collected personal information and have its service providers do the same. However, there are exceptions that allow organisations to keep personal data including, but not limited to, security practices, legal obligations or claims, and types of information exempt from the CCPA, such as consumer credit reporting information.
  •  The “right to opt out” – Residents may request that organisations stop selling their personal information. After the request has been received, an organisation may not sell the resident’s information unless the resident authorises them to do so again.
  •  The “right to non-discrimination” – Organisations cannot deny goods or services, charge different prices, or provide a different quality of goods or services just because a resident exercised their rights under the CCPA. However, if the business needs personal information to provide goods or services, the business may not be able to complete the transaction.


Now that we have a better base idea of some of the elements these regulations entail, let’s take a look at how they compare side by side:

Using Data Classification for Regulatory Compliance

Data classification uses visual labelling alongside customised metadata to protect data and control its use. In addition, metadata applied to documents enhances the performance of downstream security solutions, such as DLP and DRM, which use the metadata properties to determine how a piece of data should be treated, handled, stored, and if necessary, disposed of.

Both GDPR and CCPA allow data subjects the right to obtain access to the personal data an organisation holds on them, as well as the right to request that their information be deleted at any given time. By identifying and classifying data into appropriate categories, organisations have more control, making data easier to locate and retrieve, which is of particular importance when it comes to risk management, compliance, and data security.

Regulations, legislation, and compliance are some of the biggest challenges impacting data security within organisations today. In order for an organisation’s data to be secure, and compliant with regulations, all data needs to be identified, categorised, and protected. Having data classified means you know where it is at all times, who is accessing it, and can mitigate the damage of a potential data breach within the allotted time.

Gartner predicts that by the end of 2023, modern privacy laws will cover the personal information of 75% of the world’s population. In order to prepare your data for future regulations, Gartner recommends standardizing security operations using GDPR as a base, and then adjusting for individual jurisdictions. Enza Iannopollo, principal analyst at Forrester, echoes this, saying that while all regulations have their own unique details, GDPR is still the reference point for organisations to follow when it comes to best practice data protection. Enza explains that if an organisation has developed these best practices in relation to GDPR requirements, going forward this will significantly ease the challenge of meeting compliance requirements with other current and upcoming privacy regulations.

While starting your regulatory compliance journey by following the requirements for GDPR is very helpful when it comes to preparing to be compliant with other data privacy regulations, such as the CCPA, it is equally important to know exactly what the nuances are of other regulations, and how they compare to what you already have in place, to avoid a costly mistake. While the GDPR laid the groundwork for data privacy regulations, remember that it is just one of many privacy regulations organisations are bound to adhere to in today’s data-centric world.