In the last few years, the number and size of data breaches have inspired governments to pass data privacy regulations to protect their citizens.  These laws enforce minimum security standards for organizations holding customers’ personal data and protect the rights of individual citizens regarding what data is collected, why that data is collected, how it is used, and to who it is transferred. Additionally, these rules allow regulators to impose fines for non-compliance.

The European Union’s (EU) General Data Privacy Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two of the most well-known data privacy regulations. In this post comparing GDPR and CCPA, we’ll explore the scope, financial penalties, and consumer rights of both sets of regulations.

What is GDPR?

GDPR is a piece of EU legislation designed to improve the privacy of its citizens.  It went into effect May 25, 2018, and is notable since it significantly increased the types of data protected, the requirements for protecting them, and the penalties for failing to do so as compared to previous legislation.

What is CCPA?

CCPA is a comprehensive state statute intended to enhance consumer protection and privacy rights for California residents. The bill was passed by the California State Legislature and signed into law on June 28, 2018. The legislation took effect on January 1, 2020. The CCPA provides California residents unparalleled data privacy rights as far as US states are concerned.

How do GDPR and CCPA Differ?

While GDPR and CCPA are both designed to protect the personal data of their constituents, certain aspects of the two can vary greatly.  Achieving compliance with both regulations requires an understanding of how the two are the same and how they differ.

Scope of Regulation

One of the biggest differences between GDPR and CCPA is scope. While both regulations can affect organizations headquartered outside their jurisdiction, the threshold for qualifying for a given regulation differs greatly.

Under CCPA, a for-profit organization must do business in California and needs to meet one of the following three criteria to be required to comply with the regulation:

  • More than $250 million in gross revenue
  • Annually handles data of more than 50,000 consumers, households, or devices for commercial processes
  • More than half of its annual revenue comes from selling consumers' personal information

Under GDPR, however, any organization based in or outside the EU and processes EU citizen’s data to monitor them or offer them goods or services is covered by the regulation.

The main differences in regulatory scope are the lack of thresholds in GDPR and CCPA covering consumers, households, or devices. An organization may have identical operations in the EU and in California and be liable under one regulation and not the other.

Financial Penalties

While both GDPR and CCPA levy penalties for non-compliance, they handle the process very differently. These differences lie in what constitutes a violation and how the penalty will be calculated.

Under CCPA, regulatory penalties are applied after a 30 day grace period from notification of non-compliance or once a breach has occurred. Additionally, civil penalties may be brought by individual citizens after a data breach has occurred. GDPR regulators, on the other hand, can apply penalties if an organization is non-compliant with the regulation even if no incident has occurred.  The differences allow GDPR regulators to be more proactive about handling potential incidents but allows individual California residents to file suit for damages caused by a breach.

GDPR penalties are applied per incident and are capped at $20 million Euros or four percent of an organization’s global revenue, allowing regulators a fair amount of flexibility in levying fines for non-compliance or a breach. CCPA fines are uncapped and applied per violation, with a maximum fine of $7,500 per record violation (if the violation was intentional).

Rights of Data Subjects

Both GDPR and CCPA provide certain rights to data subjects regarding how their data can be handled and processed by an organization under the regulation. This includes the right to know what information is collected, the right to access that data, and the right to know with whom the data has been shared, transferred, or sold.

While many of these rights are similar, there are some significant differences.

One major difference is the fact that GDPR provides a data subject with several different rights that are not provided under CCPA. These include the consumer’s right to do the following:

  • Correct inaccurate or incomplete personal data
  • Restrict the use of personal data under set circumstances
  • Object to the processing of personal data for certain purposes
  • Object to automated decision making

In contrast, the CCPA provides data subjects with the right to object to the sale of their personal data to a third party. The same right is not explicitly given under GDPR.

GDPR and CCPA also provide data subjects with multiple rights that are similar in intention but differ in specific execution, requirements, etc. In general, one regulation is more permissive than the other or has fewer requirements for the request to be valid. In most cases, complying with the version that gives the data subject more rights achieves compliance with both regulations.

Comparing GDPR and CCPA

The GDPR and CCPA regulations are similar in intent but very different in execution. The table below summarizes some of the major differences between the two laws:

Scope of Regulation


- Organization within the EU
- Organization processing EU citizen Data


- Doing business in California

- One of :

  • More than $250 million in gross revenue
  • Annually handles data of over 50,000 consumers, households, or devices for commercial processes
  • More than half of its annual revenue comes from selling consumer’s personal information

Financial Penalties


- Cap of 20 million Euros or 4% of global revenue per incident

- Half that for non-compliance that doesn’t lead to a breach


- Regulatory fines of up to $7,500 per intentional violation and $2,500 per non-intentional violation with no total cap

- Support for civil lawsuits

Rights of Data Subjects


- Correct inaccurate or incomplete personal data

- Restrict the use of personal data under set circumstances

- Object to the processing of personal data for certain purposes

- Object to automated decision making


- Right to object to the sale of their personal data to a third party

Beyond California: State Data Protection Laws

While California is the US state with the most well-known data protection law, it is far from being the only one. Currently, all 50 US states and Puerto Rico have data breach notification laws, but they are in varying stages of the process of passing actual data protection laws.

State Law Passed Effective
Alabama Alabama Data Breach Notification Act 3/28/2018 6/1/2018
Alaska Alaska Personal Information Privacy Act 2007/2008 7/1/2009
Arizona Arizona House Bill 2145 4/11/2018 4/11/2018
California California Consumer Privacy Act (CCPA) 6/28/2018 1/1/2020
Colorado Protections for Consumer Data Privacy Act 5/29/2018 9/1/2018
Louisiana Louisiana ACT No. 382 5/25/2018 8/1/2018
Maine An Act to Protect the Privacy of Online Consumer Information 6/7/2019 7/1/2020
Massachusetts Bill H.4806 1/10/2019 4/11/2019
Nevada Senate Bill 220 5/30/2019 10/1/2019
New Jersey An ACT concerning disclosure of breaches of security and amending P.L.2005, c.226 (S. 51) 5/10/2019 7/1/2019
New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act 7/25/2019 3/21/2020
Oregon Oregon Senate Bill 1551 3/16/2018 6/2/2018

The table lists the relevant legislation for US states that currently have data protection laws in place.  These laws vary in scope and applicability (i.e. Maine’s law only applies to ISPs) but they are intended to provide general data privacy protections and/or data breach notification requirements.

This list does not include states or laws focused on certain types of sensitive data.  For example, many more states have explicit laws providing for the protection of medical data by healthcare providers.

While the list of states that have already passed legislation is short, many other states are currently in the process of doing so.  As of the end of 2019, the following states had pending legislation related to data protection.

  • Illinois
  • Massachusetts
  • Minnesota
  • Pennsylvania
  • Rhode Island
  • South Carolina
  • Vermont
  • Washington

Finally, a few states have passed laws creating a task force or setting up a legislative study regarding a potential data protection regulation.  These include:

  • Connecticut
  • Hawaii
  • Louisiana
  • North Dakota
  • Texas

While many of these state-level data protection regulations have similar intentions, they vary dramatically in the details.  The International Association of Privacy Professionals provides a comparison of some of the main properties of each state's data privacy law.

The wide variations in regulatory requirements and the increasing complexity of the data protection landscape drove 51 tech CEOs to write an open letter to Congress requesting a federal data protection law.  The goal was a single law that would supersede the collection of state laws and bring consistent data privacy protections and requirements to the entirety of the US.

Achieving Regulatory Compliance

This article covers the biggest differences between GDPR and CCPA, but numerous smaller differences and other regulations exist as well.  When attempting to achieve compliance with these regulations, these details and their impacts on the security controls that an organization must have in place can be complicated.  

Avertium has experts in data protection regulations to help you to understand the regulations and how to achieve compliance in your organization’s unique situation.  Reach out today for a consultation.


Chat With One of Our Experts

Compliance Consumer Privacy CCPA GDPR healthcare Data Privacy GRC Government, risk, and compliance Blog