What is GDPR?

GDPR is a comprehensive law governing data privacy and security in Europe. The GDPR entered into force in 2016. It applies not only to organizations in the European Union but to organizations anywhere with ties to European Union businesses and/or citizens.

GDPR’s goal is to empower citizens by giving them more control over their personal data and how it is used. Under GDPR, businesses may only gather customers’ personal data under strict, legal conditions. They are also legally responsible for protecting that data and potentially face penalties if customers’ personal data is lost or stolen. As challenging as these penalties can be, they pale in comparison to the reputational damage and loss of customer trust such a breach can create.

Personal data, as defined under GDPR, can include a person’s name, address (physical or IP), genetic data, photos, biometric data, and much more.

What about the CCPA?

The CCPA first came into effect January 1, 2020, and provides comprehensive data privacy rights for California residents.

Under the CCPA, California residents have the right to:

  • Know what personal information is being collected, shared, used, or sold
  • Delete personal information held by businesses and their service providers
  • Opt-out of the sale of any personal information
  • Non-discrimination – regarding price or service – when exercising their privacy rights under the CCPA

The California Attorney General’s office began enforcing the CCPA on July 1, 2020. It applies to for-profit businesses in California, or doing business in California, that meet any of the following requirements:

  • Exceed gross annual revenues of $25 million, or
  • Buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices, or
  • Derive 50% or more of annual revenues from selling California residents’ personal information.

Under the CCPA, this personal information can be any information that identifies, relates to, or could reasonably be linked with an individual or their household.

It’s also important to note that charities, non-profits, and government agencies are exempt from the CCPA. Read more about the CCPA in our CCPA compliance guide.

Understanding the similarities and differences between the GDPR and the CCPA

GDPR and the CCPA were created with many similar goals in mind. Both were designed to:

  • Encourage transparency among eligible businesses
  • Protect people’s personal information
  • Formally define data processing

However, while they share these objectives, they carry out their mission in very different ways.

Key differences include:

Application of the GDPR vs application of the CCPA

As discussed earlier, the CCPA applies to companies that:

  • Exceed gross annual revenues of $25 million, or
  • Buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices, or
  • Derive 50% or more of annual revenues from selling California residents’ personal information.

GDPR, however, has a much broader scope and applies to any and all organizations processing the personal data of applicable European citizens or residents. This is true even if the organization exists outside the European Union.

Like the CCPA, GDPR regulation does not apply to government agencies and law enforcement. GDPR also does not apply to the processing of applicable data by member states in conjunction with Chapter 2, Title V, of the Treaty on European Union.

Consent under the GDPR vs consent under the CCPA

While both laws empower consumers through consent, the CCPA requires consumers to opt out of sharing their personal information. If the consumer fails to do so, the business has the right to sell that data.

Under GDPR, however, businesses must demonstrate a lawful reason to process the information in order to maintain compliance. These lawful reasons could be any of:

  • Consent
  • Contract
  • Protection for vital interests
  • Legal obligation
  • Public task
  • Legitimate interest

Without one of these six lawful bases, businesses have no right to process the information under GDPR.

Individual rights under the GDPR vs under the CCPA

In addition to consent, citizens have a number of protected rights under the CCPA and GDPR. The CCPA gives citizens the right to:

  • Data portability
  • Access their data
  • Deletion
  • Request information
  • Opt-out of sale
  • Disclosure
GDPR protects residents with an even longer list of rights that includes the right to:

  • Access
  • Erasure
  • Data portability
  • Make decisions surrounding automated profiling and decision making
  • Be informed
  • Rectification
  • Restrict processing and even object

Penalties

While both laws are enforced through financial penalties, they do so in different ways.

Failure to comply with the CCPA could see an organization subject to a $2,500 penalty for each violation. If the violation is judged to be intentional, however, the penalty may be increased to $7,500 per violation.

GDPR, meanwhile, handles penalties on a percentage basis depending on the violation. Smaller violations could see companies pay fines of 10 million Euro or 2% of their global annual turnover, whichever is greater. A more severe infraction could see the fines climb to 20 million Euro or 4% of annual turnover; once again, the greater number applies.

How Siteimprove can help you achieve CCPA and GDPR compliance

Maintaining compliance with CCPA and/or GDPR regulations requires consistent review and vigilance. Siteimprove’s Data Privacy tool can help by scanning your public-facing website for personal data, allowing you to remove instances of non-compliant data. As contributors come and go in your organization, Siteimprove’s review ensures their contributions to your public-facing website, such as blogs, metadata, or web pages, are recognized and handled in a compliant manner.

GDPR vs CCPA frequently asked questions

Below are answers to some common questions companies have regarding their CCPA and GDPR obligations.

If my company is US-based but part of my consumer base is in Europe, do I have to deal with GDPR?

Yes. GDPR protects the data of European citizens, so if you do business with citizens living in a European Union country covered by GDPR, and your company does not meet any of the exemptions described earlier, then those transactions are subject to GDPR regulation.

If my company is EU-based but part of my customer base is in the USA, do I have to deal with the CCPA?

If you do business in California, or if any customer is a California resident, and your business is not a non-profit, charity, or government agency, you will be subject to CCPA regulation.