CCPA vs GDPR – What You Should Know as a Marketer

An image for the California Consumer Privacy Act (CCPA) with the state shape as a bardcode with a padlock overlayed on top
Headshot of Joe Cha, Marketing Director at Roqad
By: Joe Cha

Depending on where you operate in the world, there are different laws to obey. It’s the same story with privacy rights. In the European Union, you have to stick to a set of regulations called GDPR (General Data Protection Regulation). And when you want to sell products and services in California – you have to act according to CCPA, which stands for the California Consumer Privacy Act. In this article, we are going to examine what marketers need to know about this act and how it differs from GDPR.

CCPA was introduced in the State of California back in 2018 to enhance privacy rights and consumer protection for all of its residents. And the first thing you have to know about it is that only California residents have rights under the CCPA and no one else. If you are interested in the content of this act, you can view it online.

Generally speaking, the California Consumer Privacy Act gives consumers more control over their personal information. Additionally, CCPA provides information on how this legal act ought to be implemented and by whom (we’ll talk about that in a few moments).

Crucial Consumer Rights Under CCPA

There are four fundamental rights that every California consumer can exercise if needed:

  1. The right to know about the personal information businesses in California collect about them and how it’s used.
  2. The right to delete personal information collected from them (with some exceptions);
  3. The right to opt-out of the sale of their personal information; and
  4. The right to non-discrimination for exercising their CCPA rights.

Moreover, businesses must provide transparent information about these issues and offer them the possibility to opt out. But there’s more. Any California resident can ask a given company to disclose personal information about them, inform what they do with it, and even delete it if they feel necessary. Each consumer also has the right to know what kinds of personal data a specific company gathers and processes.

Return to Top

What Constitutes Personal Information in CCPA

In general, it’s everything that can identify you (or your household) as a specific person. We deal with personal data even when a given piece of information can be related or linked to a specific customer. So in practice, personal data, as CCPA understands it, involves the following:

  • Full name
  • SSN (social security number)
  • Email address
  • Fingerprints
  • Geo-location data

It’s also personal information if it could be used to create a detailed profile about your preferences and characteristics. On the other hand, everything that’s publicly available from federal or local records does not constitute personal information under CCPA.

Return to Top

Who Needs to Obey CCPA

CCPA is very specific about what kinds of companies and organizations need to stick to it. It applies to all the businesses operating in California that:

  • Have a gross annual revenue of over 25 million USD
  • Buy, process, or sell any personal data of at least 50,000 California residents, households, or devices
  • Derive 50% or more of their annual revenue from selling California residents’ personal data

If your company meets at least one of these conditions, you need to operate under CCPA.

Unlike many other data privacy and security statutes, the CCPA also carves out from
most or all of its provisions:

  • Non-profits that do not operate for “profit or financial benefit.”
  • Financial institutions that are regulated under the Gramm-Leach-Bliley Act.
  • Consumer reporting agencies that are regulated under the Fair Credit Reporting Act.
  • Health care providers that are regulated by the Health Insurance Portability and Accountability Act
Return to Top

Data Breaches in CCPA

Of course, a data breach can happen at any time. However, consumers cannot use any data breach to sue a company. There is a whole list of conditions that need to be met. Consumers can file a lawsuit only if their full name was stolen in combination with their (at least one):

  • Unique identification number (e.g., SSN number, driver’s license number, passport number)
  • Financial account number/credit card data
  • Medical/health/insurance information
  • Biometric data

Furthermore, all of that information must have been stolen in a non-encrypted and non-redacted form. All in all, it’s rather unlikely for such a massive and uncontrolled data breach to happen.

Return to Top

The Right to Opt-Out

We understand the request to stop selling your personal information by this short term. There are some exceptions, but once a company receives such a request from you, they need to stop selling it immediately (of course, unless you authorize them to do so again in the future). With regard to this law, businesses operating in California need to provide a transparent “Do not sell my personal information” link directly on their website. It has to contain a form enabling any person to submit (unconditionally) an opt-out request.

If you want to know more about CCPA, take a look at this government website. Lastly, let’s take a closer look at the difference between CCPA and GDPR. There are some important points that need to be discussed.

Return to Top

The Difference Between CCPA and GDPR

If you’ve never heard of GDPR, that means you live and work outside the European Union. The General Data Protection Regulation was introduced back in 2016, and it is a legal framework that sets guidelines and regulations concerning processing personal data coming from individuals living and working in the European Union.

When compared to CCPA, GDPR is a much more complex and broader privacy protection law. In short, the main rule in GDPR is called “privacy by default,” and it means that for a company to process personal data, it needs to have prior consent from a specific person. Under GDPR, Europeans have a whole range of rights, including the right to access, erase, and modify their personal information. Furthermore, they almost always have the right to withdraw their consent to process personal data. CCPA is, without a doubt, a more specific law.

Let’s go further. GDPR provides six legal reasons to process personal data, whereas CCPA doesn’t give any. This means that businesses in California can process personal data however way they want and for whatever they want. All they have to do is provide the opt-out procedure.

Secondly, GDPR protects any consumer who is in the European Union at the time of collection or processing (they don’t have to be residents of the EU). On the other hand, CCPA only protects California residents.

Another difference – CCPA deals with personal information that identifies, relates to, describes, or links with a consumer or household. GDPR deals with any personal data of an individual but does not include households. Only anonymized data is exempt.

And the last thing that is worth mentioning is penalties. Both legal acts have some penalties for practices that go against their guidelines. However, the European regulation is much more strict here. The penalty can go up to 4% of the company’s global annual turnover. When it comes to CCPA, there is a maximum penalty of just 2,500 USD per violation (or 7,500 USD in case of international breaches).

Thank you for reading. If you have any questions about CCPA, GDPR, identity graphs or data onboarding, you can find me at LinkedIn.

Return to Top
Headshot of Joe Cha, Marketing Director at Roqad

About The Author
Joe Cha

Joe Cha is a marketing director with Roqad.

He has created content marketing projects for machine learning / artificial intelligence companies for the last 3 years. He previously served as content lead for fraud prevention ML company Nethone, which raised Series A and was named one of the fastest-growing companies in Central Europe by Deloitte.   

Stay in the Know

Get news, resources and updates about events happening in the world of digital advertising.