Comparing Privacy Laws: GDPR vs. CCPA & CPRA
Comparing the GDPR with the CCPA and the CPRA
The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have both shaped the modern privacy landscape as we know it. Each privacy law aims to protect personal data, impose strict requirements on businesses that process personal data, and provide rights to individuals for controlling their personal data.
The GDPR is one of the most comprehensive data protection laws in the world, used by several countries in the EU as inspiration to establish their own data protection laws. In the US, the CCPA is one of the most significant and strictest privacy laws, with a vast territorial application due to California being one of the largest global economies. On November 4, 2020, the California Privacy Rights Act (CPRA) amended and extended many of the CCPA’s provisions to establish even stricter requirements for businesses that fall under the law’s scope.
This data privacy and compliance guide, co-authored by Newmeyer & Dillion LLP, aims to help organizations understand and compare the relevant provisions of the CPRA and CCPA vs. the GDPR.
Similarities and Differences of the GDPR with the CCPA and the CPRA
Throughout this guide, there are detailed comparisons of key compliance areas of the GDPR, CCPA, and CPRA, including scope, legal bases, and data controller and data processor obligations, among other things.
Notably, the GDPR and CCPA are similar in many aspects, such as the inclusion of various privacy rights like the right to access and the right to deletion. However, the laws have contrasting provisions when it comes to the scope of application and requirements for limiting the collection of personal information. Other key differences include the GDPR requiring a legal basis for the processing of personal data, whereas the CCPA does not. Additionally, the CCPA sets out requirements for the sale of personal information, requiring that businesses include a visible 'Do Not Sell My Personal Information' link on their websites. The CPRA amends this requirement to include 'Do Not Sell or Share My Personal Information'.
Download the OneTrust DataGuidance report to take a closer look at these similarities and differences and how enforcement provisions, monetary penalties, and critical definitions compare across the GDPR, CCPA, and CPRA.
Further resources for the GDPR v. CCPA & CPRA:
- OneTrust DataGuidance Portal: General Data Protection Regulation
- OneTrust DataGuidance Portal: California Consumer Privacy Act
- OneTrust Blog: What Are the Differences Between CCPA and GDPR and LGPD?