California’s Consumer Protection Act in many ways looks like the General Data Protection Regulation, but there are some significant differences. Darren Wray provides a handy guide to understanding how the two pieces of legislation differ from each other.

When GDPR first became law in 2018, it was seen as the gold standard in data protection. Many legislatures around the world sat up and took notice, not least of which was California.

The Golden State went on to create its own data protection regulations as enshrined in the California Consumer Protection Act (CCPA), which was enforced in July 2020. Although similar to GDPR in many ways, there are significant differences that organisations looking to operate in the state need to take note of.

Rights and scope of the CCPA

While initially focused on consumers, from January 2021 the CCPA will also cover employees. There are five rights granted by the CCPA, where Californians have the right to:

  • Know what personal information is being collected about them.
  • Know whether their personal information is sold or disclosed and to whom.
  • Say no to the sale of personal information.
  • Access their personal information.
  • Equal service and price, even if they exercise their privacy rights.

In terms of scope, while the GDPR applies to any organisation wherever they are based and handling data of EU citizens and residents, only businesses based in California need to comply with the CCPA; further, these businesses are only liable under the CCPA if they fall under any of the following three criteria:

  • An annual gross revenue excess exceeding $25 million.
  • Buys or receives for commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices annually.
  • Makes 50 percent or more of its annual revenues from selling consumers’ personal information.

Larger companies are clearly in the sights of the CCPA regulators, so smaller businesses are likely to avoid the expense of having to comply. The exception is those businesses that specialise in selling data, as these will be subject to the regulations regardless of their size.

Another area where the CCPA deviates from the GDPR is that it only applies to Californian residents that have lived in the state long enough to pay tax.

Time differences

The first difference in timings to note between the two regulations is that the CCPA only applies to information from the last 12 months, making it straightforward for businesses to find the relevant data. Conversely, there is no time limit on information under the GDPR, meaning businesses can be left with a huge task when finding information on a long-standing customer or employee.

Where the two are similar is the length of time businesses must respond to any data request. The CCPA grants businesses 45 days, which can be extended by a further 45 days provided the person that made the request is notified. Although the GDPR initially only requires one calendar month for response, this can be extended to three months, making it comparable with the CCPA.


Another significant area of difference between the GDPR and the CCPA is how penalties are handled. Under the GDPR, an organisation that has been found to breach the regulations is given a simple fine of either up to €20 million, or four percent of its worldwide annual revenue from the preceding financial year.

The penalties set out by the CCPA are a little more complex. If unencrypted or non-redacted personal data is breached there are recovery damages, injunctive or declaratory relief and any other relief the court deems proper. The recovery damages are between $100 and $750 per consumer, per incident or the actual damages, whichever is the greater.

These recovery damages can be incredibly large as there is no upper limit. For instance, a firm with the minimum of 50,000 records necessary for the CCPA could be liable for anywhere between $5 million and $37.5 million.

Further, as the damages go directly back to the injured consumer, this is likely to persuade them to pursue legal action.

When the CCPA becomes the CPRA

There are many ways in which the CCPA falls short of offering the same sort of protections the GDPR provides.  For instance, there is a loophole in the CCPA that enables businesses to share personal data even if the consumer has asked for it not to be.

The ‘watering down’ of the CCPA was a result of political horse-trading, which law makers are now seeking to put right with the forthcoming California Privacy Rights Act (CPRA). This will include greater consumer protections mirroring those of the GDPR. In fact, it is likely that if businesses comply with one of the legislations, they will be covered in both.

The CPRA was approved in November and while it is not expected to become law until January 2023, California-based businesses will need to start showing compliance in 2022.

How to ensure compliance with the CCPA and the CPRA

Due to the potential of being landed with a very large fine, any business that falls under the remit of the CCPA and the CPRA need to ensure they are compliant. To do this, businesses must complete the following actions:

  • Understand/map where the personal information is held so that it can be reported upon.
  • Have a data privacy and protection policy that is appropriate to the use(s) and the consumer(s).
  • Ensure that staff have appropriate training and awareness of the CCPA and the CPRA, and the rights provided to the consumer.
  • Ensure that there are adequate and free methods for consumers to exercise their rights, such as via their website.
  • Ensure that they have implemented and are maintaining adequate security.
  • Ensure that they have automated redaction tools to ensure they don’t cause an unwitting data breach when fulfilling a right of access request.

Businesses operating in California or looking to do so in future would be wise to ensure they meet the regulations set out by the CCPA and the CPRA. Fortunately, those that already meet the standards set out by the GDPR are covered due to the stricter nature of the regulations.

Darren Wray, Chief Technology Officer at Guardum