
GDPR v. CCPA: What You Need to Know


What is the CCPA? What is the GDPR?

We discuss the difference between the two privacy laws and what they mean for marketers.

General Data Protection Regulation (GDPR)

What is it?

The regulation is a new set of rules from the European Union that are designed to improve individuals’ control over their personal data. The rules replace the 23-year-old Data Protection Directive 95/46/EC, and aim to harmonize data privacy laws across Europe.

GDPR affects organizations located within the EU, but it also applies to organizations located outside of the region if they monitor the behavior of EU data subjects. It applies to all companies processing and holding the personal data of subjects residing in the EU, regardless of the company’s location.

Under the regulation, personal data is defined as any information related to a natural person or “data subject” that can be used to directly or indirectly identify the person. It can be a name, a photo, an email address, bank details, posts on social networking websites, medical information, a computer IP address or a host of other identifiers.

Parental consent will be required to process the personal data of children under the age of 16 for online services.

How are marketers affected?

Organizations need to pay attention to the rules: Violations could lead to fines as high as $24.6 million or 4% of global annual revenue, whichever is larger.

GDPR limits the amount of data that marketers can collect on European consumers, who have more options about what data companies can see about them. Customers must be able to give consent, and implied consent is unacceptable. The consent must be informed, specific, unambiguous and revocable. That means consent may not be within long-winded terms and conditions that use complex legal language. The customer is also given the right to remove their consent at any time.

The type of data collected must be adequate, relevant and limited to what is necessary for the intended purpose of collection. Information may not be used in a way that would be incompatible with the intended purpose for which it was collected. Data may not be shared or transferred to another organization without consent from the person to do so.

Customers also reserve the right to be forgotten, meaning they may request that their personal data be removed from any database or cookie pool. Marketers will need to have processes that can erase collected data should a user submit a request for withdrawal. Users also reserve the right to correct or update any data.

Additionally, the data that an organization obtains from a consenting user must be protected. Any data breaches must be reported within 72 hours to all consumers and respective bodies.

California Consumer Privacy Act (CCPA)

The act, going into effect Jan. 1, 2020, will affect any business collecting or storing data about California residents, giving them more information and control over how their personal information is used. The California Attorney General has until July 2, 2020, to publish regulations.

The CCPA applies to any for-profit entity that does business in the state, collects personal information of California residents (or has information collected on its behalf), determines the purpose and means of processing the information and meets one or more of the criteria:

  • Has annual gross revenue in excess of $25 million, adjusted for inflation.
  • Annually buys, receives for a commercial purpose, sells or shares the personal information of 50,000 or more consumers, households or devices.
  • Derives half or more of its annual revenue from selling consumers’ personal information.

The definition for doing business in California is broad, with the sole exception being when every aspect of commercial conduct occurs wholly outside of the state. California residents are defined as individuals located in California for purposes that are neither temporary nor transitory, as well as those domiciled in California but are outside the state for a temporary or transitory purpose.

Personal information is defined in the CCPA as information that identifies, relates to, describes, is capable of being associated with or could reasonably be directly or indirectly linked with a particular consumer or household. An exception is information that is deidentified or part of aggregate consumer data.

Each individual violation carries a $2,500 penalty if unintentional and $7,500 if intentional. Businesses have 30 days to fix alleged violations after notification of noncompliance. There’s also the potential for class-action lawsuits in the event of a data breach of between $100 and $750 per incident—or greater if the actual damages exceed $750.

How are marketers affected?

An organization needn’t be located in California for the CCPA to apply to it, and an estimated 500,000 U.S. companies will be directly affected. The act does not distinguish between brick-and-mortar and online companies, meaning those without any physical footprint in California that do business with Californians (likely via ecommerce) are obligated to follow the CCPA.

Marketers will likely be incentivized to build their own first-party data, and to consider how they can provide a value exchange between customers and brands to rebuild consumer trust. Brands should give consumers a good reason to share their personal information both in the moment and over time.

Using consumer-consented first-party data, or declared data, can provide a competitive advantage to brands: This information is unique to your organization, unlike third-party data that competitors also have access to. Declared data direct from the consumer is often more accurate and prevents wasting marketing dollars on “cleaning up” third-party data.