Home > Newsroom > European Data Protection Regulation And California Consumer Privacy Act

      European Data Protection Regulation and California Consumer Privacy Act


      This includes the process in which it is obtained, stored, used and, not be forgotten, destructed. For private households this new law came with various advantages, for the companies themselves, it meant a lot of work and restructuring. The more data an organization collected over the years, the more data they have to dig themselves out of now to make sure they comply to new data protection law. On January 1, 2020, the California Consumer Privacy Act (CCPA), a similar law, is going to be introduced in California. This law also exists to protect the consumer and his or her privacy. Therefore, activities to comply with the CCPA will have to start at least 12 months before the implementation of this new law. This is the only way organizations can guarantee they are prepared and operating within the law once January 1, 2020 hits. As data privacy experts, Natuvion has broken down the core differences and similarities the GDPR and CCPA have in definitions, rights and enforcement.


      Key Definitions

      Personal Data/Personal Information

      Both, the GDPR and the CCPA define their “personal data” and “personal information” quite broadly. The GDPR generally only means identified or identifiable individuals while the CCPA also includes households. The GDPR also has a topic for “special categories of data” which means sensitive data like race, sexual preferences, etc. and prohibits processing that data.


      The GDPR and the CCPA are very similar in this point. The personal data of the “Data Subject” can no longer identify the person without the use of additional information that is kept separately. The GDPR allows the data subject itself to provide the additional information which the CCPA completely denies.


      Under the GDPR, children under 16 must have their guardians’ consent while the CCPA has an opt-in requirement for selling personal data. Children under 13 must also have their guardian opt-in for them.


      Research is defined in a very broad manner for the GDPR and the CCPA which allows both of them to act more freely for the public interest. Pseudonymization is important here. Under the GDPR, data collected for such research cannot be used otherwise. Under the CCPA the data collected for a certain research project can be used by the same business that collected the data in the first place.


      Personal Scope

      Compared to the GDPR where businesses, public bodies and institutions as well as not-for-profit organizations are affected, under the CCPA, only for-profit entities are included. Also, for the CCPA it is important to know that you must be a California resident in order to be protected.

      Territorial Scope

      The GDPR applies to all organizations within the EU and also organizations outside the EU if they offer goods and/or services to “data subjects” that are located in the EU. The CCPA on the other hand hasn’t clearly defined their criterium. The law says that it applies to organizations doing business in California with California residents.

      Consumer Rights

      The consumer has the right under both laws to request the deletion of his or her personal data. Furthermore, he or she has the right to know when data is being collected and what it is collected for (specific reason and it can only be used for that reason). The consumer also has the right under both laws to request to get a full report on what personal information an organization holds about them. This data is required to be received in a commonly used and easily usable format. The GDPR and the CCPA allow the consumers to ask the entities to stop processing and selling their information. The CCPA only allows to opt-out of the selling and not the collection of personal data. Under the GDPR it is different as any type of processing of the personal data can be requested to end. The CCPA establishes the right to non-discrimination for the exercise of rights. this menas that a business cannot deny consumers any goods or services, charge them different prices or provide a different level of quality if these consumers requested access or deletion of their personal informationor opted out from selling their personal data to the firm. The GDPR on the other hand does not have a clear point about this in its law.



      The authorities to supervise the application of the law are two different ones with different power as well. For the GDPR it is the national data protection authorities which are also part of the European Data Protection Board. The CCPA is supervised by the California Attorney General. Both laws have monetary penalties in order. For the GDPR the fines are issued by a data protection authority, the fines under the CCPA, however, are issued by a court. These laws are there to protect the consumers privacy and allow individuals and also class or collective actions to be brought against any organization that breaks these laws.


      With the introduction of the CCPA the hope is to strengthen the data protection rights of the residents of California. In the event of intentional breach of the CCPA's privacy obligations, the company must pay a fine of up to $ 7,500. If the company meets the consumer's demands within 30 days, a penalty can be avoided. The European GDPR and the California CCPA have many things in common. Especially the rights of those affected are very similar in the two laws. These provide the largest problem area in the implementation of the laws. Many of the experiences gained through the introduction of the GDPR can thus be partially adapted and reused. The already developed technical solutions can also be used for the CCPA.


      It remains to be seen whether other states will follow the Californian approach or if the US government will develop a uniform data protection system. Do not miss our next article in which we introduce you to the relevant fields of action of the CCPA and their effects and technical realization options in IT system landscapes. Do you have questions or need help with your own privacy project? Then Natuvion is the ideal contact - we are happy to assist and accompany you on your way.

      Related News

      EN_Downloads_SuccessStory_swb ILM

      Jun 28, 2024

      Take the SAP fast route to...

      swb successfully implements SAP ILM with Natuvion expertise

      Read More

      Jun 5, 2024

      Successful divestments with...

      Lanco achieves two complex transformation projects with...

      Read More
      M&A Success with SAP S/4HANA Carve-in

      May 20, 2024

      M&A Success with SAP...

      Supported by Natuvion, AMAG migrates acquired company...

      Read More
      ‘In too many companies, organizational and cultural change is underestimated!’

      May 13, 2024

      ‘In too many companies,...

      Companies that successfully organize all areas of change...

      Read More
      Low-code in cloud product development

      May 8, 2024

      Low-code in cloud product...

      Software development has evolved rapidly in recent years,...

      Read More
      Preparation is key: ensuring an efficient and secure go-live for SAP S/4HANA migration

      Apr 30, 2024

      Preparation is key:...

      The switch to SAP S/4HANA is currently one of the main...

      Read More
      “We need to change the way data gets into systems!”  

      Apr 12, 2024

      “We need to change the way...

      Master data forms the basis of almost all business...

      Read More
      How archiving analyses can assist you in your transformation!

      Mar 27, 2024

      How archiving analyses can...

      In today's evolving system landscapes, strategic and...

      Read More

      Never miss information again. Subscribe to our newsletter!