California CCPA

How GDPR compares to California CCPA

First, we had Safe Harbour and the EU Data Directive, now we have GDPR and Privacy Shield, so who is the new guy on the block?

The US or at least a large part of it is catching up, GDPR came into full force on the 25th May 2018 ……. Hot on its heels, legislation was passed in California on June 29th 2018 governing data held on California residents. This piece of legislation is called the California Consumer Privacy Act 2018 (AB 375) and will come into force on the 1st January 2020, watch this space closely for other states to follow suit.

How does CCPA compare to GDPR?

CCPS doesn’t go quite as far as GDPR and therefore isn’t quite as stringent as Privacy Shield, however it is a step in the right direction.

The following table summarise some of the key differences:

Who does it apply to Any entity which operates for-profit or financial benefit of shareholders, that process personal data of California residents and either:

1. Have $25 million in annual revenue

2. Hold the personal data of 50,000 people, households, or devices

3. Derive at least 50% of their revenue in the sale of personal data

Any organisation holding personal data on EU citizens
When does it come into force Jan 1, 2020 May 25, 2018
Rights for individuals Right to disclosure and objection relating to who data is being sold to, no discrimination if individual objects to data sold.

Right of access to data being held.

Right to know how personal data is being used.

Right to know who data has been provided to.

Access to data being held, right to erasure, correction, object to automated processing.

Right to notification if there is a data breach.

Basis for consent Opt out Opt in
Consent Mechanisms Requirement to provide a conspicuous link on the website titled – “Do Not Sell My Personal Information”. All consent to use personal data for marketing must have granular, clear, unbundled consent via explicit opt in.
Marketing Consent Time Limits 12 Months until the opt out expires. No time limit.
Making request to a controller Mandates at least two channels, including a toll-free number and a website address if available. Requests may be made by any mechanism and to any channel, or employee (including nominal employee).
Restrictions on access requests Information shall not be required to be provided more than twice in 12-month period. Where requests are repetitive in nature or manifestly deemed to be a nuisance.
Time allowed to respond to a request 45 days with an extension if notified to the individual within the initial 45 days, the maximum extension is 90 additional days. 1 month and an extension to 90 days from first request.
Costs Free unless, manifestly unfounded or excessive, in particular because of their repetitive character. Free unless, manifestly unfounded or excessive, in particular because of their repetitive character.
Provision of data Through the user account if such an account exists, or by mail or electronically at the choice of the consumer. Electronically if requested electronically.
Discrimination Clauses around denial of services Explicit within the CCPA. Implicit relating to not bundling consent within T+C’s or binding it into a contract.
Financial Penalties $7,500 per violation. Minimum $100 to maximum $750 or actual damages for each individual, whichever is greater. Up to 4% of turnover or €20m (whichever is greater)


2% of turnover or €10m (whichever is greater)

Depending on the violation.

Retention of personal data Not addressed. For no longer than necessary pursuant to the purposes for which it was collected.
Documentation and Record Keeping Not addressed. Mandatory for organisations processing data on a ‘large’ scale and or have 250+ employees.

Contact us

If you would like to know more about how GDPR Auditing can help your organisation with the GDPR please contact us at or visit our contacts page.

The information provided in this post is for general information only and is not intended to provide legal advice.

© GDPR Auditing 2018.