| Regulation | GDPR | CCPA |
| Enforcement Date | May 25th, 2018 | Jan 1st, 2020 |
| Who needs to comply | Any Business that collects or processes the data of EU citizens and residents | Any business storing or processing California residents’ information |
| Penalties | Upto 4% of the Company Annual Gross Revenue or 20M euros | $7500 per incident, per person |
| Opt-out Right for Personal Information Sale | GDPR does not include a specific right to opt-out of personal data sales | Must include a “Do not sell my personal information” link in a clear and conspicuous location on a website homepage. Must not request reauthorization to sell a consumer’s personal information for at least 12 months after the person opts-out |
| Children | GDPR default age for consent is 16, although individual member state law may lower the age to no lower than 13 | Children aged 13-16 can directly provide consent. Children under 13 require parental consent. Children’s Online Privacy Act (COPPA) still apply on top of the CCPA’s requirement |
| Right to Disclosure | Data Subjects have a right to access their personal data, including receiving a copy and to obtain certain information about the data controller’s processing | Consumers have a right to request disclosure of their personal information, and to receive additional details regarding the personal information a business collects and its use purposes, including any third parties with which it shares information |
| Right to Deletion/Erase | Data Subjects have the right to request erasure of personal data | A consumer has the right to deletion of personal information a business has collected, subject to certain exceptions |
| Right to Restrict Processing | Right to restrict processing of personal data, under certain circumstances | None, other than right to opt-out of personal information sales |
