CCPA vs GDPR
|Enforcement Date||May 25th, 2018||Jan 1st, 2020|
|Who needs to comply||Any business that collects or processes the data of EU citizens and residents||Any business storing or processing california residents information|
|Penalties||Upto 4% of the company annual gross revenue or 20M euros||$7500 per incident, per person|
|Opt-out Right for Personal Information Sale||GDPR does not include a specific right to opt-out of personal data sales||Businesses must enable and comply with a consumer’s request to opt-out of sale of personal information to third parties, subject to certain defences.
Must include a “Do not sell my personal information” link in a clear and conspicuous location on a website homepage.
Must not request reauthorization to sell a consumer’s personal information for at least 12 months after the person opts-out
|Children||GDPR default age for consent is 16, although individual member state law may lower the age to no lower than 13.||CCPA prohibits selling personal information of a consumer under 16 without consent.
Children aged 13-16 can directly provide consent. Children under 13 require parental consent.
Children’s Online Privacy Act (COPPA) still apply on top of the CCPA’s requirement
|Right to Disclosure||Data Subjects have a right to access their personal data, including receiving a copy and to obtain certain information about the data controller’s processing||Consumers have a right to request disclosure of their personal information, and to receive additional details regarding the personal information a business collects and its use purposes, including any third parties with which it shares information|
|Right to Deletion/Erase||Data Subjects have the right to request erasure of personal data||A consumer has the right to deletion of personal information a business has collected, subject to certain exceptions|
|Right to Restrict Processing||Right to restrict processing of personal data, under certain circumstances||None, other than right to opt-out of personal information sales|