The GDPR and the California CCPA: How Do They Compare?

Last updated May 15, 2023

We have seen significant developments in privacy protections for individuals. The General Data Protection Regulation (GDPR) came into force in May of 2018. It is followed by the California Consumer Protection Act (CCPA) of 2018 which came into force at the start of 2020. Both regulations have similarities including around the processing of personal data and special provisions for children. If a company is in compliance with the GDPR it is likely to be part way towards compliance with the new CCPA.

These regulations come at a time when the tech giants’ grip on the online identities of many of us is increasing at an unstoppable pace. Think way beyond tracking your likes and dislikes to marketing to you, to building psychological profiles that predict your mood and the myriad revenue opportunities this provides. Regulations cannot keep pace with digital developments, so to be effective they need to be far reaching and broad in scope. The GDPR is just this, it has long arms.

Both the regulations have provisions to “update”. The European Data Protection Board and the European Commission can adopt guidelines that have legal effect in relation to how the GDPR is implemented in practice and the CCPA allows the State Attorney General to update the Act.

Guidance from the regulators is vital. The GDPR has to date caused consternation, confusion and quite literally panic in some areas of the gaming industry. However, both the GDPR and the CCPA have at their heart the individual’s right to control their personal data and while they may pose challenges for companies trying to navigate the regulatory landscape, protections for today’s consumers couldn’t be more vital.

Informational Society Services (websites, apps, platforms and connected toys) should take note of the similarities and differences of both regulations as they design, build and develop online products. Following privacy by design principles from the outset will save time and resource in the medium term and help avoid costly fines for violations, not to mention brand damage. For example, the CCPA has some clear guidelines on designing opt out mechanisms.

One fundamental difference to note between the two regulations is the scope. GDPR covers publicly available personal data, any data that can be traced to an individual is personal data and it also covers not for profit organizations. The CCPA covers for profit organizations only and the collection, sharing and selling of personal data in certain circumstances. It also enumerates what constitutes personal data including IP address and browsing history. Importantly both the GDPR and the CCPA include the requirement for obtaining parent consent for processing children’s data. The age of consent is 16 under the GDPR so anyone 15 and under needs consent from the holder of parental responsibility. The CCPA sets the bar at 13, the same as the United States Children’s Online Privacy Protection Act (COPPA).

COPPA has already passed its 20th anniversary. It set the stage for gaining parent consent for the collection and use of children’s personal information. However, what we learned from COPPA is that the unless the “big guys” implement compliant platforms and accommodate children rather than blocking them, the rest of industry will be resistant to follow. Facebook has actual knowledge of their u13 user base, they close thousands of underage accounts annually, but so far the tech giant has failed to provide a compliant experience for them.  New regulations will only protect individuals and our children if the powers that be enforce them.