
Data Privacy Governance: GDPR vs CCPA


One of the foremost concerns for any organization or individual is privacy, including the protection of personal information. Data privacy regulation is getting more complex each day. When using a large company’s website or application, consumers often agree to the terms and conditions without reading the text. They agree to various conditions to create an account, purchase a product, or get a digital freebie.

The online world provides convenience for consumers, which is why many companies have shifted and created an online presence. With the web, sharing personal information also becomes easier, and companies can collect consumer information faster to help identify business goals. However, while sharing personal information, consumers expect their data to be properly protected.

Why You Need to Increase Data Privacy Governance

In the Cisco 2019 Consumer Privacy Survey, 84% of respondents answered that they care about their data privacy, and of those respondents, 80% are willing to act to continue protecting their information. The respondents who have already acted switched companies or providers to ensure that the data policies and data sharing practices align with their views on data privacy.

Data privacy governance ensures fair and consumer-friendly deals as well. Everyone has the right to determine how and why others use their data. Furthermore, 90% of respondents in the Cisco 2019 survey believe that how a company treats their data is also indicative of how they treat their customer.


Therefore, companies that wish to keep their consumers must follow and strengthen their data privacy governance. Increasing transparency and accountability on how your company uses consumer data will help build trust with your customers.

“Data privacy and protection differentiates business today. Do it right, you stand out. Do it wrong, and you will be called out.” – John N. Stewart (Cisco, 2019)

Additionally, governments have implemented laws and regulations on consumer data. While collecting data for your company, remember that you must follow regulations such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Failure to abide by these regulations may result in hefty fines and penalties.

These regulations were created to protect citizens from the misuse of personal information. They give individuals more control over their personal information even after companies have collected it.

General Data Protection Regulation (GDPR)

The GDPR came into effect on May 25th 2018 and affects what companies may do when collecting information from consumers in Europe. It made data privacy more prominent in the public eye and resulted in incredible change for data privacy. The GDPR provides protection and individual empowerment. It also puts new obligations and privacy protection requirements on the organization.

The GDPR ensures privacy and secrecy are maintained while giving power to regulators. A regulator can ask for descriptions or demonstrations of your company’s data privacy governance. If you do not provide the right answer, regulators have the power to impose fines on your company.

Key Concept of GDPR

The GDPR provides individuals with fair, transparent, and explicit information on data collection. This ensures that the process of collecting information is completed without any ambiguity and gives consumers the right to access and the right to privacy. Full transparency also includes notifying consumers when the company experiences a cyber breach related to consumer data. The GDPR does not apply to anonymous data and enforces the safe handling and transfer of data across borders. Companies that fall under the GDPR’s jurisdiction require the consent of data subjects for data processing.

California Consumer Privacy Act (CCPA)

The CCPA was passed in June 2018 but took effect on January 1st 2020. In response to consumer complaints regarding personal privacy, the California government created this law to protect the personal information of individuals. Under the CCPA, companies that collect personal information must inform consumers what type of information they collect. This applies to any organization working within California.

Key Concept of CCPA

The CCPA is the most comprehensive data privacy law in the United States. It was created mainly for California residents and ensures that personal data is not used for any harmful or illegal purpose. The CCPA requires that the subject know what data companies collect as well as how and why companies use the data. Individuals also have the right to stop organizations from collecting data if they refuse to share their personal information.


The CCPA and GDPR share many similarities. Both are considered important laws for the security of personal information.

Data Privacy Scope of Regulation

The GDPR covers any business that is based in the European Union or has customers who are European citizens. It does not consider the size or revenue of the business. It protects any identifiable person who shares personal data, where personal data includes any information related to an identifiable subject.

Meanwhile, the CCPA only applies to companies based in California that meet one of the following:

  • Has a gross revenue greater than $25 million.
  • Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The CCPA covers any California resident and protects any information related to an identifiable person. However, the CCPA includes the protection of information linked at the household or device level.

Data Privacy Penalties

The GDPR fines data breaches and penalizes companies that are noncompliant. It can impose fines of 4% of the company’s annual global turnover regardless of the company’s size. Meanwhile, the CCPA imposes penalties and fines for each violation committed. The penalty resulting from the CCPA can go up to $7,500 if the violation was intentional.

Data Privacy Rights

Both the CCPA and GDPR address how information is accessed or deleted as part of data privacy governance. For the right of disclosure or access, the two laws have similar interpretations of how consumers can ask a company to disclose the information it holds about them. However, the CCPA only covers written disclosure of information, while the GDPR allows broader access and does not limit it to written disclosure.

The right of data portability requires a business to provide personal information in a readily usable and transferable format. Both the CCPA and GDPR enforce this, but the GDPR provides specific rights to request the transfer of personal data between data controllers.

The right to deletion or erasure ensures consumers can choose to delete or remove their information from a company’s system. Under the GDPR, the right only applies if the request meets one of six conditions, while the CCPA’s interpretation is broad. However, the CCPA also has a broader interpretation of when businesses are allowed to refuse a request for deletion.

Data Privacy Security

The GDPR requires corporations to take appropriate measures to ensure the safety and security of data processed in their systems. Meanwhile, the CCPA does not have any direct data security requirements. However, it establishes a right of action and holds companies responsible when a data breach occurs – especially when the company’s intent or negligence causes the data breach.


While the CCPA is not as comprehensive as the GDPR, both laws focus on protecting consumer data. These laws help consumers understand how and why companies use their data and give consumers more control over their personal data. As a result, companies should ensure they meet data privacy governance requirements to keep consumers who are gradually becoming more aware of the protection of their personal data.

However, keep in mind that if you are a company based in the United States, you must abide by the data privacy laws implemented by the state you are based in. Each state in the United States has different policies in place. Therefore, check with a professional advisor or your state government to determine whether your company is compliant with your state’s data privacy law.


  1. Cisco. (2019, November). Consumer Privacy Survey.
  2. Friel, A., & Jehl, L. (2018, November). CCPA and GDPR Comparison Chart. BakerHostetler.
