Need to start saving with a new ATS? Learn how to calculate the return on investment of your ATS Calculate ROI now


CCPA (California Consumer Privacy Act) is a California law granting consumers rights regarding their personal information’s collection and usage. GDPR (General Data Protection Regulation) is an EU regulation that strengthens privacy rights by restricting personal data collection and processing by organizations. Both prioritize individual data protection.

Nikoletta Bika
Nikoletta Bika

Nikoletta holds an MSc in HR management and has written extensively about all things HR and recruiting.

Many of the privacy regulations spawning all around the globe have numerous similarities (including the ostensibly similar acronyms) and several key differences. If you’re wondering about the CCPA and GDPR comparison, let’s take a look.

First, what are GDPR and CCPA?


Recently, California passed its own privacy law, CCPA or the California Consumer Privacy Act, set to take effect in January 2020. The CCPA law gives rights to consumers regarding how their personal information is collected, sold or shared by organizations.


One of the most discussed – and possibly stricter – privacy laws, the EU GDPR, or General Data Protection Regulation, has been in effect since May 2018. To strengthen people’s privacy rights, it restricts the collection and processing of personal data by organizations.

To help ensure GDPR compliance, check out our GDPR privacy policy template.


Let’s start with the similarities: both laws oblige organizations to follow certain guidelines when handling personal information of natural persons; namely, being transparent and acting to the best interest of the people whose information they collect. For example, both involve following disclosure requirements such as informing people about what personal information they collect and about their rights according to CCPA/GDPR.

But, how is CCPA different from GDPR? Here’s a breakdown of basic differences (note that this list isn’t exhaustive):


Applies to businesses, headquartered inside or outside of California, that collect personal information of California State Residents and that satisfy at least one of three conditions:

  • Annual Gross revenue more than $25 million.
  • Handling (buying, selling, etc.) personal information of more than 50,000 CA consumers, households, or devices annually.
  • Gets at least 50 percent of annual revenue from selling CA consumers’ personal information.
Has extra-territorial effect: it might cover all companies that process EU data whether they’re established in the EU or not, and regardless of where the actual data processing takes place.
Protects California residents (whether they’re currently in the state or not) Protects EU residents and data subjects whose data are collected by covered companies
Refers to ‘personal information’ that identifies, relates to, describes, and is linked to or associated with a consumer or household Refers to ‘personal data’ that is related to an identified or identifiable data subject
May not apply to job candidates and employees (according to amendment Assembly Bill 25) Applies to job candidates and employees

Privacy rights

The right to disclosure / access The right to disclosure / access
Right to deletion Right to erasure (‘to be forgotten’)
Requirements for sale of personal information of children:

  • Minors under 16 years of age must authorize the sale of their personal information.
  • For children under 13, the opt-in must be collected from a parent or guardian.
Where the child is below the age of 16 years, processing of their personal data shall be lawful only if and to the extent that consent is given or authorized by the legal guardian.

Member states can set a lower age provided that the lower age isn’t below 13 years.

Right to object only to the sale of personal information Right to restrict processing
The right of data portability The right of data portability
Right to rectification
Direct right of action Compensation claims and right to lodge a complaint with a supervisory authority
Right to recover damages ($100 to $750) Right to receive compensation for material or non-material damages

Specific regulations

Puts disclosure requirements for collection, selling and sharing of personal information Puts disclosure requirements and restricts collection and processing of personal data
Doesn’t impose a lawful basis as a requirement for the purposes of handling personal information Requires companies to have a lawful basis to handle personal data
Obliges businesses to comply with a verifiable consumer request within 45 days Obliges data controllers to comply with a verifiable data subject request within a month

Fines & consequences

Fine for violation is $2,500 to $7,500 Fine for violation is up to 20 million euros or 4% of annual revenue/turnover, whichever is greater
$100 to $750 per consumer per incident after civil action Compensation for material or non-material damages to the data subject
Businesses have 30 days to cure violations and inform consumers that they have done so No grace period

Terminology & descriptions

Refers to “businesses” in general Distinguishes between “data collectors” and “data processors”
Refers to “consumers” Refers to “data subjects”
Addresses “personal information” Addresses “personal data”
Applies to devices and households as well as consumers Applies to natural people only

CCPA-GDPR comparison:

  • If your company complies already with the GDPR, you might find it easier to comply with CCPA as well (although companies shouldn’t assume that their GDPR compliance efforts will necessarily satisfy the requirements of the CCPA).
  • CCPA places criteria based on the ‘gain’ companies get from consumer’s personal data or their overall revenue.
  • CCPA applies to households and devices as well as natural people, unlike GDPR
  • Both CCPA and GDPR can protect consumers or data subjects regardless of where they are at any given time.
  • Both laws protect the same types and categories of information of natural persons. CCPA may protect more information such as information linked to a device (e.g. browsing activity).
  • Both laws have disclosure and transparency requirements.
This article is meant to provide general guidelines and should be used as a reference. It’s not a legal document and doesn’t provide legal advice. Neither the author nor Workable will assume any legal liability that may arise from the use of this article. Always consult your attorney on matters of compliance with each law.

If you liked this CCPA vs GDPR article and would like to learn more about commonly compared terms, see our HR terms section.

Frequently asked questions

Let's grow together

Explore our full platform with a 15-day free trial.
Post jobs, get candidates and onboard employees all in one place.

Start a free trial