The CCPA and the GDPR Are Not the Same: Why You Should Understand Both

The EU General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) are milestone pieces of legislation, in major markets, one on each side of the Atlantic. While the CCPA has not had the international impact that the GDPR has and is considered to have been influenced by the latter, it is no “GDPR clone.” The result is that corporations must understand both pieces of legislation and their differences, in order to formulate compliance strategies going forward. In the context of events such as the passage of the California’s Proposition 24, the monitoring of legal developments is likewise of great importance. This study helps in highlighting the extraterritorial effect of both, and certain major differences between the two, as well as noting a couple of important changes to come through Proposition 24.

By W. Gregory Voss¹

I. INTRODUCTION

Within less than two years, on both sides of the Atlantic important data privacy laws became applicable — on the one side, the General Data Protection Regulation (“GDPR”) in the European Union and the other countries of the European Economic Area in 2018,² and on the other side the California Consumer Privacy Act (“CCPA”) as amended, in the United States in 2020.³ These two data privacy laws have rightly attracted attention outside the borders of their home jurisdictions, due in part to the importance of the markets they cover, and in part to their extraterritorial effect, co