Earlier this year, GDPR went into effect. Many US-based companies have updated their privacy policies, added consent banners, changed information collection practices, and improved internal privacy policies.  But despite its global reach, GDPR is an EU regulation. Not everyone has felt compelled to change their ways. 

Enter the California Consumer Protection Act (CCPA) of 2018.  

CCPA was approved on June 29th and will not go into effect until Jan 1, 2020.  Just like GDPR, a long implementation period has been granted to give businesses ample time to make changes.   

We’ll explore some high-level similarities and differences between GDPR and CCPA.  


Scope: GDPR is broad in its reach. Any company that handles EU data subjects’ privacy data is impacted.  Even if your company is located outside of the EU, you may be held accountable for handling EU customer data wisely.  Similarly, CCPA is focused on California, but any company that handles the personal data of Californians is subject to scrutiny.  However, CCPA limits the reach to those businesses that (1) handle private data for more than 50,000 users, (2) earn 50% of revenues from selling personal data, or (3) have gross annual revenues exceeding $25M. Businesses that don’t meet this litmus test are spared from CCPA. 

Right to know:  Both regulations have provisions that stipulate the user should know how their data is being used.  Both require user-approval before their data is used elsewhere.  CCPA requires businesses to prominently display an opt-out button that reads “Do Not Sell My Private Data.” GDPR maintains the need for opt-in consent protocols. 

Right to be forgotten:  This is one of the main points of both regulations.  If a consumer shares private data, they should also have the ability to have it removed.  In both cases, the consumer should be able to request to have his/her information removed/deleted (unless there is a legitimate reason for keeping the data).  Not only does local data have to be removed, but so does all user data stored among processors (GDPR) or service providers (CCPA).  


CCPA allows companies to offer financial incentive to collect personal data.  If a business sells personal data, it must disclose to whom the data was sold, if requested.  

Both CCPA and GDPR aim to offer more privacy protections to the consumer. This is great news for both businesses and consumers alike.  By offering more transparency on what is being collected, businesses will be able to earn more consumer trust.  A pre-GDPR study in the UK and the US shows the power of knowledge.  Two NYT reporters asked Amazon in the UK and the US for information that they stored about them. Hopefully, you agree that being transparent is the better of the two options

Source:  https://www.nytimes.com/interactive/2018/05/20/technology/what-data-companies-have-on-you.html 

With an increase in data breaches and cyber-attacks, consumers are more likely to want to work with companies that respect their privacy and/or have measures in place to protect their data.  We strongly believe the essentiality of strong data privacy controls will continue to grow and be part of all the solutions we build in the future.  

Peter, Digital Strategist / Producer 

Disclaimer:  All information is the opinion of Taoti Creative.  We do not offer legal advice and we urge anyone that decides to pursue compliance with specific data privacy laws and regulations to seek legal counsel to ensure your specific needs are being met. 


  1. CA Legislature: Assembly Bill No. 375. http://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375 
  1. European Union:  GDPR – Regulations 2016/679 – http://data.europa.eu/eli/reg/2016/679/oj 
  1. GDPR info – https://gdpr-info.eu/