Sales Best Practices

What’s the Difference Between the CCPA & GDPR?

Heather Wood, Principal Privacy Program Manager's Avatar

Heather Wood, Principal Privacy Program Manager

Posted: Nov 2019

The European Union’s (EU) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have many similarities. For starters, they both outline and enforce new regulations regarding the personal data of individual consumers. Both require organizations to provide individuals access to their own personal data, as well as the right to have it deleted. And both are regional laws with global implications.

The GDPR and CCPA also have several key differences. With the CCPA going into effect January 2020, it’s wise to study up on the parameters of the CCPA to ensure you don’t face fines in the future, even if you think your business may not be affected.

Read on for more information on the CCPA and how it’s different from GDPR.

Legal Disclaimer: We applied our best understanding of the California Consumer Privacy Act when building this article. However, we are not legal professionals. To minimize risks, we urge you to read the actual text of the CCPA and seek the advice of your corporate lawyer.

The CCPA vs. The GDPR

The most notable difference between the CCPA and GDPR is that the CCPA concern consumers in the state of California, while the GDPR concerns those in the EU.

Here are 9 more key differences between the GDPR and CCPA (via



Covers any entity that processes the personal data
of protected consumers/residents

Applies only to businesses

Allows covered entities to establish equivalent mechanisms

Prescribes disclosures, communication channels, and other measures

More narrow definition of personal information

Broader definition of personal information

Outlines conditions for access and deletion requests

Different conditions for access and deletion requests

Looser restrictions for commercial sharing of
personal data

More rigid restrictions for commercial sharing of personal data

Includes the right to correct errors in processed personal data

Does not expressly include the right to correct errors in processed personal data

Include the right to stop automated decision making (i.e., the right to require a human to make decisions that have legal implications/effect)

Does not expressly include the right to stop automated decision making

Penalty limit set at 4% of global annual revenues

No limit on regulator penalties

No minimum or maximum for damages

Sets minimum and maximum damage amounts ($100 to $750 per consumer per incident) for private actions against violators

If you’re worried about preparing for the CCPA, Sales Hacker has you covered with a detailed webinar on five straight-forward steps to prepare your organization for the CCPA, featuring security experts from DataGrail and Outreach.

Learn tactical steps to prepare for the CCPA (and beyond)

watch the webinar

Outreach & CCPA

Given that Outreach is already GDPR compliant, adjusting to the new regulations of the CCPA was the shift of a speed boat rather than The Titanic. For CCPA, there are a lot of similarities, so we could leverage the compliance pieces we already have in place.

The ways that we are GDPR and CCPA-compliant include:

  • We require an active banner on our website so that customers can control the "sale" of their data, and we educate folks on what the sale of data really means
  • Data is only “personal information” as long as it can be "reasonably linked" to an individual, and we already had to review our data for GDPR to understand what is required to reasonably link a person in our backend
  • GDPR requires stricter data inclusions, so we are prepared to provide a more comprehensive personal data profile upon request than required under CCPA
  • We require our data processors to not further process personal information except as required to fulfill the processing activities
  • We will respond to data access or deletion requests within a 30-day period
  • We have a “cookie banner” on our site as a notice before or at the point of collection of data
  • We review our Privacy Policy and update if needed on an annual basis
  • We do not discriminate against an individual that has exercised their rights under CCPA/GDPR

See how Outreach is GDPR-compliant

Go here