The California Consumer Privacy Act and the GDPR: Identifying Operational Overlap

After roughly two years of seemingly non-stop GDPR conversation, the California Consumer Privacy Act of 2018 (CCPA) is the latest new kid on the block in privacy compliance, and with its broad scope reaching beyond the borders of California (the fifth-largest economy in the world) it creates unique challenges for the over 500,000 businesses estimated to be subject to the new law.1

Like the GDPR, one of the primary aims of the CCPA is to protect consumers from data misuse, while empowering them with certain rights that require transparency from businesses and provide some control over how that personal information is used.

The CCPA, which will take effect on January 1st, 2020, will force certain companies that conduct business in the State of California to implement structural changes to their privacy programs. In particular, the new rights provided to California residents include the right to request information, right of deletion, and right to opt-out of the sale of one’s personal information. These rights, although not as comprehensive as what is provided by the GDPR, do result in some useful overlap.


The CCPA was quickly passed by the California legislature on June 28th, 2018 and signed into law later that day by Governor Jerry Brown. It was quite the surprise to many U.S. privacy professionals, especially in light of the fact that while “[t]he GDPR took 4 years to develop; in contrast, the California legislature will spend a grand total of 7 days working on this major bill.”

While it is possible, perhaps even likely, that the CCPA could change between now and its January 1st, 2020 effective date, it would be wise of those businesses to begin their compliance efforts today and make adjustments as necessary, rather than waiting until the eleventh hour.

Luckily, for those businesses that have already been in pursuit of GDPR compliance, they have a head start toward CCPA compliance that should not be overlooked. This article will address some of the key similarities between the CCPA and the GDPR, with a focus on leveraging existing work and building a privacy program so that it can be agile when new laws such as the CCPA get added to the privacy compliance puzzle.

Consumer Rights

Right to Request Information

Under the CCPA, California residents (“consumers”) will have a right to request the following information from a business that is collecting their personal information:

  • The categories of personal information collected
  • The specific pieces of personal information collected
  • The categories of sources of personal information
  • The business or commercial purpose for collecting or selling the personal information
  • The categories of third parties with whom the business shares personal information

Similarly, if a business sells the consumer’s personal information, that consumer can request the following:

  • The categories of personal information collected
  • The categories of personal information sold
  • The categories of third parties to whom the personal information has been sold
  • The categories of personal information sold to each third party
  • The categories of personal information that were disclosed about the consumer for a business purpose

Upon receipt of a ‘verifiable consumer request,’2 this information must be promptly delivered to the consumer, free of charge, either by mail or electronically. However, if delivered electronically then, to the extent feasible, the information must be transmitted in a portable and readily usable format that allows the consumer to transfer personal information to another entity. Additionally, the business can provide the information to the consumer at any time, but cannot be required to provide it more than twice in a twelve-month period.

Right to Opt-Out

Consumers also have the right to request, at any time, that a business that sells their personal information stop doing so, and to enable this right, businesses must provide a clear and conspicuous link on their website homepage, titled “Do Not Sell My Personal Information,” to another page where the opt-out can be submitted.


Leave a Reply

Please Login to comment
Notify of

Enjoyed the article?

Get notified of new articles and relevant events.

Thank you for being a part of the CPO Magazine community.

Something went wrong.

Before you go ...

How about giving us a follow?

Or let us notify you of new articles and relevant events.

Thank you for being a part of the CPO Magazine community.

Something went wrong.

Follow CPO Magazine