CCPA vs CPRA vs GDPR

The CCPA, CPRA, and GDPR are terms thrown around a lot in conversations about data compliance – but what exactly are the differences between these regulations?

When it comes to data privacy regulations as a whole, the industry-standard laws that are often referred to include the CCPA, CPRA, and GDPR. These laws contain a lot of similar requirements and expectations but also some distinct differences between them.

In this guide, we’ll explore these three pieces of personal data legislation, their differences, and everything else you need to know about complying with them.

Everything You Need to Know About CCPA vs CPRA vs GDPR

What is the GDPR?

The GDPR is one of the most widely known laws regulating the use of personal information. It applies to data controllers and data processors established in the EU that handle personal data in the course of their business operations, regardless of whether the processing itself takes place in the EU. It also applies to controllers and processors that are not established in the EU but that process the personal data of EU data subjects in order to offer goods or services in the EU or to monitor the behaviour of its residents.

The GDPR became enforceable in May 2018 and serves to protect those living in the EU. It applies outside the EU whenever a business offers goods or services to EU customers or targets or monitors EU citizens. The information covered by the GDPR is personal data relating to an identified or identifiable Data Subject. It forbids the processing of specified categories of personal data unless a valid legal basis exists. Under the GDPR, consumers must be given the option to opt in to or opt out of the organizational use of their information.

What is the CCPA?

The CCPA was the first California law to regulate the business use of consumer personal data. For-profit companies that gather personal data from California citizens and meet at least one of the following thresholds are subject to the CCPA:

  • Has more than $25 million in annual gross income.
  • Buys, receives, or sells the personal data of 50,000 or more California customers, households, or devices.
  • Derives at least 50% of its business income from the sale of customer data.

Organizations that either control or are controlled by a covered business are likewise subject to this regulation. Service providers and third parties are also subject to certain obligations.

The CCPA took effect on January 1, 2020. It protects consumers in California, defined as California residents who are in the state for reasons other than temporary or transitory ones, or who are domiciled in the state but are currently outside it. The CCPA safeguards any personally identifiable information that may be used to directly or indirectly identify, contact, or describe a specific consumer or household, or that can reasonably be linked to or associated with one. It does not apply to material covered by other sector-specific laws or to publicly accessible government data.

What is the CPRA?

Similar to the CCPA, the CPRA is a newer California law that will eventually replace the CCPA. For-profit companies that collect personal information from California citizens and have a gross annual income of more than $25 million, as well as those that acquire, receive, or sell the personal information of at least 100,000 California customers or households, are subject to the CPRA. It also applies to joint ventures and to companies whose sales or sharing of consumer data account for 50% or more of total income.

The CPRA becomes enforceable in July 2023. It is intended to safeguard Californians who are either domiciled in California but currently out of state for temporary or transitory reasons, or California residents who are in the state for reasons other than temporary or transitory ones. It protects any personal data that may be used, directly or indirectly, to identify, describe, or associate with a specific customer or household, or that can reasonably be related to one. It does not apply to material covered by other sector-specific laws or to publicly accessible government data.

CCPA vs CPRA vs GDPR - Similarities and Differences

The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) both shaped the privacy landscape we know today. Each of these privacy laws attempts to safeguard personal information, imposes stringent obligations on companies that handle personal information, and gives individuals rights to manage their personal information.

Numerous EU nations took inspiration from the GDPR, one of the most comprehensive data protection regulations in the world, to create their own data protection legislation. The CCPA, on the other hand, is one of the most important and stringent privacy laws in the US, with a broad geographical application because California is one of the biggest economies in the world. The California Privacy Rights Act (CPRA) modified and expanded several of the CCPA's provisions on November 4, 2020, imposing even harsher rules on companies that are subject to the legislation.

The GDPR and CCPA are also comparable in the privacy rights they grant, including the right to access and the right to delete. When it comes to the laws' applicability and their requirements for restricting the collection of personal data, however, they diverge. Another significant distinction is that the GDPR requires a legal basis for the processing of personal data, while the CCPA does not. The CCPA also sets standards for the sale of personal information, requiring companies to provide a clear "Do Not Sell My Personal Information" link on their websites. The CPRA modifies this requirement to read "Do Not Sell or Share My Personal Information."

Who Enforces These Rules?

The California Attorney General is given enforcement power under the CCPA. The Attorney General retains enforcement authority even though the CPRA gives the California Privacy Protection Agency full administrative power, jurisdiction, and authority to implement and enforce the CCPA. According to Cal. Civ. Code 1798.199.90, the California Privacy Protection Agency may not restrict the Attorney General's ability to enforce this title. The CPRA will not be enforced until July 1, 2023, and then only for violations that occur on or after that date. Until then, the CCPA's provisions remain in force and enforceable.

The GDPR is enforced by the individual data protection authorities (DPAs) of the 27 EU member states. DPAs are independent of their governments. They investigate complaints, offer guidance on data privacy concerns, and identify instances in which the GDPR has been violated.