
Understanding GDPR and CCPA Compliance

GDPR and CCPA were created to provide privacy and consumer protection where online data collection is concerned. What businesses need to do to understand these guidelines and comply with them is becoming clearer, but questions remain.


It was bound to happen: a backlash in response to the big data treasure trove of personal information generated from hundreds of millions of online exchanges every day, and often viewed as ripe for the plucking.

Two regulations have emerged on the scene and recent questions from marketing directors reveal the need for some answers, beginning with the very basics:

  • What does GDPR stand for?
  • What does CCPA stand for?

Good questions. 

GDPR stands for the General Data Protection Regulation. It is a European Union legal regulation designed to protect the personal data and privacy of EU citizens.

CCPA stands for the California Consumer Privacy Act. It was established to enhance digital privacy rights and consumer protection for residents of the state of California.

GDPR in Brief

The GDPR applies to organizations with more than 250 employees that are either located in an EU country or store personal data of EU residents. The regulation can also apply to organizations with fewer than 250 employees that regularly collect certain kinds of sensitive personal data.

GDPR compliance requires unambiguous opt-in/opt-out consent from website visitors to collect their personal data, clarity concerning the storage of data, and stringent limitations on who has access to it. 


CCPA in Brief

The CCPA applies to for-profit businesses that buy, sell, receive, or share personally identifiable information of at least 50,000 Californians per year, or make at least half of their annual revenue from sharing consumers’ personal information with third parties.

CCPA compliance calls for the display of opt-in and opt-out options, along with detailed disclosures on a website. A Risk Assessment Report to the California Privacy Protection Agency is also required on a regular basis.


Clarity and Caution

It should come as no surprise that both of these regulations appear to be evolving and, at the same time, remain a source of some confusion among marketing directors and information services professionals.

Our goal here is not to offer legal advice or to provide definitive answers regarding compliance, but rather to point out the importance of becoming familiar with these regulations, and to compare current practices for collecting and storing data against the guidelines set forth in the GDPR and the CCPA.  

If you are concerned that you are possibly in violation of either regulation, don’t hedge your bets or guess about the best course of action. Seek legal help and clarification. 

Generally speaking, we also recommend a higher level of caution concerning the collection of consumer data along with a sharper focus on how consumer data is being stored.

And of course, keep in mind that nothing online is ever static. It can be expected that both the GDPR and CCPA will continue to evolve. One might also be wise to assume that as big data gets bigger and technology gets more sophisticated in its ability to mine personal consumer data, more stopgap measures, along with deeper consumer protection laws favoring website visitors, will emerge.
