The Main Differences Between CCPA & GDPR

Techsense Team | 7:05 am, 29th January

The general premise of two important data privacy laws, GDPR and CCPA, is the same: giving consumers more control over their personal data and protecting their right to privacy.

The General Data Protection Regulation (GDPR) is the world's first comprehensive data privacy law. It came into effect on May 25, 2018 and protects the privacy of all data subjects in the EU. The California Consumer Privacy Act (CCPA) of 2018 was implemented on January 1, 2020, and applies to residents of California only.

While the two laws overlap in many respects, they differ in others, including the scope of application, accountability, and collection limitations.

Here are the key differences between CCPA and GDPR:

Key differences between CCPA and GDPR

Who it applies to: 

CCPA: Applies to:

- for-profit businesses that process the personal information of 50K or more consumers

- businesses that earn 50 percent of their revenue (monetary or otherwise) by sharing the personal data of Californian consumers. 

- businesses that have annual revenue of 25 million or more.

GDPR: Applies to all entities, including data controllers, for-profit, non-profit, public entities, individuals, and NGOs that offer services or goods, or target consumers in the EU. Data controllers are defined as entities that process or collect data of EU subjects regardless of their purpose, shape, or size. 

The GDPR does not set restrictions on the size, revenue, or geographic location of businesses that need to comply with the regulation. 

Scope of penalties: 

Non-compliance with GDPR can lead to a penalty of €20 million or 4 percent of the business's global annual turnover, whichever is higher. The fines are determined by the gravity, duration, and nature of the infringement. Monetary penalties under the CCPA are smaller, at $2,500 per violation, while penalties for international infringement can go up to $7,500.

Protection

Protections apply under CCPA to consumers in California only.

GDPR protects all 'data subjects', who can be any person in the EU, not only residents or citizens of the EU. This includes those who are in any member state for other than a transitory purpose and EU citizens who have gone out of the state for a temporary purpose.

Data security

GDPR: Requires data controllers to implement adequate measures to secure data.

CCPA: While there are no such data security requirements, consumers can take legal action should a security breach occur.

Data rectification

GDPR: Consumers can request correction of any incomplete or incorrect personal data.

CCPA: Consumers do not have any rectification rights.

Representation

GDPR: Requires businesses outside the EU that process EU residents' data to appoint an EU representative.

CCPA: No specific representation requirements.

Consent

GDPR: Prior consent from data subjects is a must for using data.

CCPA: While businesses need not obtain explicit consent for data use, they need to provide clear information to consumers on how their personal data will be used.  

While both data privacy laws seek to empower consumers with comprehensive rights over their data, GDPR is a broader and bigger privacy law with more stringent penalties for non-compliance. In comparison, the CCPA is a more specific, smaller sectoral law that protects the rights of residents of California related to their data use.

