The California Attorney General considered and rejected the creation of a safe harbor exemption from the CCPA for businesses that are already complying with GDPR, says the statement of reasons that accompanies the draft CCPA Regulations.
“The Attorney General rejected this alternative because CCPA and GDPR have different requirements, different definitions, and different scopes. For example, GDPR prohibits collection without express consent; CCPA does not prohibit collection. GDPR does not have a right to opt-out of sale; the right to opt-out is a core right of CCPA. GDPR applies to both public and private sector entities; CCPA only applies to specific types of business.
Because of this incompatibility, the Attorney General determined that a safe harbor would not effectively further the purposes of the CCPA. In addition, both laws are relatively new, and thus, carving out a safe harbor so early in their existence appears premature.”