GDPR vs CCPA: Key Differences Compared
Quick Answer
GDPR is the EU's comprehensive data protection regulation; CCPA/CPRA is California's consumer privacy law. GDPR is broader in scope, rights, and penalties, while CCPA focuses on consumer data sale/sharing opt-outs. Companies with EU and California users need to comply with both.
GDPR vs CCPA/CPRA: Overview
Both GDPR and CCPA (California Consumer Privacy Act, as amended by CPRA) protect personal data privacy, but they take different approaches. GDPR prohibits processing unless one of six lawful bases applies (consent is one of them, alongside contract, legal obligation, vital interests, public task, and legitimate interests), so the default is "no" until a basis is established. CCPA permits collection with notice and primarily gives consumers the right to opt out of the sale and sharing of their data.
Key Takeaways
- GDPR applies to organizations established in the EU and to non-EU organizations that offer goods or services to, or monitor the behavior of, people in the EU; CCPA applies to for-profit businesses that do business in California and meet its revenue or data-volume thresholds
- GDPR: opt-in model (a lawful basis, of which consent is one option, is required before processing); CCPA: opt-out model (sale and sharing are permitted until the consumer opts out)
- GDPR fines: up to EUR 20M or 4% of global annual turnover, whichever is higher; CCPA fines: $2,500 per violation, up to $7,500 per intentional violation
- GDPR applies to all personal data processing; CCPA applies to businesses meeting specific revenue/data thresholds
- Companies operating in both jurisdictions should build to the higher standard (GDPR) and layer CCPA-specific requirements on top
Side-by-Side Comparison
| Feature | GDPR | CCPA/CPRA |
|---|---|---|
| Effective | May 25, 2018 | Jan 1, 2020 (CCPA); Jan 1, 2023 (CPRA amendments) |
| Jurisdiction | EU/EEA | California, USA |
| Who it applies to | Organizations established in the EU, plus non-EU organizations offering goods/services to or monitoring people in the EU | For-profit businesses doing business in California that meet a threshold: over $25M annual gross revenue (inflation-adjusted), 100K+ consumers or households whose data is bought/sold/shared, or 50%+ of revenue from selling/sharing personal information |
| Consent model | Opt-in (need lawful basis before processing) | Opt-out (process until consumer opts out of sale/sharing) |
| Personal data definition | Any info relating to identifiable person | Info reasonably linked to consumer/household |
| Right to access | Yes (Article 15) | Yes (right to know) |
| Right to delete | Yes (right to erasure, Article 17) | Yes (right to delete) |
| Right to portability | Yes (Article 20) | Yes (right to portability under CPRA) |
| Right to opt out of sale | No sale-specific right; right to object to processing (Article 21), which is absolute for direct marketing | Yes — core right ("Do Not Sell or Share My Personal Information" under CPRA) |
| Right to correct | Yes (Article 16) | Yes (under CPRA) |
| Enforcement | EU supervisory authorities | California AG and California Privacy Protection Agency |
| Maximum penalties | EUR 20M or 4% of global annual turnover, whichever is higher | $2,500 per violation; $7,500 per intentional violation |
| Private right of action | Yes — judicial remedy and compensation (Articles 79 and 82); collective/class actions vary by member state | Yes — for data breaches only, $100-$750 per consumer per incident or actual damages |
| DPO requirement | Yes (in certain cases) | No |
| Breach notification | 72 hours to the supervisory authority where feasible (Article 33); affected individuals without undue delay if the breach is high-risk (Article 34) | Governed by California's separate breach law (Civ. Code 1798.82): "most expedient time possible and without unreasonable delay" (no specific hour deadline) |
Key Differences in Approach
Consent Models
GDPR Opt-In vs CCPA Opt-Out
| Feature | GDPR (Opt-In) | CCPA/CPRA (Opt-Out) |
|---|---|---|
| Default state | Processing prohibited until lawful basis established | Processing permitted unless consumer opts out |
| Consent type | Must be freely given, specific, informed, unambiguous; withdrawable at any time | Opt-out for sale/sharing; opt-in required for sale/sharing of data of consumers under 16 (CPRA); consumers may limit use of sensitive personal information |
| Data collection | Must have a lawful basis before collecting any personal data | Can collect with notice at collection; consumer can request deletion |
| Cookies | Consent required for all non-essential cookies (ePrivacy Directive, applying the GDPR consent standard) | "Do Not Sell or Share" link required if tracking cookies sell or share data; opt-out preference signals (e.g. Global Privacy Control) must be honored under CPRA regulations |
| Marketing | Opt-in required for electronic direct marketing (ePrivacy), with a soft opt-in exception for existing customers; opt-out always available | Permitted with opt-out mechanism |
Complying with Both
Dual Compliance Strategy
Build to GDPR standard first
GDPR is the higher standard in most areas. If you comply with GDPR, you're 70-80% of the way to CCPA compliance. The reverse is not true.
Add CCPA-specific requirements
Add a "Do Not Sell or Share My Personal Information" link (and a "Limit the Use of My Sensitive Personal Information" link where applicable), honor opt-out preference signals, implement financial incentive disclosures, provide the notice at collection, and handle CCPA-specific consumer requests (right to opt out of sale/sharing).
Implement geo-detection
Serve GDPR-compliant consent flows to EU/EEA visitors and CCPA-compliant notices to California users. Many consent management platforms handle this automatically. Geo-IP lookups are approximate (VPNs, mobile carriers, corporate proxies), so when the region is uncertain, serve the stricter GDPR flow rather than the permissive one.
Maintain separate records
Track consent and opt-out records separately for GDPR and CCPA compliance, as the requirements and evidence differ.
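The four steps above, as an added example that is not code from the article or from any consent management platform. It assumes region codes such as "EU" and "US-CA" arrive from an upstream geo-IP lookup (with uncertain visitors mapped to "EU"), and the purpose names are this example's own vocabulary, not terms from either law. The gate encodes the opt-in default for GDPR, the opt-out default (with the under-16 exception) for CCPA, and an append-only ledger that keeps the two regimes' evidence separate.

```javascript
// Added example (not from the article or any vendor CMP): a jurisdiction-aware
// consent gate with a per-regime ledger. Region codes and purpose names are
// assumptions of this example.

const PURPOSES = Object.freeze({
  ANALYTICS: "analytics",       // non-essential cookies
  ADS: "cross_context_ads",     // "sharing" under CPRA
  SALE: "sale",                 // "sale" under CCPA
});

function regimeFor(region) {
  // Assumption: EEA states are normalised to "EU" upstream, and the caller
  // passes "EU" when geo-IP is uncertain so the stricter flow is served.
  if (region === "EU") return "GDPR";
  if (region === "US-CA") return "CCPA";
  return "NONE"; // other US state laws are out of scope for this example
}

// Which first-visit UI to render: opt-in dialog for GDPR, notice plus
// opt-out link for CCPA.
function bannerFor(region) {
  switch (regimeFor(region)) {
    case "GDPR":
      return { kind: "consent_dialog", preTicked: false, blocksNonEssential: true };
    case "CCPA":
      return {
        kind: "notice_at_collection",
        links: ["Do Not Sell or Share My Personal Information"],
        blocksNonEssential: false,
      };
    default:
      return { kind: "none", blocksNonEssential: false };
  }
}

// Append-only ledger keyed by regime, so GDPR consent records and CCPA
// opt-out records can be exported separately as evidence.
class ConsentLedger {
  constructor() { this.entries = []; }

  record({ subjectId, regime, purpose, decision, mechanism, at = new Date().toISOString() }) {
    if (!["opt_in", "opt_out"].includes(decision)) throw new Error(`bad decision: ${decision}`);
    const entry = Object.freeze({ subjectId, regime, purpose, decision, mechanism, at });
    this.entries.push(entry);
    return entry;
  }

  // Most recent entry wins, so a later "opt_out" withdraws an earlier "opt_in".
  latest(subjectId, regime, purpose) {
    for (let i = this.entries.length - 1; i >= 0; i--) {
      const e = this.entries[i];
      if (e.subjectId === subjectId && e.regime === regime && e.purpose === purpose) return e;
    }
    return null;
  }

  exportFor(regime) { return this.entries.filter((e) => e.regime === regime); }
}

// May this non-essential purpose run for this subject right now?
// Only consent-based purposes are gated here; processing on another GDPR
// lawful basis (contract, legal obligation, ...) is outside this function.
function mayProcess({ subjectId, region, purpose, ageUnder16 = false }, ledger) {
  const regime = regimeFor(region);
  const rec = ledger.latest(subjectId, regime, purpose);
  switch (regime) {
    case "GDPR":
      // Opt-in: nothing until an affirmative, purpose-specific record exists.
      return rec !== null && rec.decision === "opt_in";
    case "CCPA":
      if (purpose === PURPOSES.SALE || purpose === PURPOSES.ADS) {
        // Under 16: sale/sharing needs affirmative authorisation (CPRA).
        if (ageUnder16) return rec !== null && rec.decision === "opt_in";
        // Otherwise permitted until an opt-out is on record.
        return rec === null || rec.decision !== "opt_out";
      }
      return true; // collection with notice; deletion is a separate request flow
    default:
      return true;
  }
}

// Constructed sample subjects to show the defaults diverging.
function demo() {
  const ledger = new ConsentLedger();
  ledger.record({ subjectId: "u1", regime: "GDPR", purpose: PURPOSES.ANALYTICS, decision: "opt_in", mechanism: "dialog_accept" });
  ledger.record({ subjectId: "u2", regime: "CCPA", purpose: PURPOSES.SALE, decision: "opt_out", mechanism: "do_not_sell_link" });
  return {
    euAnalytics: mayProcess({ subjectId: "u1", region: "EU", purpose: PURPOSES.ANALYTICS }, ledger),
    euAds: mayProcess({ subjectId: "u1", region: "EU", purpose: PURPOSES.ADS }, ledger),
    caSaleOptedOut: mayProcess({ subjectId: "u2", region: "US-CA", purpose: PURPOSES.SALE }, ledger),
    caSaleDefault: mayProcess({ subjectId: "u3", region: "US-CA", purpose: PURPOSES.SALE }, ledger),
    caMinorSale: mayProcess({ subjectId: "u4", region: "US-CA", purpose: PURPOSES.SALE, ageUnder16: true }, ledger),
    gdprRecords: ledger.exportFor("GDPR").length,
    ccpaRecords: ledger.exportFor("CCPA").length,
  };
}

console.log(demo());
```

The point of keying the ledger by regime is that the evidence differs: a GDPR record has to show an affirmative act for a specific purpose (and any later withdrawal), while a CCPA record has to show that an opt-out was received and honored. Storing the mechanism alongside the decision lets you answer either question from the same store without mixing the two.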
At a Glance
- 70-80%: GDPR to CCPA overlap; GDPR compliance covers most CCPA requirements
- $7,500: CCPA maximum per-violation fine, for intentional violations
- EUR 20M / 4%: GDPR maximum fine, dramatically higher than CCPA
- 15+: US state privacy laws modeled after CCPA/CPRA
If I comply with GDPR, am I CCPA compliant?
Mostly, but not completely. GDPR compliance covers about 70-80% of CCPA requirements. You still need CCPA-specific items: "Do Not Sell" link, financial incentive disclosures, specific notice-at-collection requirements, and California-specific response procedures.
Which law has stricter penalties?
GDPR by far. GDPR fines can reach EUR 20 million or 4% of global revenue. CCPA fines are $2,500-$7,500 per violation, though class-action lawsuits for data breaches ($100-$750 per consumer per incident) can add up quickly.
Do I need separate privacy policies for GDPR and CCPA?
Not necessarily. Many companies use a single comprehensive privacy policy that addresses both GDPR and CCPA requirements, with clearly labeled sections for each. Some companies create separate EU and US privacy notices for clarity.
What about other US state privacy laws?
As of 2025, 15+ US states have enacted comprehensive privacy laws (Virginia, Colorado, Connecticut, Texas, Oregon, etc.). Most are modeled after CCPA/CPRA. A GDPR + CCPA compliance foundation covers most state law requirements with minor adjustments.