If your business serves customers in both Europe and California, you're subject to two of the world's most significant privacy laws. While GDPR and CCPA share the goal of protecting personal information, their approaches differ in ways that matter for implementation.
Here's a practical comparison that goes beyond surface-level similarities.
Scope: Who's Covered
GDPR
Applies to any organization that:
- Is established in the EU/EEA, OR
- Offers goods or services to individuals in the EU/EEA (whether or not payment is required), OR
- Monitors the behavior of individuals in the EU/EEA (for example, profiling or tracking website visitors)
There is no revenue or size threshold. A one-person startup processing EU personal data is subject to GDPR.
CCPA/CPRA
Applies to for-profit businesses that:
- Have annual gross revenue exceeding $25 million (the CPPA adjusts this figure for inflation), OR
- Buy, sell, or share personal information of 100,000+ consumers or households per year, OR
- Derive 50% or more of annual revenue from selling or sharing consumers' personal information
Non-profits and government entities are excluded. Small businesses below all three thresholds are not covered.
Key difference: GDPR applies to everyone. CCPA has a meaningful size threshold that exempts smaller businesses.
What Counts as Personal Data
GDPR: Personal Data
Any information relating to an identified or identifiable natural person. This includes:
- Direct identifiers (name, email, ID number)
- Online identifiers (IP address, cookie ID, device ID)
- Pseudonymized data (still personal data, since it can be re-identified with additional information)
Employee data is fully covered.
CCPA: Personal Information
Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a consumer or household. This explicitly includes:
- Standard identifiers
- Commercial information (purchase history)
- Internet activity (browsing, search history)
- Geolocation data
- Inferences drawn from personal information
Employee and B2B contact data were exempt under the original CCPA; those exemptions expired on January 1, 2023 under CPRA, so both are now covered.
Key difference: Both are broadly defined. CCPA's inclusion of "household" data is unique — GDPR focuses on natural persons only.
Legal Bases for Processing
GDPR: Six Legal Bases
Processing requires one of six explicit legal bases:
- Consent
- Contract performance
- Legal obligation
- Vital interests
- Public interest
- Legitimate interests (with balancing test)
Every processing activity must be mapped to a legal basis before processing begins.
CCPA: No Equivalent
CCPA does not require a legal basis for collection or processing. Instead, it focuses on:
- Notice: Tell consumers what you collect and why at or before collection
- Purpose limitation: Don't use data for purposes incompatible with what was disclosed
- Opt-out rights: Consumers can opt out of sale/sharing
Key difference: GDPR requires affirmative justification for processing. CCPA requires transparency and opt-out mechanisms. This is a fundamental philosophical difference — GDPR is permission-based, CCPA is notice-and-choice.
Consumer/Data Subject Rights
| Right | GDPR | CCPA/CPRA |
|---|---|---|
| Access/Know | Yes (Art. 15) | Yes |
| Deletion | Yes (Art. 17) | Yes |
| Rectification/Correction | Yes (Art. 16) | Yes (CPRA added) |
| Portability | Yes (Art. 20) | Yes |
| Opt-out of sale | N/A | Yes |
| Opt-out of sharing | N/A | Yes (CPRA added) |
| Restrict processing | Yes (Art. 18) | Yes (CPRA: sensitive PI) |
| Object to processing | Yes (Art. 21) | Limited |
| Automated decisions | Yes (Art. 22) | Yes (CPRA added) |
| Non-discrimination | Implied | Explicit |
Response Deadlines
| | GDPR | CCPA/CPRA |
|---|---|---|
| Standard | 1 calendar month | 45 calendar days |
| Extension | +2 months (complex) | +45 days |
| Total maximum | 3 months | 90 days |
| Extension notification | Within first month | Within first 45 days |
Key difference: CCPA's 45-day deadline gives slightly more time than GDPR's calendar month, but GDPR's extension is more generous (2 extra months vs. 45 extra days).
Consent
GDPR: Opt-In
- Consent must be freely given, specific, informed, and unambiguous
- Requires affirmative action (no pre-ticked boxes)
- Must be as easy to withdraw as to give
- Children under 16 require parental consent for online services offered directly to them (member states may lower the age to as low as 13)
- Silence, inactivity, or pre-checked boxes do not constitute consent
CCPA: Opt-Out
- No general consent requirement for data collection
- Opt-out right for sale/sharing of personal information
- "Do Not Sell or Share My Personal Information" link required on website
- Opt-in required for sale of minors' data (under 16 requires affirmative consent, under 13 requires parental consent)
- Must honor Global Privacy Control (GPC) browser signals
Key difference: GDPR defaults to "no processing without permission." CCPA defaults to "processing is permitted, but consumers can opt out of sale/sharing."
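The Global Privacy Control requirement above is the one item in this section that is implemented in code rather than in a policy. The following is an added example, not code from the original article or from any vendor, showing how a server recognizes the signal and feeds it into the same sale/share decision that the "Do Not Sell or Share" link controls. Two things are taken from the GPC specification: a supporting browser sends the request header `Sec-GPC: 1`, and a site may advertise support at `/.well-known/gpc.json`. The stored-preference model, the decision rules and the tag names are assumptions made for illustration; the CPRA regulations' steps for a signal that conflicts with an earlier explicit opt-in are not modelled (the signal simply wins here).

```python
"""Added example, not code from the original article or any vendor: honouring
the Global Privacy Control (GPC) signal on the server and feeding it into the
sale/share decision that the "Do Not Sell or Share" link also controls.

Taken from the GPC specification: a supporting browser sends the request
header "Sec-GPC: 1", and a site may advertise support at /.well-known/gpc.json.
Assumptions made for this example: the stored-preference model, the decision
rules, and the list of third-party tags are illustrative; the CPRA regulations'
steps for a GPC signal that conflicts with an earlier explicit opt-in are not
modelled, the signal simply wins here.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Mapping, Optional


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only for Sec-GPC with the exact value "1" (header name matched
    case-insensitively). "0", "true", "" or a missing header mean no signal."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass(frozen=True)
class Decision:
    may_sell_or_share: bool
    reason: str


def sale_share_decision(headers: Mapping[str, str],
                        stored_opt_out: Optional[bool]) -> Decision:
    """stored_opt_out: True = consumer used the Do Not Sell or Share link,
    False = consumer explicitly opted in, None = nothing on record."""
    if stored_opt_out:
        return Decision(False, "opted out via Do Not Sell or Share link")
    if gpc_signal_present(headers):
        # Assumption: the signal is honoured as an opt-out of sale/sharing for
        # this consumer, regardless of an earlier explicit opt-in (see docstring).
        return Decision(False, "Sec-GPC: 1 received, treated as opt-out")
    return Decision(True, "no opt-out on record and no GPC signal")


# Hypothetical tags whose loading would constitute "sharing" for cross-context
# behavioural advertising. Real tag names and vendors vary by site.
THIRD_PARTY_TAGS = ("ad-pixel.js", "retargeting.js")
# Assumed to be served and used only by the business itself, so neither a sale nor a share.
FIRST_PARTY_TAGS = ("site-analytics.js",)


def tags_to_load(headers: Mapping[str, str], stored_opt_out: Optional[bool]) -> list[str]:
    """First-party tags always load; third-party tags only when sale/sharing is permitted."""
    tags = list(FIRST_PARTY_TAGS)
    if sale_share_decision(headers, stored_opt_out).may_sell_or_share:
        tags.extend(THIRD_PARTY_TAGS)
    return tags


def well_known_gpc(last_update: str = "2025-01-01") -> str:
    """Body for GET /.well-known/gpc.json, in the GPC spec's resource format."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed sample requests: one from a browser with GPC enabled, one without.
    for label, hdrs in (("GPC browser", {"Sec-GPC": "1", "User-Agent": "x"}),
                        ("no signal", {"User-Agent": "x"})):
        d = sale_share_decision(hdrs, None)
        print(f"{label}: share={d.may_sell_or_share} ({d.reason}) -> {tags_to_load(hdrs, None)}")
```

The check is deliberately strict about the header value: the specification defines `1` as the only meaningful value, so a permissive test such as "header present" would also fire on `Sec-GPC: 0` and suppress sharing for consumers who never asked for it. The decision function is the single place that both the link-based opt-out and the browser signal flow through, which is what an auditor will want to see when asking how the two mechanisms stay consistent.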
Enforcement and Penalties
GDPR
- Enforced by: National data protection authorities (DPAs) in each EU member state
- Fines: Up to EUR 20 million or 4% of global annual turnover (whichever is higher)
- Private right of action: Yes — data subjects can sue for damages
- Complaint mechanism: Anyone can file a complaint with a DPA at no cost
CCPA/CPRA
- Enforced by: California Attorney General + California Privacy Protection Agency (CPPA)
- Fines: Up to $2,500 per unintentional violation and $7,500 per intentional violation or violation involving a minor under 16, assessed per consumer and per violation
- Private right of action: Limited to data breaches (nonencrypted, nonredacted personal information exposed through a failure to implement reasonable security), with statutory damages of $100 to $750 per consumer per incident; there is no private action for other privacy violations
- Cure period: Was 30 days under original CCPA; eliminated by CPRA
Key difference: GDPR fines are percentage-based and can be enormous. CCPA fines are per-violation, which can also scale significantly (10,000 violated consumers × $7,500 = $75 million). GDPR allows broader private litigation.
Practical Implications for Dual Compliance
If You're Already GDPR Compliant
You're most of the way to CCPA compliance. Key additions needed:
- "Do Not Sell or Share" link on your website (if applicable)
- Honor Global Privacy Control signals
- Adjust response timeline processes for 45-day deadline
- Financial incentive disclosures (if you offer loyalty programs)
- Verify your privacy policy includes CCPA-specific disclosures
If You're Starting Fresh
Build for GDPR first — it's the stricter standard. Then layer CCPA-specific requirements:
- Data mapping: Required by both laws, but GDPR's Article 30 record of processing activities (ROPA) is more prescriptive
- Privacy notice: Cover both sets of required disclosures in one policy (with jurisdiction-specific sections)
- Rights handling: Build a unified DSAR process that accounts for different deadlines per jurisdiction
- Consent management: Implement GDPR-style opt-in consent for collection; this covers GDPR but does not replace CCPA's opt-out mechanics, so the "Do Not Sell or Share" link and GPC handling are still required
- Vendor management: Article 28 data processing agreements for GDPR (not to be confused with the data protection authorities that enforce it), service provider/contractor agreements for CCPA
Ongoing Management
The challenge isn't achieving compliance — it's maintaining it across both frameworks simultaneously. This requires:
- Tracking which requests fall under which law
- Applying the correct deadline for each jurisdiction
- Maintaining evidence that satisfies both frameworks
- Updating policies when either law changes (CPRA regulations are still evolving)
Automation isn't optional for dual-jurisdiction compliance. Manual tracking across different deadline rules, exemption criteria, and documentation requirements breaks down quickly as request volume grows.
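The two tracking problems listed above (which law a request falls under, and which deadline then applies) are where the Response Deadlines table earlier and the unified DSAR process from the previous section meet in code. The following is an added example, not code from the original article or from any compliance product, covering both. It assumes the EDPB counting convention for GDPR's "one month" (the same calendar day next month, or the last day of that month if no such day exists), counts CCPA's 45 and 90 days as plain calendar days from receipt, and collapses GDPR's "person in the EU" test and CCPA's California-residency test into one region code supplied at intake; a real form would capture both.

```python
"""Added example, not code from the original article: deadline arithmetic and
jurisdiction routing for a DSAR queue that handles GDPR and CCPA/CPRA together.

Assumptions made here rather than stated by the article:
- GDPR's "one month" follows the EDPB counting convention: the same calendar
  day in the following month, or that month's last day if the day does not
  exist (a request received on 31 January is due on 28 or 29 February).
- CCPA's 45 and 90 days are counted as plain calendar days from receipt.
- Routing keys off one "region" field supplied by the requester. GDPR actually
  turns on where the person is, CCPA on California residency; a real intake
  form would capture both, this example collapses them into one code.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# EU member states plus the three EEA EFTA states (ISO 3166-1 alpha-2).
EEA_CODES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}


def add_months(d: date, months: int) -> date:
    """Same day N months later, clamped to the last day of the target month."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass(frozen=True)
class Timeline:
    law: str
    received: date
    initial_due: date   # respond, or send the extension notice, by this date
    extended_due: date  # absolute latest response date once an extension is invoked


def timeline(law: str, received: date) -> Timeline:
    """Statutory response window for one request under one law."""
    if law == "GDPR":   # 1 month, extendable by 2 further months (Art. 12(3))
        return Timeline(law, received, add_months(received, 1), add_months(received, 3))
    if law == "CCPA":   # 45 days, extendable by a further 45 days
        return Timeline(law, received,
                        received + timedelta(days=45), received + timedelta(days=90))
    raise ValueError(f"unsupported law: {law}")


def applicable_laws(region: str, meets_ccpa_threshold: bool) -> list[str]:
    """Which regimes a request falls under. A business below every CCPA
    threshold (see Scope above) owes CCPA rights to nobody."""
    code = region.strip().upper()
    laws: list[str] = []
    if code in EEA_CODES:
        laws.append("GDPR")
    if code == "CA" and meets_ccpa_threshold:
        laws.append("CCPA")
    return laws


def days_remaining(t: Timeline, today: date, extended: bool = False) -> int:
    """Calendar days left; negative means the request is already overdue."""
    due = t.extended_due if extended else t.initial_due
    return (due - today).days


def schedule(region: str, received: date, meets_ccpa_threshold: bool = True) -> list[Timeline]:
    """Every timeline a request must satisfy; an empty list means no statutory clock."""
    return [timeline(law, received) for law in applicable_laws(region, meets_ccpa_threshold)]


if __name__ == "__main__":
    # Constructed sample intake: an end-of-month receipt date exposes the
    # month-clamping rule that a naive "+30 days" implementation gets wrong.
    for region in ("DE", "CA", "TX"):
        for t in schedule(region, date(2025, 1, 31)):
            print(f"{region} {t.law}: respond or notify by {t.initial_due}, "
                  f"hard stop {t.extended_due}")
```

The month clamping is the part worth testing in any ticketing integration: a request received on 31 January is due on 28 February under GDPR, so a system that silently adds 30 days books the deadline two days late. Storing both `initial_due` and `extended_due` at intake also gives the evidence trail the section asks for, since the extension notice has to go out by the first date even when the response itself will use the second.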