GDPR vs CCPA/CPRA
The two most influential data privacy laws compared. If your company processes data from EU and California residents, you likely need to comply with both.
At a Glance
Key differences between GDPR and CCPA/CPRA for mid-market companies (fewer than 200 employees).
Detailed Comparison
| Comparison Point | GDPR | CCPA/CPRA |
|---|---|---|
| Jurisdiction | EU/EEA (27 member states) | California, USA |
| Effective Date | May 25, 2018 | January 1, 2020 (CPRA: January 1, 2023) |
| DSAR Response Deadline | 1 month (calendar) | 45 calendar days |
| DSAR Extension | +2 months (complex requests) | +45 days (with notice) |
| Maximum Fine | €20M or 4% of global annual turnover | $7,988 per intentional violation |
| Scope / Threshold | Any organization processing EU residents' data | Revenue >$26.6M, or 100K+ consumers, or 50%+ revenue from data sales |
| Consent Model | Opt-in (explicit consent required) | Opt-out (right to opt out of sale/sharing) |
| DPO Requirement | Yes (for public authorities and large-scale processing) | No (no DPO requirement) |
| Breach Notification | 72 hours to supervisory authority | "Without unreasonable delay" (no fixed timeline for consumers) |
| Right to Erasure | Yes (Article 17) | Yes (Right to Delete) |
| Data Portability | Yes (Article 20, machine-readable) | Yes (Right to Know, portable format) |
| Private Right of Action | Yes (Article 82, damages) | Limited (data breaches only, $100-$750 per consumer) |
| Cross-Border Transfers | Restricted (SCCs, BCRs, adequacy) | No restrictions on cross-border transfers |
| Enforcement Body | National DPAs + EDPB coordination | California Privacy Protection Agency (CPPA) |
When Does Each Law Apply?
GDPR applies whenever your company processes personal data of individuals located in the EU or EEA — regardless of where your company is based. If you have EU customers, website visitors from the EU, or EU employees, GDPR likely applies to you.
CCPA/CPRA applies to for-profit businesses that collect California residents' personal information AND meet one of three thresholds: annual revenue exceeding $26.625 million, processing data of 100,000+ consumers/households, or deriving 50%+ of annual revenue from selling or sharing personal information.
Key Differences That Matter for Mid-Market Companies
The most significant difference is the consent model. GDPR requires opt-in consent before processing personal data (with limited exceptions for legitimate interest). CCPA takes the opposite approach: businesses can process data by default, but consumers have the right to opt out of data sales and sharing.
For DSAR response times, GDPR gives you 1 calendar month (roughly 30 days), while CCPA gives you 45 days. This sounds like CCPA is more generous, but GDPR allows a 2-month extension for complex requests — giving you up to 3 months total. CCPA only allows a 45-day extension.
The penalty structures differ dramatically. GDPR fines can reach €20 million or 4% of global annual turnover (Meta was fined €1.2 billion in 2023). CCPA penalties are capped at $7,988 per intentional violation, which is significant but far less than GDPR's potential impact.
Practical Tips for Dual Compliance
If you need to comply with both laws, build to the higher standard — which is generally GDPR. A GDPR-compliant program will cover most CCPA requirements, but you will need to add CCPA-specific elements: the "Do Not Sell or Share My Personal Information" link, specific notice-at-collection requirements, and financial incentive disclosures. Use the DSAR calculator to track deadlines for both jurisdictions simultaneously.
Which Law Applies to You?
GDPR applies to you if: You process personal data of anyone in the EU/EEA — even if your company is based outside Europe. No revenue or size threshold.
CCPA/CPRA applies to you if: You are a for-profit business AND meet one of these thresholds: $26.6M+ annual revenue, 100K+ California consumers, or 50%+ revenue from data sales.
Both apply if: You operate in both markets. Most mid-market companies with EU and US customers will need dual compliance. Build to GDPR standards first, then add CCPA-specific requirements.
Related Resources
GDPR Compliance Guide
Full compliance guide for General Data Protection Regulation
CCPA/CPRA Compliance Guide
Full compliance guide for California Consumer Privacy Act
DSAR Deadline Calculator
Calculate exact response deadlines for 69 jurisdictions
Enforcement Actions
Real fines and enforcement cases from privacy authorities
Privacy Blog
Practical guides and analysis for mid-market companies
Disclaimer: This comparison is maintained independently by PrivacyCache for informational purposes. We strive for accuracy but laws evolve and specific requirements may change. This is not legal advice. Consult qualified legal counsel for compliance decisions. Last updated: 4/2/2026.
