CCPA vs GDPR: Key Differences and How to Comply With Both

A practical side-by-side comparison of GDPR and CCPA compliance requirements. Learn the key differences in scope, consumer rights, consent, penalties, and DSAR handling — and how to build a process that covers both.

Last updated: 2025-02-07

If you sell anything online, you have probably heard of both GDPR and CCPA. Maybe your lawyer mentioned them. Maybe a customer emailed asking you to delete their data. Maybe you just saw a scary headline about a company getting fined millions.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney or data protection professional for guidance specific to your business. The information here is based on the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100), the CPRA (Proposition 24, 2020), and the General Data Protection Regulation (EU) 2016/679 (GDPR), as of the date of publication.

Here is the thing most articles will not tell you: if you are a small business, you do not need to become an expert on both laws. You need to understand the practical differences, build one solid compliance process, and move on with running your business.

That is exactly what this guide covers.

What Are GDPR and CCPA?

GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) is the European Union's data protection law. It went into effect in May 2018 and applies to any business that processes personal data of people in the EU — regardless of where your business is located (GDPR Article 3).

CCPA (California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100–1798.199.100) is California's privacy law, effective January 2020, later amended by the CPRA (California Privacy Rights Act) in 2023. It gives California residents rights over their personal information and applies to businesses that meet certain revenue or data-processing thresholds (Cal. Civ. Code § 1798.140(d)).

Both laws give people more control over their personal data. But they approach the problem differently, and the details matter.

Who Is Covered: Scope and Applicability

This is the first thing you should figure out, because if neither law applies to you, you can stop reading (though you probably should not — more states and countries are passing similar laws every year).

GDPR Scope

GDPR applies to you if:

  • You are based in the EU or EEA (European Economic Area)
  • You offer goods or services to people in the EU (even if you are based in the US, Canada, or anywhere else)
  • You monitor the behavior of people in the EU (think: analytics, tracking, profiling)

There is no size threshold. A one-person shop selling handmade goods to EU customers is covered. A SaaS company with three EU users is covered. If you touch EU personal data, GDPR applies.

CCPA/CPRA Scope

CCPA applies to for-profit businesses that:

  • Do business in California, AND meet at least one of these:
    • Annual gross revenue over $25 million
    • Buy, sell, or share personal information of 100,000 or more California residents, households, or devices per year
    • Derive 50% or more of annual revenue from selling or sharing California residents' personal information

This is a meaningful difference. Many small businesses fall under GDPR but not CCPA. But do not assume you are off the hook — if you have a website with analytics and email signup forms, you may be processing data of 100,000+ California residents faster than you think.

Side-by-Side Comparison

Here is the practical comparison:

| Area | GDPR | CCPA/CPRA |
| --- | --- | --- |
| **Who it protects** | EU/EEA residents (data subjects) | California residents (consumers) |
| **Who it applies to** | Any org processing EU personal data | For-profit businesses meeting thresholds |
| **Size threshold** | None | $25M revenue, 100K consumers, or 50% revenue from data sales |
| **Lawful basis required** | Yes — must have one of 6 legal bases | No — can process unless consumer opts out |
| **Consent model** | Opt-in (must get consent before processing) | Opt-out (can process, consumer can say stop) |
| **Right to access** | Yes (DSAR — 30 days to respond) | Yes (consumer request — 45 days to respond) |
| **Right to delete** | Yes | Yes |
| **Right to correct** | Yes | Yes (added by CPRA) |
| **Right to portability** | Yes | Yes (limited) |
| **Right to opt out of sale** | Not applicable (processing requires legal basis) | Yes — "Do Not Sell My Personal Information" |
| **Breach notification** | 72 hours to supervisory authority | "Without unreasonable delay" |
| **Penalties** | Up to 4% of global annual revenue or 20M EUR | $2,500 per violation, $7,500 per intentional violation |
| **Private right of action** | Limited | Yes, for data breaches (statutory damages $100-$750 per consumer per incident) |
| **Data Protection Officer** | Required in certain cases | Not required |
| **Cookie consent** | Requires opt-in consent | Opt-out for sale/sharing only |
| **Cross-border transfers** | Restricted — needs safeguards (SCCs, adequacy decisions) | No specific restrictions |

The Key Differences That Actually Matter

Let me cut through the legal jargon and highlight what matters for your day-to-day operations.

Consent: Opt-In vs Opt-Out

This is the biggest philosophical difference between the two laws.

GDPR says: You need a legal reason (a "lawful basis" under GDPR Article 6) to process someone's personal data. In many cases, that means getting consent before you collect or use their data (GDPR Article 7). No pre-checked boxes. No "by using this website you agree to everything." Real, affirmative, informed consent.

CCPA says: You can collect and use personal information, but consumers have the right to opt out of the sale or sharing of their data (Cal. Civ. Code § 1798.120). You do not need prior consent to collect data — you just need to honor opt-out requests.

What this means for you: If you build for GDPR compliance (opt-in everything), you are automatically CCPA-compliant on consent. But if you only build for CCPA (opt-out), you are NOT GDPR-compliant.

Definition of Personal Data

GDPR's definition of "personal data" is very broad: any information relating to an identified or identifiable person. Names, emails, IP addresses, cookie IDs, location data — all personal data.

CCPA's definition of "personal information" is also broad but slightly different. It includes information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked" to a consumer or household. Notably, CCPA extends to household-level data, not just individual data.

In practice, both definitions are wide enough that most of the data you collect counts as personal data under both laws.

Rights and Response Times

Both laws give individuals the right to access, delete, and (with CPRA) correct their data. The mechanics differ:

  • GDPR: Requests are called DSARs (Data Subject Access Requests). You have 30 days to respond (GDPR Article 12(3)), extendable by 60 days for complex requests.
  • CCPA: Requests are called consumer requests. You have 45 days to respond (Cal. Civ. Code § 1798.130(a)(2)), extendable by an additional 45 days.

For a deeper dive on managing response deadlines across jurisdictions, see our guide on DSAR response deadlines.

Penalties

GDPR penalties are severe (GDPR Article 83). Up to 20 million EUR or 4% of global annual revenue, whichever is higher. And regulators have shown they are willing to use them — Amazon was fined 746 million EUR, Meta was fined 1.2 billion EUR.

CCPA penalties are per-violation. $2,500 per unintentional violation, $7,500 per intentional violation. That sounds manageable until you realize "per violation" can mean "per consumer affected." A data breach affecting 10,000 Californians at $7,500 each is $75 million.

CCPA also allows a private right of action for data breaches, meaning individual consumers can sue you. GDPR does not have this in the same direct way (though individuals can file complaints with regulators).

Cookies and Tracking

GDPR (combined with the ePrivacy Directive) requires opt-in consent for non-essential cookies. This is why European websites show those cookie consent banners. You cannot drop tracking cookies or analytics cookies until the user clicks "Accept."

CCPA does not require cookie consent banners per se. But if your cookies are used to "sell" or "share" personal information (and most advertising cookies are), you must offer a "Do Not Sell or Share My Personal Information" link and honor opt-out requests.

Data Transfers

GDPR heavily restricts transferring personal data outside the EU. You need safeguards like Standard Contractual Clauses (SCCs), Binding Corporate Rules, or an adequacy decision from the EU Commission. The EU-US Data Privacy Framework currently provides a mechanism for transfers to certified US companies, but this area has been legally turbulent.

CCPA has no restrictions on where you store or transfer data. As long as you honor consumer rights and protect the data, California does not care if your servers are in the US, EU, or anywhere else.

Practical Advice: How to Comply With Both

Here is the good news: if you comply with GDPR, you are almost entirely covered for CCPA. GDPR is the stricter standard in almost every area.

Here is the not-quite-as-good news: CCPA has a few requirements GDPR does not cover, so "GDPR-compliant" does not automatically mean "CCPA-compliant."

Build for GDPR First, Then Add CCPA-Specific Requirements

Step 1: Get your consent house in order. Implement proper opt-in consent for cookies, email marketing, and data processing. Use a consent management platform if you need to. This satisfies GDPR and goes beyond what CCPA requires.

Step 2: Create a clear privacy policy. Both laws require one. Your privacy policy needs to cover what data you collect, why, who you share it with, and what rights people have. CCPA specifically requires you to list the categories of personal information collected and the business purposes. Check our guide on whether you need a privacy policy — spoiler: you do.

Step 3: Build a DSAR/consumer request process. You need a way for people to submit requests and for you to respond within the required timeframe. One unified process that handles both GDPR DSARs and CCPA consumer requests is far more practical than maintaining two separate workflows.

Step 4: Add CCPA-specific features:

  • A "Do Not Sell or Share My Personal Information" link on your website
  • A process for handling opt-out requests specifically
  • Financial incentive disclosures if you offer different pricing based on data collection

Step 5: Document everything. Both laws expect you to be able to demonstrate compliance. Keep records of consent, data processing activities, DSARs/consumer requests, and how you responded.

The "Comply With the Strictest" Strategy

For most small businesses, the smart approach is to adopt the strictest requirement from any applicable law and apply it globally. This means:

  • Opt-in consent for cookies and tracking (GDPR standard)
  • 30-day response time for data requests (GDPR is stricter than CCPA's 45 days)
  • Comprehensive privacy policy covering both laws' requirements
  • One unified DSAR process that satisfies both laws
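As an added illustration (not code from the original article), the following browser-side consent gate encodes the strictest-of-both model from Step 1 and the list above: non-essential categories stay off until the user opts in (the GDPR standard), a separate flag records a CCPA "Do Not Sell or Share" opt-out and overrides any later sale/share opt-in, and tracking code has to ask the gate before it drops a cookie or loads a tag. The category names, the storage key and the in-memory store standing in for browser storage are assumptions.

```javascript
// Added example (not the article's code): a consent gate for the "comply with
// the strictest" strategy. Category names and the storage key are assumptions.
const CATEGORIES = ["essential", "analytics", "advertising"];
// Assumed to count as "selling or sharing" under CCPA (most ad cookies do).
const SALE_OR_SHARE = new Set(["advertising"]);
const STORAGE_KEY = "privacy_consent_v1";
const store = new Map(); // in-memory stand-in for localStorage so it runs offline
function loadState() {
  const raw = store.get(STORAGE_KEY);
  // GDPR opt-in: non-essential categories start denied until an affirmative choice.
  return raw ? JSON.parse(raw) : {
    decided: false,                                   // user made a real choice?
    granted: { essential: true, analytics: false, advertising: false },
    doNotSellOrShare: false,                          // CCPA opt-out on file?
  };
}
function saveState(state) {
  store.set(STORAGE_KEY, JSON.stringify(state));
  return state;
}
// Record only what the user ticked (no pre-checked boxes); unknown categories are rejected.
function recordConsent(choices) {
  const state = loadState();
  for (const c of Object.keys(choices)) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
  }
  for (const c of CATEGORIES.filter((x) => x !== "essential")) {
    // An earlier CCPA opt-out keeps winning over a later sale/share opt-in.
    const blocked = state.doNotSellOrShare && SALE_OR_SHARE.has(c);
    state.granted[c] = choices[c] === true && !blocked;
  }
  state.decided = true;
  return saveState(state);
}
// Honour a "Do Not Sell or Share My Personal Information" request (CCPA opt-out).
function doNotSellOrShare() {
  const state = loadState();
  state.doNotSellOrShare = true;
  for (const c of SALE_OR_SHARE) state.granted[c] = false;
  return saveState(state);
}
// Tracking code calls this before dropping a cookie or loading a tag.
function mayUse(category) {
  const state = loadState();
  if (category === "essential") return true;
  if (!state.decided) return false;                   // nothing before "Accept"
  if (state.doNotSellOrShare && SALE_OR_SHARE.has(category)) return false;
  return state.granted[category] === true;
}
```

Wire `mayUse("analytics")` or `mayUse("advertising")` in front of each tag loader, and persist the same state object to real browser storage in place of the in-memory map.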

This is simpler, less error-prone, and future-proofs you against new privacy laws (which are popping up everywhere — Virginia, Colorado, Connecticut, and many more US states now have their own laws).

For a full breakdown of how to handle multiple jurisdictions, see our guide on multi-jurisdiction privacy compliance.

Common Mistakes to Avoid

Assuming CCPA does not apply because you are small. The 100,000-consumer threshold counts devices and households, not just named customers. If your website gets meaningful California traffic, you may be closer to the threshold than you think.

Ignoring GDPR because you are US-based. If you have a website accessible in the EU and you sell products or services there, GDPR applies. "But I only ship to the US" might protect you. "I have a .com website that anyone in the world can visit" does not.

Treating privacy compliance as a one-time project. Both laws require ongoing compliance. You need to keep your privacy policy updated, respond to requests promptly, and adapt to regulatory changes.

Not having a DSAR process. This is the most common failure point we see. A customer emails asking "what data do you have on me?" and you have no idea what to do. Having a process in place before the first request arrives is critical.

What About Other Privacy Laws?

GDPR and CCPA are the big two, but they are not the only ones. If you do business across multiple states or countries, you will also need to consider:

  • PIPEDA (Canada) — see our PIPEDA compliance guide
  • UK GDPR (post-Brexit version of GDPR)
  • VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), and a growing list of US state laws

The good news: most of these laws are modeled on GDPR or CCPA, so your foundational compliance work carries over. The bad news: each has enough unique quirks to keep privacy lawyers employed for decades.

For a complete guide to managing compliance across all these jurisdictions, see our CCPA compliance guide and GDPR guide for small businesses.

The Bottom Line

GDPR and CCPA are different laws with different philosophical approaches. GDPR starts from "you cannot process data without permission." CCPA starts from "you can process data, but people can tell you to stop selling it."

But for practical purposes, the differences matter less than you might think. Build your privacy compliance program around these principles:

  1. Be transparent about what data you collect and why
  2. Get meaningful consent (not buried-in-the-terms consent)
  3. Give people real control over their data
  4. Have a reliable process for handling data requests
  5. Document what you are doing

Do that, and you will be in solid shape for both laws — and most of the ones that are coming next.

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
