GDPR vs CCPA — Key Differences in Privacy Regulations
Compare GDPR and CCPA privacy regulations. Understand scope, rights, penalties, and what each law requires for businesses and website operators.
| Feature | GDPR | CCPA/CPRA |
|---|---|---|
| Who is covered | People in the EU/EEA, whatever the business's location (Art. 3) | California residents |
| Legal basis required | Yes (one of six lawful bases, Art. 6) | No (collection and use allowed by default) |
| Consent model | Opt-in where consent is the basis, and for non-essential cookies | Opt-out of sale/sharing; opt-in only for minors under 16 |
| Max penalty | €20M or 4% of worldwide annual turnover, whichever is higher | $2,500 per violation; $7,500 per intentional violation or violation involving minors' data |
| Business thresholds | None (applies to all controllers and processors) | Yes: revenue, data-volume, or data-sales thresholds |
| Right to erasure | Yes ('right to be forgotten', Art. 17) | Yes (right to delete, subject to exceptions) |
| Data portability | Yes (Art. 20) | Yes (as part of the right to know) |
| Enforcement | National data protection authorities | California AG and the California Privacy Protection Agency; private right of action limited to data breaches |
Verdict
GDPR is stricter, broader in scope, and carries higher penalties. If you process personal data of people in the EU/EEA, GDPR compliance is non-negotiable. For US-focused businesses, CCPA/CPRA compliance is required once you meet California's thresholds. Build for GDPR compliance first: its higher standards cover most of what CCPA asks for, leaving only CCPA-specific additions such as the 'Do Not Sell or Share' link, the notice at collection, and honoring opt-out preference signals.
The Fundamental Philosophy Difference
GDPR and CCPA reflect different philosophical approaches to privacy regulation. GDPR treats privacy as a fundamental right that requires active protection: businesses must establish a lawful basis before processing data, obtain valid consent where no other basis applies (and for non-essential cookies), and limit collection to what is necessary for the stated purpose. CCPA treats privacy more as a consumer protection issue: businesses can collect and use data by default, but consumers have the right to know what is collected and to opt out of its sale or sharing. This difference makes GDPR more burdensome upfront (cookie consent banners, legal basis documentation, DPIAs for high-risk processing) but more protective of individuals. CCPA's opt-out model is more business-friendly but arguably less effective at actually protecting privacy, since the burden of acting falls on the consumer.
The Growing US State Privacy Law Landscape
CCPA was the first major US state privacy law but is no longer alone. Virginia's CDPA, Colorado's CPA, Connecticut's CTDPA, Texas's TDPSA, and many others have passed comprehensive privacy laws by 2025. The US patchwork of state laws is increasingly burdensome for businesses, fueling debates about a federal privacy law. In practice, multi-state businesses build a compliance program that satisfies the strictest applicable laws. CCPA/CPRA is usually the most stringent US state law, so satisfying it generally satisfies the others, with some exceptions to check: several states (Virginia and Colorado among them) require opt-in consent before processing sensitive data, whereas CCPA only gives consumers a right to limit its use. For global companies, GDPR typically sets the highest bar.
Practical Compliance Overlap
For companies subject to both GDPR and CCPA, the good news is that compliance programs overlap significantly. Both require: a privacy policy disclosing data categories and purposes; mechanisms for data access, correction, and deletion requests; contracts with third-party processors (GDPR data processing agreements; CCPA service provider and contractor terms); security measures appropriate to the risk; and breach notification procedures. Building a GDPR-compliant program first is often the recommended approach, because GDPR's requirements are comprehensive enough that meeting them generally satisfies CCPA's more limited ones. What remains are the CCPA-specific elements: the 'Do Not Sell or Share My Personal Information' link, the notice at collection, and honoring opt-out preference signals such as Global Privacy Control.
Frequently Asked Questions
Does GDPR apply to a business outside the EU?
Yes, if you offer goods or services to people in the EU/EEA, or monitor their behaviour (for example through website cookies, analytics, contact forms, or any service used by people in the EU), GDPR applies to you regardless of where your business is located. The regulation follows the individual, not the business location. Merely receiving an occasional visit from someone in the EU does not by itself bring you in scope; targeting or monitoring people there does.
What is the difference between the GDPR and CCPA consent models?
GDPR requires a lawful basis before any processing. Consent is one of six bases, and when you rely on it (or when you set non-essential cookies) it must be opt-in: a clear affirmative act given before the processing starts, with pre-ticked boxes and continued browsing not counting. CCPA uses an opt-out model: you can collect and sell or share data by default, but must offer an opt-out and honor it, including opt-out preference signals sent by the browser. GDPR's opt-in approach is more protective of individuals but more burdensome for businesses.
What counts as 'selling' personal information under CCPA?
CCPA's definition of 'selling' is broad: disclosing or otherwise making available a consumer's personal information to a third party for monetary or other valuable consideration. This is interpreted to include passing data to ad networks for targeted advertising, even without a direct cash exchange. Many companies discovered that their standard ad tech stack technically constituted 'selling' under CCPA. CPRA settled the question for advertising by adding 'sharing', defined as disclosing personal information for cross-context behavioral advertising whether or not money changes hands, and giving consumers the same opt-out right over it.
Do I need a cookie banner for CCPA?
Not necessarily in the same form as GDPR cookie banners. CCPA requires a 'Do Not Sell or Share My Personal Information' link on your website and, under the CPRA regulations, that you honor opt-out preference signals such as Global Privacy Control (sent as the Sec-GPC request header and exposed to scripts as navigator.globalPrivacyControl). GDPR, together with the ePrivacy rules, requires consent before placing non-essential cookies. If you need to comply with both, a unified consent management platform (CMP) that applies opt-in logic to EU visitors and opt-out logic elsewhere is typically the practical solution.
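The gating logic such a unified CMP has to implement, as an added example that is not code from the original page or from any CMP vendor: EU visitors get opt-in (nothing non-essential loads until an affirmative choice is recorded), everyone else gets opt-out (load by default, but stop on a recorded opt-out or a Global Privacy Control signal). The cookie name `privacy_choice`, the `window.__visitorRegion` region tag set by the server, and the ad tag URL are assumptions for illustration; region detection itself is outside the example.

```javascript
// Added example: consent gate for non-essential third-party scripts.
// Assumed cookie name holding the visitor's recorded choice:
// "granted" | "denied" | absent (no choice made yet).
const CONSENT_COOKIE = "privacy_choice";

// Parse a Cookie header / document.cookie string into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Server side: GPC arrives as the "Sec-GPC: 1" request header.
function gpcFromHeaders(headers) {
  const v = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return v === "1";
}

// Decide whether ad tech / analytics may load.
// region: "EU" for GDPR/ePrivacy, "CA" for CCPA/CPRA, anything else treated
// as opt-out; an unknown (empty) region fails closed to opt-in.
function decideNonEssential({ region, cookieString, gpcSignal }) {
  const choice = parseCookies(cookieString)[CONSENT_COOKIE];
  const optIn = region === "EU" || !region;

  if (optIn) {
    // Opt-in: only a recorded affirmative choice allows loading.
    // Silence, pre-ticked boxes or continued browsing do not count.
    const ok = choice === "granted";
    return { load: ok, regime: "opt-in",
             reason: ok ? "affirmative consent recorded" : "no consent recorded" };
  }

  // Opt-out (CCPA/CPRA): allowed by default, switched off by either a
  // GPC signal (must be honoured as an opt-out of sale/sharing) or a
  // recorded opt-out via the "Do Not Sell or Share" link.
  if (gpcSignal) return { load: false, regime: "opt-out", reason: "GPC signal" };
  if (choice === "denied") return { load: false, regime: "opt-out", reason: "user opted out" };
  return { load: true, regime: "opt-out", reason: "default allowed; opt-out link offered" };
}

// Browser side: the third-party tag is only inserted when the decision
// allows it, so a blocked tag never reaches the page at all.
// `doc` is passed in so the function can be exercised without a real DOM.
function loadIfAllowed(decision, src, doc) {
  if (!decision.load) return false;
  const s = doc.createElement("script");
  s.src = src;
  s.async = true;
  doc.head.appendChild(s);
  return true;
}

// Usage in a page (skipped when run under Node).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const decision = decideNonEssential({
    region: window.__visitorRegion || "",          // assumed: set server-side from GeoIP
    cookieString: document.cookie,
    gpcSignal: navigator.globalPrivacyControl === true,
  });
  loadIfAllowed(decision, "https://ads.example/tag.js", document); // assumed tag URL
}
```

The two regimes share one decision function so that the same stored choice cookie and the same opt-out link work everywhere; only the default differs. Note that GPC is checked before the stored choice in the opt-out branch, so a browser-level opt-out is not overridden by an earlier "granted" click.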