Privacy

CCPA vs GDPR: Key Differences & Which Privacy Law Applies

By Emily Rodriguez
January 11, 2026
11 min read
🛡️

CCPA vs GDPR Privacy Comparison

TL;DR: Quick Takeaways

  • GDPR applies to EU residents' data globally; CCPA applies to California consumers only
  • GDPR requires opt-in consent; CCPA uses opt-out model for data sales
  • GDPR penalties up to €20M or 4% revenue; CCPA up to $7,500 per intentional violation
  • Both provide rights to access, delete, and portability of personal data
  • US companies processing EU data need GDPR compliance; businesses serving CA need CCPA

CCPA (California Consumer Privacy Act) and GDPR (General Data Protection Regulation) are the world's two most influential privacy laws. Both empower consumers with unprecedented control over their personal data, but they differ significantly in scope, requirements, penalties, and enforcement mechanisms.

GDPR, enacted in 2018, is the European Union's comprehensive data protection framework affecting any organization processing EU residents' data worldwide. CCPA, effective in 2020 and strengthened by CPRA in 2023, is California's landmark privacy law that has inspired similar legislation in 13+ US states.

This comprehensive guide compares CCPA and GDPR across geographic scope, applicability thresholds, consumer rights, consent models, penalties, and compliance requirements to help you determine which laws apply to your business and how to achieve compliance with both.

AspectCCPA/CPRAGDPR
JurisdictionCalifornia, USAEuropean Union + EEA + UK
Effective DateJanuary 1, 2020 (CPRA: Jan 1, 2023)May 25, 2018
Applicability Threshold$25M revenue OR 100K+ consumers OR 50%+ revenue from data salesAny organization processing EU residents' data
Consent ModelOpt-out (for sales/sharing)Opt-in (affirmative consent)
Data Subject RightsAccess, Delete, Correct, Opt-out, PortabilityAccess, Erasure, Rectification, Portability, Restriction, Object
Maximum Penalty$7,500 per intentional violation€20M or 4% global revenue (whichever higher)
EnforcementCalifornia Privacy Protection Agency + AGEU Data Protection Authorities
DPO RequirementNo (CPRA has limited requirements)Yes (for certain processing activities)
Private Right of ActionYes (data breach only, $100-$750 per consumer)Limited (varies by member state)
Response Timeline45 days (extendable to 90 days)30 days (extendable to 90 days)

Detailed Privacy Law Comparison

Geographic Scope & Applicability

CCPA/CPRA

CCPA applies to for-profit businesses that collect personal information from California residents and meet one or more of three thresholds. The law has extraterritorial reach, affecting companies worldwide that do business with Californians.

  • Annual gross revenues exceeding $25 million
  • Buy, sell, or share personal info of 100,000+ CA consumers/households
  • Derive 50% or more of annual revenue from selling/sharing consumer data
  • Applies only to California residents (40 million people)

GDPR

GDPR applies to any organization that processes personal data of individuals located in the European Union, European Economic Area, or UK, regardless of where the organization is based. No revenue or volume thresholds exist.

  • Applies to ALL organizations processing EU/EEA/UK residents' data
  • No revenue, employee, or data volume thresholds
  • Covers 450+ million people across EU, EEA, and UK
  • Applies to both data controllers and data processors

Consumer Rights & Data Subject Rights

CCPA/CPRA Rights

  • 1.
    Right to Know: What personal information is collected, sources, purposes, and third parties with access
  • 2.
    Right to Delete: Request deletion of personal information (with exceptions)
  • 3.
    Right to Correct: Request correction of inaccurate personal information (CPRA addition)
  • 4.
    Right to Opt-Out: Opt out of sale or sharing of personal information
  • 5.
    Right to Limit: Limit use and disclosure of sensitive personal information
  • 6.
    Right to Portability: Obtain a copy of personal information in portable format
  • 7.
    Right to Non-Discrimination: Not be denied service for exercising privacy rights

GDPR Data Subject Rights

  • 1.
    Right of Access: Obtain confirmation of data processing and copy of personal data
  • 2.
    Right to Erasure: "Right to be forgotten" – delete data when no longer necessary
  • 3.
    Right to Rectification: Correct inaccurate or incomplete personal data
  • 4.
    Right to Portability: Receive data in structured, machine-readable format
  • 5.
    Right to Restriction: Limit how data is processed in certain circumstances
  • 6.
    Right to Object: Object to processing based on legitimate interests or direct marketing
  • 7.
    Rights Related to Automated Decisions: Human review of automated decisions

Consent Requirements & Models

CCPA/CPRA: Opt-Out Model

CCPA uses an opt-out model for data sales and sharing. Businesses can collect and process data without prior consent but must provide clear mechanisms for consumers to opt out.

  • Must provide "Do Not Sell or Share My Personal Information" link on homepage
  • Must honor Global Privacy Control (GPC) browser signals
  • Opt-in required for consumers under 16 years old
  • Opt-in required for sensitive personal information use beyond necessary purposes
  • Cannot require consent as condition of service (with exceptions)

GDPR: Opt-In Model

GDPR requires affirmative, explicit consent before processing personal data (unless another lawful basis applies). Consent must be freely given, specific, informed, and unambiguous.

  • Consent must be opt-in (pre-ticked boxes not allowed)
  • Must be separate from other terms and conditions
  • Clear and plain language required (no legal jargon)
  • Must be as easy to withdraw consent as to give it
  • Six lawful bases for processing (consent is one of six)

Key Difference: Default State

CCPA Default:

Collection and processing is allowed by default; consumer can opt out of sales/sharing

GDPR Default:

Processing requires lawful basis first (often explicit consent); opt-in required

Penalties & Enforcement

CCPA/CPRA Penalties

Administrative Penalties

  • Up to $2,500 per violation (unintentional)
  • Up to $7,500 per intentional violation
  • 30-day cure period for most violations (before penalties)

Private Right of Action (Data Breaches)

  • $100-$750 per consumer per incident (or actual damages if higher)
  • Applies only to data breaches involving unencrypted/unredacted data
  • 30-day opportunity to cure before class action lawsuit

Enforcement Authority

  • • California Privacy Protection Agency (CPPA)
  • • California Attorney General

GDPR Penalties

Tier 1 Violations

  • Up to €10 million or 2% of global annual revenue (whichever higher)
  • Applies to: processor obligations, data breach notifications, privacy by design

Tier 2 Violations (Most Serious)

  • Up to €20 million or 4% of global annual revenue (whichever higher)
  • Applies to: consent violations, data subject rights violations, unlawful transfers
  • No automatic cure period (at discretion of DPA)

Enforcement Authority

  • • Data Protection Authorities in each EU member state
  • • Lead supervisory authority (one-stop-shop mechanism)
  • • European Data Protection Board (coordination)

Notable Enforcement Actions

CCPA:

Sephora: $1.2M settlement (2022) for not honoring opt-out requests via GPC signals

GDPR:

Amazon: €746M (2021), Meta: €1.2B (2023) for unlawful data transfers and consent issues

Key Compliance Requirements

CCPA/CPRA Requirements

  • Privacy Policy update with 13+ required disclosures
  • "Do Not Sell or Share My Personal Information" link on homepage
  • "Limit the Use of My Sensitive Personal Information" link (if applicable)
  • Toll-free number or web form for consumer requests
  • Verify consumer identity for access/deletion requests
  • Respond to requests within 45 days (extendable to 90 days)
  • Honor Global Privacy Control (GPC) browser signals
  • Maintain records of consumer requests for 24 months
  • Conduct data protection assessments for high-risk processing
  • Service provider and contractor agreements

GDPR Requirements

  • Lawful basis for processing (consent, contract, legitimate interest, etc.)
  • Privacy Notice with 15+ required elements
  • Cookie consent banners (ePrivacy Directive)
  • Data Processing Agreements (DPAs) with all processors
  • Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Records of Processing Activities (ROPA)
  • Appoint Data Protection Officer (DPO) if required
  • Respond to data subject requests within 30 days (extendable to 90 days)
  • Breach notification within 72 hours to DPA (if applicable)
  • Standard Contractual Clauses (SCCs) for non-EU data transfers

Achieve CCPA & GDPR Compliance Faster

LowerPlane automates privacy compliance with built-in CCPA and GDPR workflows, data mapping, DSR automation, and consent management. Compliance in weeks, not months.

Book Free DemoLearn More

Key Differences at a Glance

1. Consent Philosophy

CCPA: Opt-Out

Businesses can collect and process data by default; consumers opt out of sales/sharing

GDPR: Opt-In

Requires affirmative consent before processing (or another lawful basis)

2. Data Breach Response

CCPA

No mandatory breach notification to regulator; private right of action for consumers ($100-$750 per consumer)

GDPR

Mandatory notification to DPA within 72 hours if risk to individuals; notify affected individuals if high risk

3. Scope of "Personal Information" vs "Personal Data"

CCPA: Broader Definition

Includes household-level data, inferred data, and commercial information (purchase history, preferences)

GDPR: Individual-Focused

Must relate to identified or identifiable natural person; excludes business/household data

4. Children's Data Protection

CCPA

Opt-in consent required for selling/sharing data of consumers under 16; parental consent for under 13

GDPR

Parental consent required for children under 16 (member states can lower to 13); stricter protections overall

5. Cross-Border Data Transfers

CCPA

No specific cross-border transfer restrictions; same rules apply regardless of data location

GDPR

Strict requirements for transferring data outside EU/EEA; requires SCCs, BCRs, or adequacy decisions

When Does Each Law Apply to Your Business?

You Need CCPA Compliance If:

  • You are a for-profit business collecting data from California residents
  • AND you meet at least one threshold: $25M+ revenue, 100K+ CA consumers, or 50%+ revenue from data sales
  • You sell or share personal information of CA consumers to third parties
  • You operate a website, mobile app, or service accessible to Californians
  • You process sensitive personal information (biometrics, geolocation, health data, etc.)

Example: A SaaS company with $30M revenue and 5,000 California customers must comply with CCPA even if headquartered outside California or the US.

You Need GDPR Compliance If:

  • You process personal data of individuals located in the EU, EEA, or UK
  • You offer goods or services to EU/EEA/UK residents (even if free)
  • You monitor behavior of individuals in the EU/EEA/UK (analytics, tracking cookies)
  • You are a data processor handling EU data on behalf of another organization
  • Your organization is established in the EU/EEA/UK (regardless of where data is processed)

Example: A US startup with a free trial signup page accessible in Germany must comply with GDPR, regardless of company size or revenue.

You Need BOTH If:

  • You serve customers in both California and EU/EEA/UK
  • You are a global SaaS, e-commerce, or digital platform
  • You meet CCPA thresholds AND process any EU/EEA/UK residents' data
  • You want to future-proof compliance as more US states adopt CCPA-like laws

Recommendation: Implement a unified privacy program that satisfies both CCPA and GDPR requirements. This approach simplifies compliance as more states adopt privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, etc.).

Compliance Implementation Timeline

CCPA/CPRA: 8-12 Weeks

Weeks 1-2: Assessment

  • • Data inventory and mapping
  • • Determine applicability thresholds
  • • Identify data sales/sharing

Weeks 3-6: Implementation

  • • Update privacy policy
  • • Add "Do Not Sell" link
  • • Implement DSR intake process
  • • Enable GPC signal processing
  • • Update vendor contracts

Weeks 7-12: Testing & Optimization

  • • Test DSR workflows
  • • Conduct data protection assessments
  • • Train team on CCPA requirements
  • • Set up ongoing monitoring

GDPR: 12-16 Weeks

Weeks 1-3: Assessment

  • • Create Records of Processing Activities (ROPA)
  • • Identify lawful bases for processing
  • • Assess DPO requirement
  • • Review cross-border transfers

Weeks 4-10: Implementation

  • • Update privacy notices
  • • Implement cookie consent banners
  • • Create DPIAs for high-risk processing
  • • Sign Data Processing Agreements
  • • Implement Standard Contractual Clauses
  • • Set up DSR response process

Weeks 11-16: Testing & Documentation

  • • Test data subject request workflows
  • • Document privacy by design measures
  • • Train team on GDPR requirements
  • • Establish breach notification procedures

Accelerate with Automation

Privacy compliance platforms like LowerPlane reduce implementation time by 50-70% through automated data mapping, DSR workflows, consent management, and pre-built policy templates. Typical timeline: 4-6 weeks for CCPA and 6-8 weeks for GDPR.

Key Takeaways

  1. 1

    Different consent philosophies: CCPA uses opt-out for data sales/sharing, while GDPR requires opt-in consent (or another lawful basis) before processing.

  2. 2

    Broader GDPR reach: GDPR applies to any business processing EU/EEA/UK data (no thresholds). CCPA requires meeting revenue or volume thresholds.

  3. 3

    Higher GDPR penalties: GDPR fines up to €20M/4% revenue vs CCPA's $7,500 per intentional violation. GDPR enforcement is more aggressive.

  4. 4

    Similar consumer rights: Both provide access, deletion, and portability rights, but GDPR includes additional rights (restriction, objection, automated decision-making).

  5. 5

    Unified compliance is best practice: Implement a privacy program that satisfies both CCPA and GDPR to maximize coverage and future-proof against emerging US state privacy laws.

Frequently Asked Questions

Is GDPR stricter than CCPA?

Generally yes. GDPR requires opt-in consent (vs CCPA's opt-out), has higher penalties (€20M/4% revenue vs $7,500 per violation), applies to more businesses (no revenue thresholds), and has stricter requirements for cross-border data transfers and breach notifications. GDPR also provides more data subject rights and requires Data Protection Officers in certain cases.

Can I use the same privacy policy for both CCPA and GDPR?

Yes, but it must include disclosures required by both laws. You can create a unified privacy policy that satisfies both CCPA (13+ required disclosures) and GDPR (15+ required elements), or create separate sections/policies for California residents and EU/EEA/UK individuals. Most companies opt for a single comprehensive policy.

Do I need a Data Protection Officer (DPO) for CCPA?

CCPA does not require a DPO. However, you must designate a contact method for consumers to submit privacy requests (email, web form, or toll-free number). GDPR requires a DPO if you are a public authority, conduct large-scale systematic monitoring, or process special categories of data at scale. Many companies appoint a privacy officer for both compliance programs.

What is the difference between CCPA and CPRA?

CPRA (California Privacy Rights Act) is an amendment to CCPA that became effective January 1, 2023. CPRA adds new rights (correction, limit use of sensitive data), creates the California Privacy Protection Agency for enforcement, introduces risk assessments, expands the definition of sensitive personal information, and requires honoring Global Privacy Control (GPC) signals. CPRA makes California privacy law closer to GDPR.

How long do I have to respond to consumer/data subject requests?

CCPA: 45 days (extendable to 90 days with notice). GDPR: 30 days (extendable to 90 days for complex requests). Both require acknowledging the request promptly and explaining any delays. Automated DSR platforms can reduce response time to under 10 days.

If I'm GDPR compliant, am I automatically CCPA compliant?

Not automatically, but you're 70-80% of the way there. GDPR compliance covers most CCPA requirements, but you'll need to add CCPA-specific elements: "Do Not Sell or Share" link, "Limit the Use of Sensitive PI" link, GPC signal processing, CCPA-specific privacy policy disclosures, and 12 months of data provision (vs 30 days for GDPR). The consent models differ, so cookie/tracking consent may need adjustment.

Related Resources

🇪🇺

GDPR Compliance Guide

Complete guide to GDPR requirements, implementation, and ongoing compliance

Learn More →
🌉

CCPA Compliance Guide

Everything about California Consumer Privacy Act and CPRA requirements

Learn More →
📅

Book a Demo

See how LowerPlane automates CCPA and GDPR compliance

Schedule Demo →

Related Articles

🌉
Privacy

What is CCPA? California Privacy Law Guide

Complete guide to CCPA requirements, applicability, and compliance steps.

🇪🇺
Privacy

What is GDPR Compliance? Complete Guide

Everything you need to know about GDPR compliance for your business.

🔒
Best Practices

Data Privacy Best Practices for 2026

Essential privacy best practices for modern businesses and compliance.

Get Privacy Compliance Updates & Guides

Join 8,000+ privacy professionals getting expert tips on CCPA, GDPR, and emerging privacy regulations.

No spam. Unsubscribe anytime.