TL;DR: Quick Takeaways
- • GDPR applies to the personal data of people in the EU/EEA wherever that data is processed; CCPA applies to California residents and to for-profit businesses meeting revenue/data thresholds
- • GDPR requires a lawful basis (often opt-in consent) before processing; CCPA permits processing by default and gives consumers an opt-out for sales and sharing
- • GDPR fines up to €20M or 4% of global annual revenue, whichever is higher; CCPA up to $7,500 per intentional violation, plus a private right of action for data breaches
- • If you're GDPR compliant, you're mostly CCPA compliant, but not vice versa; CCPA still adds its own links, disclosures and signal-handling duties
The General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA, as amended by CPRA) are the two most influential privacy regulations affecting global businesses. While they share common goals—protecting consumer privacy—they differ significantly in scope, approach, and requirements.
This guide provides a detailed comparison to help you understand where these regulations overlap, where they diverge, and how to build a privacy program that satisfies both. Whether you're subject to one or both, understanding these differences is essential for effective compliance.
Quick Comparison Overview
| Aspect | GDPR | CCPA/CPRA |
|---|---|---|
| Effective Date | May 25, 2018 | Jan 1, 2020 (CCPA); Jan 1, 2023 (CPRA) |
| Geographic Scope | EU/EEA residents (global reach) | California residents only |
| Who Must Comply | Any org processing EU data | Businesses meeting revenue/data thresholds |
| Consent Model | Opt-in (affirmative consent) | Opt-out (for sales/sharing) |
| Maximum Penalties | €20M or 4% global revenue | $7,500/intentional violation |
| Private Right of Action | Limited | Yes (data breaches) |
| Enforcement | National Data Protection Authorities | California Privacy Protection Agency (CPPA) and California Attorney General |
GDPR at a Glance
The world's most comprehensive privacy regulation, setting the global standard for data protection. Protects EU residents regardless of where their data is processed.
Philosophy: Privacy as a fundamental human right requiring proactive protection.
CCPA/CPRA at a Glance
California's landmark privacy law, the strictest in the US. Focuses on transparency and consumer control over personal information.
Philosophy: Consumer right to know and control commercial use of their data.
Achieve GDPR and CCPA Compliance Together
LowerPlane helps you build a unified privacy program that satisfies both GDPR and CCPA requirements with shared controls and streamlined processes.
Scope and Applicability
One of the biggest differences between GDPR and CCPA is who must comply and what data is covered.
GDPR Applicability
Who Must Comply:
- • Organizations established in the EU/EEA
- • Non-EU orgs offering goods/services to EU residents
- • Non-EU orgs monitoring behavior of EU residents
- • No revenue or size thresholds—applies to all
What Data is Covered:
- • Any information relating to identified/identifiable person
- • Online identifiers (IP addresses, cookies)
- • Pseudonymized data (still personal data)
- • Special categories: health, biometric, genetic, political
CCPA/CPRA Applicability
Who Must Comply (meet any threshold):
- • Annual gross revenue > $25 million
- • Buy/sell/share data of 100,000+ consumers/households
- • 50%+ revenue from selling/sharing personal info
- • Only for-profit businesses doing business in CA
What Data is Covered:
- • Information identifying/relating to CA consumer/household
- • Online identifiers, browsing history, geolocation
- • Inferences drawn from other personal info
- • "Sensitive Personal Information" category (CPRA)
Key Scope Difference:
GDPR applies to ALL organizations processing EU data—a 5-person startup is subject to the same rules as a global enterprise. CCPA only applies to larger businesses meeting specific thresholds. However, many state privacy laws (Virginia, Colorado, etc.) are expanding coverage.
Consumer Rights Comparison
Both regulations grant consumers specific rights over their personal data, though the scope and implementation differ.
| Right | GDPR | CCPA/CPRA |
|---|---|---|
| Right to Know/Access | ✅ Yes (one month, extendable by two further months for complex requests) | ✅ Yes (45 days, extendable by a further 45 days) |
| Right to Delete | ✅ Yes (right to erasure) | ✅ Yes (with exceptions) |
| Right to Correct | ✅ Yes (rectification) | ✅ Yes (CPRA added) |
| Right to Portability | ✅ Yes (machine-readable format) | ✅ Yes (limited scope) |
| Right to Opt-Out of Sale | ⚠️ Via consent withdrawal | ✅ Yes (core right) |
| Right to Limit Sensitive Data Use | ✅ Special categories require explicit consent | ✅ Yes (CPRA: limit use) |
| Right to Object to Processing | ✅ Yes (including profiling) | ✅ Opt-out of automated decision-making (CPRA) |
| Non-Discrimination | ✅ Implicit in fair processing | ✅ Explicit right (can't penalize for exercising rights) |
GDPR-Unique Rights
- • Right to Restriction: Pause processing while disputes are resolved
- • Right to Object: Broad objection right to legitimate interest processing
- • Automated Decision Rights: Right to human review of significant automated decisions
CCPA-Unique Rights
- • Opt-Out of Sale/Sharing: Specific right with mandatory link requirement
- • Financial Incentive Disclosure: Must explain value exchange for data
- • Household Rights: Rights extend to household-level data
Consent and Legal Basis
The biggest philosophical difference: GDPR is an opt-in regime; CCPA is primarily opt-out.
GDPR: Opt-In by Default
GDPR requires a lawful basis BEFORE processing personal data. Consent is just one of six options:
Six Lawful Bases:
- 1. Consent - Freely given, specific, informed
- 2. Contract - Necessary to fulfill contract
- 3. Legal Obligation - Required by law
- 4. Vital Interests - Protect life
- 5. Public Task - Public interest/authority
- 6. Legitimate Interest - Balanced against individual rights
Consent Requirements:
- • Affirmative action (no pre-checked boxes)
- • Specific to each purpose
- • Easily withdrawn
- • Not bundled with terms of service
- • Documented and auditable
CCPA: Opt-Out Model
CCPA allows processing by default but gives consumers the right to opt-out of certain uses:
Opt-Out Rights:
- • Do Not Sell My Personal Information
- • Do Not Share My Personal Information (CPRA)
- • Limit Use of Sensitive Personal Information (CPRA)
- • Must provide clear, conspicuous opt-out link
- • Must honor Global Privacy Control (GPC) signal
Exceptions Requiring Consent:
- • Minors under 16 (opt-in required)
- • Children under 13 (parental consent)
- • After opt-out, need consent to opt back in
- • Financial incentive programs
Practical Implication:
If you're GDPR compliant with proper opt-in consent mechanisms, you already exceed CCPA's consent requirements. You still need the CCPA-specific pieces that GDPR never asks for: the "Do Not Sell or Share" link, Global Privacy Control handling, financial incentive disclosures and the California-specific notice content. Being CCPA compliant, on the other hand, does not make you GDPR compliant: you would need to add opt-in consent for EU users and document a lawful basis for every processing activity.
Penalties and Enforcement
Both regulations have significant penalties, but GDPR's are generally larger while CCPA allows private lawsuits for breaches.
GDPR Penalties
Tier 1 Violations:
Up to €10 million or 2% of global annual revenue
Technical measures, DPO requirements, breach notification
Tier 2 Violations:
Up to €20 million or 4% of global annual revenue
Data subject rights, lawful basis, international transfers
Notable Fines:
- • Meta: €1.2 billion (international transfers)
- • Amazon: €746 million (advertising consent)
- • Google: €150 million (cookie consent; imposed by the French CNIL under French ePrivacy rules rather than GDPR's fine tiers)
CCPA/CPRA Penalties
Unintentional Violations:
$2,500 per violation (CPRA removed the mandatory 30-day cure period as of 2023; whether to allow a cure is now at the enforcer's discretion)
Intentional Violations:
$7,500 per violation
Children's Data Violations:
$7,500 per violation involving personal information of consumers under 16, whether or not the violation was intentional
Private Right of Action (Breaches):
- • $100-$750 per consumer per incident
- • Or actual damages (whichever greater)
- • Applies to data breaches from security failures
Class Action Risk (CCPA):
The private right of action for data breaches creates significant class action exposure. A breach affecting 1 million California residents could result in $100-750 million in statutory damages, plus attorney fees. This risk has driven many organizations to prioritize CCPA compliance even if not GDPR-subject.
Notice and Transparency Requirements
Both regulations require transparent privacy notices, but with different specific requirements.
Privacy Notice Requirements
| Requirement | GDPR | CCPA |
|---|---|---|
| Categories of data collected | ✅ | ✅ |
| Purposes of processing | ✅ | ✅ |
| Third-party sharing/selling | ✅ | ✅ |
| Consumer rights explained | ✅ | ✅ |
| Retention periods | ✅ | ✅ (CPRA) |
| Lawful basis for processing | ✅ | ❌ |
| DPO contact information | ✅ | ❌ |
| "Do Not Sell" link | ❌ | ✅ |
| Financial incentive disclosure | ❌ | ✅ |
| Collection notice at point of collection | ✅ | ✅ |
Best Practice: Unified Privacy Notice
Create a single comprehensive privacy notice that satisfies both GDPR and CCPA requirements. Include jurisdiction-specific sections for EU and California users. This approach ensures consistency and simplifies maintenance while meeting all requirements.
Unified Privacy Compliance Platform
LowerPlane provides integrated GDPR and CCPA compliance with unified consent management, DSR workflows, and multi-jurisdiction privacy notices.
- ✓ Multi-jurisdiction consent management
- ✓ Automated DSR fulfillment for both regulations
- ✓ Unified data mapping across EU and US
- ✓ Privacy notice templates meeting both requirements
Achieving Dual Compliance: Practical Strategy
If your business operates globally or serves both EU and California consumers, here's how to efficiently achieve compliance with both regulations.
Step 1: Start with GDPR as Your Baseline
GDPR is more comprehensive. If you're GDPR compliant, you're approximately 80% of the way to CCPA compliance.
- • Implement opt-in consent mechanisms
- • Establish data subject rights processes
- • Create comprehensive privacy notices
- • Conduct data mapping and impact assessments
- • Implement technical security measures
Step 2: Add CCPA-Specific Requirements
Layer on CCPA-specific elements that go beyond GDPR:
- • Add "Do Not Sell or Share My Personal Information" link
- • Implement Global Privacy Control (GPC) recognition
- • Update privacy notice with CCPA-specific disclosures
- • Add "Limit Use of Sensitive Personal Information" option
- • Disclose financial incentive programs
- • Track separate response timelines per regime (45 days under CCPA vs. one month under GDPR, each extendable once)
Step 3: Implement Jurisdiction Detection
Serve appropriate notices and collect appropriate consent based on user location:
- • Detect user location (IP-based geolocation or explicit selection); IP lookups are unreliable behind VPNs and corporate proxies, so default unresolved users to the stricter opt-in regime
- • Show GDPR cookie banner for EU users (opt-in)
- • Show CCPA notice for California users (opt-out available)
- • Route DSRs to appropriate workflow based on regulation
- • Apply appropriate response timelines
Step 4: Unify Where Possible
Don't maintain entirely separate programs—unify where requirements overlap:
- • Single data inventory covering both regulations
- • Unified DSR intake with regulatory routing
- • Common security controls (encryption, access control)
- • Single vendor assessment process
- • Shared training program with jurisdiction-specific modules
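The routing described in Steps 2 through 4 is small enough to show in code. The following is an added example, not LowerPlane's product code or anything from the original article. It assumes the caller has already resolved the user to a jurisdiction string ("EU", "CA" or anything else for unresolved), passes raw request headers as a dictionary, and stores the user's recorded choices under constructed key names (`sale_sharing_consent`, `sensitive_consent`, `opted_out_of_sale`, `limited_sensitive_use`). The one protocol fact it relies on is real: a browser with Global Privacy Control enabled sends the request header `Sec-GPC: 1`. Treating that signal as a consent withdrawal for EU users is a conservative design choice, not a GDPR requirement.

```python
"""Jurisdiction-aware consent routing with GPC handling (added example).

Constructed for illustration; field names, key names and the "OTHER"
fallback are assumptions, not the article's or any vendor's API.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Mapping, Optional


@dataclass(frozen=True)
class ConsentPolicy:
    jurisdiction: str            # value the caller resolved ("EU", "CA", "OTHER", ...)
    regime: str                  # "GDPR" or "CCPA"
    model: str                   # "opt-in" (GDPR) or "opt-out" (CCPA/CPRA)
    sale_sharing_allowed: bool   # may data be sold/shared for cross-context ads right now?
    sensitive_use_allowed: bool  # may sensitive/special-category data be used beyond the core service?
    show_do_not_sell_link: bool  # CCPA-specific footer links required?
    dsr_deadline_days: int       # initial response window for access/delete requests


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True when the request carries a Global Privacy Control opt-out.

    The GPC spec defines the request header `Sec-GPC` with the value `1`;
    any other value, or no header, means no signal. Header names are
    case-insensitive, so compare lower-cased.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def resolve_policy(jurisdiction: str, headers: Mapping[str, str],
                   choices: Mapping[str, bool],
                   age: Optional[int] = None) -> ConsentPolicy:
    """Pick the governing regime and compute what is currently permitted."""
    gpc = gpc_signal_present(headers)

    if jurisdiction == "CA":
        # CCPA/CPRA: sale/sharing is permitted by default and stopped by an
        # opt-out, whether clicked or sent as a GPC signal. For consumers under
        # 16 the default flips to opt-in (under 13 the recorded consent must
        # come from a parent; this example stores both under the same flag).
        minor = age is not None and age < 16
        if minor:
            sale_ok = choices.get("sale_sharing_consent", False) and not gpc
        else:
            sale_ok = not choices.get("opted_out_of_sale", False) and not gpc
        # "Limit Use of Sensitive Personal Information" is also opt-out.
        sensitive_ok = not choices.get("limited_sensitive_use", False)
        return ConsentPolicy(jurisdiction, "CCPA", "opt-out",
                             sale_ok, sensitive_ok, True, 45)

    # GDPR rules for EU/EEA users, and the conservative fallback for anyone
    # whose location could not be determined (assumption: unresolved users get
    # the stricter opt-in regime rather than the permissive one).
    # Nothing is permitted without a recorded affirmative choice; a GPC signal
    # is treated as a withdrawal of consent for sale/sharing (design choice).
    sale_ok = choices.get("sale_sharing_consent", False) and not gpc
    sensitive_ok = choices.get("sensitive_consent", False)
    return ConsentPolicy(jurisdiction, "GDPR", "opt-in",
                         sale_ok, sensitive_ok, False, 30)


def dsr_due_date(policy: ConsentPolicy, received_iso: str) -> str:
    """Initial DSR deadline as an ISO date; extensions are tracked separately."""
    received = date.fromisoformat(received_iso)
    return (received + timedelta(days=policy.dsr_deadline_days)).isoformat()


if __name__ == "__main__":
    # Constructed sample request from a Californian browser with GPC on.
    sample_headers = {"User-Agent": "ExampleBrowser/1.0", "Sec-GPC": "1"}
    policy = resolve_policy("CA", sample_headers, {"opted_out_of_sale": False})
    print(policy)
    print("DSR due:", dsr_due_date(policy, "2024-01-01"))
```

The important behaviours to test are the ones auditors ask about: GPC overrides a recorded "not opted out" state for California users, a `Sec-GPC` value other than `1` is ignored, minors fall back to opt-in, and an unresolved jurisdiction lands on the GDPR branch rather than silently defaulting to permissive processing.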
Ready to Tackle GDPR and CCPA Together?
LowerPlane helps you build a unified privacy program that efficiently satisfies both EU and California requirements.
Key Takeaways
- 1. GDPR applies to all organizations processing EU data regardless of size; CCPA applies only to larger businesses meeting specific revenue/data thresholds.
- 2. GDPR is opt-in by default (lawful basis before processing); CCPA is opt-out (processing allowed, consumers can opt out of sales/sharing).
- 3. Both grant similar rights (access, deletion, portability) but with different timelines and CCPA's unique "Do Not Sell or Share" requirement.
- 4. GDPR has higher maximum fines (4% of global revenue); CCPA enables private lawsuits for breaches, creating class action risk.
- 5. Start with GDPR compliance as your baseline, then layer on CCPA-specific requirements; this is the most efficient path to dual compliance.
Frequently Asked Questions
If I'm GDPR compliant, am I automatically CCPA compliant?
What about other US state privacy laws?
How do I handle users who travel between jurisdictions?
What is Global Privacy Control (GPC) and do I need to honor it?
Can I use the same consent management platform for both?