# GDPR vs CCPA: Privacy Law Comparison
GDPR and CCPA are the two most influential privacy regulations affecting businesses today. While both aim to protect consumer privacy, they differ significantly in scope, requirements, and enforcement. Understanding these differences is crucial for global compliance.
## Quick Comparison
| Factor | GDPR | CCPA/CPRA |
|---|---|---|
| Jurisdiction | European Union + EEA | California, USA |
| Effective Date | May 25, 2018 | January 1, 2020 (CPRA: Jan 2023) |
| Who It Applies To | Any org processing EU residents' data | Businesses meeting revenue/data thresholds |
| Data Covered | Personal data (broad definition) | Personal information (similar scope) |
| Consent Model | Opt-in required | Opt-out model |
| Max Penalties | €20M or 4% global revenue | $7,500 per intentional violation |
| Private Right of Action | Yes (varies by country) | Limited (data breaches only) |
| Enforcement Body | Data Protection Authorities | California Privacy Protection Agency |
## Who Must Comply?

### GDPR Applies If You:
- ✓ Have an establishment in the EU
- ✓ Offer goods/services to EU residents
- ✓ Monitor behavior of EU residents
- ✓ Process data of EU residents (any size)
No minimum size threshold—applies to all organizations
### CCPA Applies If You:
- ✓ Annual revenue > $25 million, OR
- ✓ Buy/sell data of 100K+ consumers, OR
- ✓ 50%+ revenue from selling data
- ✓ Do business in California
Must meet at least one threshold to be covered
## Consumer Rights Comparison
| Right | GDPR | CCPA/CPRA |
|---|---|---|
| Right to Know/Access | ✓ | ✓ |
| Right to Delete | ✓ | ✓ |
| Right to Portability | ✓ | ✓ |
| Right to Correct | ✓ | ✓ (CPRA) |
| Right to Opt-Out of Sale | ~ | ✓ |
| Right to Non-Discrimination | ~ | ✓ |
| Right to Restrict Processing | ✓ | ✓ (CPRA) |
| Right to Object | ✓ | ~ |
| Automated Decision Rights | ✓ | ✓ (CPRA) |
## The Fundamental Difference: Opt-In vs Opt-Out

### GDPR: Opt-In Model
GDPR requires explicit, affirmative consent before collecting or processing personal data. Pre-checked boxes don't count—users must actively agree.
- Consent must be freely given
- Must be specific and informed
- Must be unambiguous
- Easy to withdraw consent
### CCPA: Opt-Out Model
CCPA allows data collection by default but requires a clear "Do Not Sell My Personal Information" link and honoring opt-out requests.
- Collection allowed without consent
- Must disclose data practices
- Must provide opt-out mechanism
- 12-month opt-out request limit
## Penalties Comparison

### GDPR Penalties
- Lower tier: Up to €10M or 2% global revenue
- Upper tier: Up to €20M or 4% global revenue
- Notable fines:
  - Meta: €1.2B (2023)
  - Amazon: €746M (2021)
  - Google: €90M (2022)
### CCPA Penalties
- Unintentional: $2,500 per violation
- Intentional: $7,500 per violation
- Data breaches: $100-$750 per consumer
- Notable: Sephora $1.2M settlement (2022)
- Violations can add up quickly with large datasets
## Compliance Requirements

### GDPR Requirements
- ✓ Appoint a Data Protection Officer (if required)
- ✓ Maintain Records of Processing Activities (ROPA)
- ✓ Conduct Data Protection Impact Assessments (DPIA)
- ✓ Implement Privacy by Design principles
- ✓ Establish lawful basis for processing
- ✓ Manage cross-border data transfers (SCCs, adequacy)
- ✓ Report breaches within 72 hours
- ✓ Respond to data subject requests within 1 month
### CCPA/CPRA Requirements
- ✓ Update privacy policy with required disclosures
- ✓ Provide "Do Not Sell/Share" opt-out link
- ✓ Implement consumer request processes
- ✓ Verify consumer identity for requests
- ✓ Train employees on CCPA requirements
- ✓ Maintain records of requests for 24 months
- ✓ Respond to requests within 45 days
- ✓ Implement reasonable security measures
## Control Overlap: 70-80%
Despite their differences, GDPR and CCPA share many common requirements. Organizations compliant with GDPR are well-positioned for CCPA compliance.
### Overlapping Requirements
- Privacy policy disclosures
- Consumer access and deletion rights
- Data inventory and mapping
- Vendor/service provider agreements
- Security safeguards
- Employee training programs
- Request response processes
### Key Differences
- Consent model (opt-in vs opt-out)
- DPO requirement (GDPR only)
- DPIA requirement (GDPR only)
- "Do Not Sell" link (CCPA only)
- Breach notification timing
- Cross-border transfer rules
## Dual Compliance Strategy

## Common Questions

### If I'm GDPR compliant, am I automatically CCPA compliant?
Not automatically, but you're 70-80% there. GDPR is generally stricter, but CCPA has specific requirements (like "Do Not Sell" links) that GDPR doesn't address.
### Which law should I prioritize?
It depends on your customer base. If you have EU customers, GDPR is mandatory. If you meet CCPA thresholds and operate in California, comply with both. Start with GDPR—it's more comprehensive.
### What about other US state privacy laws?
Virginia, Colorado, Connecticut, Utah, and other states have enacted privacy laws. Most align with CCPA, so CCPA compliance provides a strong foundation for other state laws.
## Achieve GDPR + CCPA compliance efficiently
LowerPlane maps shared requirements between GDPR and CCPA, allowing you to implement unified privacy controls and reduce compliance costs by 40%.