GDPR vs CCPA: Key Differences and Which One Applies to You
Two Privacy Laws, Two Different Approaches
The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are the two most influential privacy laws affecting online businesses today. Both aim to give individuals more control over their personal data, but they take notably different approaches to achieving that goal. If your website or app serves users in Europe or California, understanding these differences is not optional.
Who Do These Laws Apply To?
GDPR Scope
The GDPR applies to any organization that processes personal data of individuals located in the European Economic Area (EEA), regardless of where the organization itself is based. A small SaaS company in Texas that has even a single user in Germany falls under GDPR jurisdiction. There is no revenue threshold or minimum company size. If you collect data from EEA residents, GDPR applies to you.
CCPA Scope
The CCPA is narrower. It applies to for-profit businesses that collect personal information from California residents and meet at least one of these thresholds: annual gross revenue over $25 million, buying/selling/sharing personal information of 100,000 or more consumers or households per year, or deriving 50% or more of annual revenue from selling or sharing personal information. Nonprofits and small businesses below these thresholds are generally exempt.
What Counts as Personal Data?
The GDPR defines personal data broadly as any information relating to an identified or identifiable natural person. This includes names, email addresses, IP addresses, cookie identifiers, and even pseudonymized data if it can be linked back to an individual.
The CCPA uses the term "personal information" and defines it as information that identifies, relates to, describes, or could reasonably be linked to a particular consumer or household. The CCPA explicitly includes household-level data, which the GDPR does not. However, the CCPA excludes publicly available information from government records, while the GDPR generally does not make this distinction.
Consent Models
This is where the two laws diverge most sharply. The GDPR operates on an opt-in model. Before you collect or process personal data, you need a lawful basis. Consent is one of six lawful bases, and when you rely on consent, it must be freely given, specific, informed, and unambiguous. Pre-checked boxes do not count. Users must take a clear affirmative action.
The CCPA operates on an opt-out model. You can collect and use personal information without asking for prior consent, but you must give consumers the right to opt out of the sale or sharing of their data. The notable exception is for minors: businesses need opt-in consent before selling data of consumers under 16, and parental consent for those under 13.
For businesses building a GDPR-compliant privacy policy, the consent requirements are more demanding and require careful implementation of cookie consent banners and data processing records.
User Rights Comparison
Both laws grant individuals a set of rights over their personal data, but the specifics differ.
- Right to Access: Both laws let users request a copy of their data. Under GDPR, you must respond within 30 days. Under CCPA, you have 45 days.
- Right to Delete: Both laws include a right to deletion, though each has different exceptions. GDPR allows refusal when data is needed for legal claims or public interest. CCPA allows refusal for completing transactions, security, legal obligations, and certain internal uses.
- Right to Portability: GDPR gives users the right to receive their data in a structured, machine-readable format and transfer it to another controller. The CCPA includes a similar right through its access provisions but does not emphasize controller-to-controller transfer.
- Right to Correct: GDPR includes a right to rectification. The CPRA (the amendment to CCPA effective January 2023) added a similar right to correct inaccurate information.
- Right to Opt Out of Sale: This is unique to CCPA. There is no direct equivalent under GDPR because GDPR requires opt-in consent for most processing in the first place.
- Right to Non-Discrimination: CCPA explicitly prohibits businesses from discriminating against consumers who exercise their rights. GDPR addresses this implicitly through its general fairness principle.
Penalties and Enforcement
GDPR penalties can reach up to 20 million euros or 4% of annual global turnover, whichever is higher. Enforcement is handled by Data Protection Authorities (DPAs) in each EU member state. Major fines have been issued against companies like Meta, Amazon, and Google, running into hundreds of millions of euros.
CCPA penalties are comparatively modest. The California Attorney General can impose fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. However, the CCPA also gives consumers a private right of action for data breaches, with statutory damages between $100 and $750 per consumer per incident. A breach affecting millions of users can add up quickly.
Data Protection Officers and Record-Keeping
The GDPR requires certain organizations to appoint a Data Protection Officer (DPO), particularly public authorities and organizations that process sensitive data at scale. There is no equivalent requirement under the CCPA.
GDPR also mandates that organizations maintain detailed records of processing activities (Article 30). The CCPA does not have a comparable record-keeping requirement, though businesses must be able to respond to consumer requests and verify identities.
Which One Applies to You?
The short answer: possibly both. If your website is accessible to users in both the EU and California, and you meet the CCPA thresholds, you need to comply with both laws. Many businesses find it practical to adopt the stricter standard (usually GDPR) as a baseline and then layer on CCPA-specific requirements like the "Do Not Sell or Share My Personal Information" link.
If you only serve California users and meet the revenue or data volume thresholds, you need a CCPA-compliant privacy policy. If you serve EU users at all, GDPR compliance is required regardless of your company size.
Practical Steps for Compliance
- Audit your data collection: Know what personal data you collect, where it comes from, and what you do with it.
- Update your privacy policy: It should clearly describe your data practices, the rights users have, and how to exercise them.
- Implement consent mechanisms: For GDPR, add a cookie consent banner that blocks non-essential cookies until consent is given. For CCPA, add a "Do Not Sell or Share My Personal Information" link.
- Set up processes for rights requests: You need systems to receive, verify, and fulfill access, deletion, and correction requests within the required timeframes.
- Review your vendor agreements: Both laws impose requirements on how you share data with third parties and processors.
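The consent-mechanism step above is the one that is usually implemented in front-end code, so here is an added example of the gating logic (it is not code from the article or from any named product). It decides which non-essential script categories may run for a visitor: under the GDPR label it is opt-in and nothing runs until an affirmative choice has been stored, under the CCPA label everything runs by default but the "Do Not Sell or Share" choice removes the categories that involve sharing, and consumers under 16 need opt-in for those same categories. The regime labels, the two category names, the shape of the stored consent record, the script manifest and the assumption that only the marketing category involves sharing with third parties are all assumptions of this example.

```javascript
// Added example (not from the article): gate non-essential scripts on consent state.
// Assumptions: regime labels 'GDPR' / 'CCPA', the category names below, the shape of
// the stored consent record, and that only 'marketing' involves "sale or sharing".

const NON_ESSENTIAL = ['analytics', 'marketing'];
const SHARING = ['marketing']; // categories treated as sale/sharing (assumption)

// Constructed manifest of the site's scripts; 'essential' scripts never need consent.
const SCRIPT_MANIFEST = [
  { category: 'essential', src: '/js/app.js' },
  { category: 'analytics', src: 'https://analytics.example/collect.js' },
  { category: 'marketing', src: 'https://ads.example/pixel.js' },
];

// Categories the visitor affirmatively selected. Anything that is not a recognised
// non-essential category (for example an 'essential' entry) is ignored.
function grantedCategories(record) {
  if (!record || !Array.isArray(record.granted)) return [];
  return NON_ESSENTIAL.filter(c => record.granted.includes(c));
}

// Non-essential categories allowed to run for this visitor.
//   'GDPR': opt-in. A missing record means no consent, which is exactly what rules
//           out pre-checked defaults: the user must have taken an affirmative action.
//   'CCPA': opt-out. Runs by default; "Do Not Sell or Share" drops the sharing
//           categories, and under-16s need opt-in before their data is sold/shared.
//   anything else: fail closed and behave like opt-in.
function allowedCategories(regime, record) {
  const granted = grantedCategories(record);
  if (regime === 'CCPA') {
    if (record && record.doNotSell) {
      // Opted out of sale/sharing: keep only categories that do not share data.
      return NON_ESSENTIAL.filter(c => !SHARING.includes(c));
    }
    if (record && record.under16) {
      // Minor: non-sharing categories run by default, sharing ones only if opted in.
      return NON_ESSENTIAL.filter(c => !SHARING.includes(c) || granted.includes(c));
    }
    return [...NON_ESSENTIAL];
  }
  // 'GDPR' and unknown regimes: only what was affirmatively granted.
  return granted;
}

// Split the manifest into scripts to load and scripts to hold back.
function partitionScripts(regime, record, manifest = SCRIPT_MANIFEST) {
  const allowed = new Set(allowedCategories(regime, record));
  const load = [];
  const block = [];
  for (const s of manifest) {
    const ok = s.category === 'essential' || allowed.has(s.category);
    (ok ? load : block).push(s.src);
  }
  return { load, block };
}

// Browser-side use: insert <script> tags only for the allowed set. Guarded so the
// same module also runs under Node; in both cases it returns what was (or would be) loaded.
function injectAllowed(regime, record, manifest = SCRIPT_MANIFEST) {
  const { load } = partitionScripts(regime, record, manifest);
  if (typeof document === 'undefined') return load;
  for (const src of load) {
    const el = document.createElement('script');
    el.src = src;
    el.async = true;
    document.head.appendChild(el);
  }
  return load;
}
```

The important design point is the default: a consent record that is absent or malformed yields an empty set under the opt-in branch, so a banner bug or a cleared cookie results in fewer scripts running rather than more. The stored record itself should be written only by the banner's explicit choice handler, never initialised with categories pre-selected.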
Summary Table
Here is a quick reference comparing the key differences:
- Geographic scope: GDPR covers EEA residents globally; CCPA covers California residents.
- Business threshold: GDPR has none; CCPA requires $25M+ revenue or 100K+ consumers.
- Consent model: GDPR is opt-in; CCPA is opt-out.
- Maximum penalty: GDPR is 4% of global revenue; CCPA is $7,500 per violation.
- Private right of action: GDPR generally no (varies by member state); CCPA yes, for data breaches.
This article is for informational purposes only and does not constitute legal advice.