GDPR vs CCPA Overview
The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two of the most influential privacy regulations in the world. While both aim to protect consumer data, they differ significantly in their approach, scope, and requirements.
Understanding these differences is essential for businesses that operate internationally or serve customers in both the EU and California.
Key Difference at a Glance
- GDPR: Consent-based (opt-in), applies to any organization processing EU data
- CCPA: Opt-out model, only applies to businesses meeting revenue/data thresholds
- GDPR: Stricter, broader rights, higher penalties
- CCPA: More flexible, business-friendly thresholds
Consent Models: Opt-In vs Opt-Out
The most fundamental difference between GDPR and CCPA is their consent model:
GDPR: Opt-In Consent
GDPR uses an opt-in model. Organizations must obtain explicit, affirmative consent before collecting or processing personal data. Key requirements:
- Consent must be freely given, specific, informed, and unambiguous
- Pre-ticked boxes, silence, or inactivity do not constitute consent
- Consent must be as easy to withdraw as to give
- Processing cannot begin until consent is obtained
- Separate consent required for different processing purposes
CCPA: Opt-Out Model
CCPA uses an opt-out model. Organizations can collect data by default, but must provide consumers the ability to stop (opt-out of) certain practices:
- Data collection is allowed unless consumer explicitly says no
- Must provide "Do Not Sell or Share My Personal Information" link
- Must honor opt-out requests within 45 days
- Can "limit use" of sensitive personal information
- Children under 16 must opt-in (consent) for data sales
Implications for Businesses
Under GDPR, you must get consent before collecting any data. Under CCPA, you can collect data by default but must provide clear opt-out mechanisms. Many businesses choose to implement GDPR-style consent everywhere for simplicity.
Business Thresholds
GDPR and CCPA differ significantly in who they apply to:
GDPR: No Thresholds
GDPR applies to any organization that processes personal data of EU residents, regardless of size:
- No revenue threshold
- No minimum number of data subjects
- Applies to small businesses, startups, and individuals
- Applies to non-profits and public bodies
- Even one EU visitor triggers compliance
CCPA: Specific Thresholds
CCPA only applies to businesses meeting one or more thresholds:
- Revenue: Annual gross revenue exceeding $25 million
- Data Volume: Buy, sell, or share 100,000+ consumers' data annually
- Revenue from Data: 50%+ of revenue from selling personal information
- Joint Ventures: Control/control by business meeting thresholds
GDPR Applicability
- All businesses processing EU data
- No size requirements
- Even with one EU visitor
- Applies globally if serving EU
CCPA Applicability
- Large businesses only
- $25M+ revenue threshold
- 100K+ consumers data volume
- Primarily US-focused
Consumer Rights Comparison
Both regulations grant consumers rights over their data, but GDPR provides more extensive rights:
GDPR Data Subject Rights
- Right to be Informed: Know what data is collected
- Right of Access: Get copy of personal data
- Right to Rectification: Correct inaccurate data
- Right to Erasure: "Right to be forgotten"
- Right to Restrict Processing: Limit how data is used
- Right to Data Portability: Transfer data to another service
- Right to Object: Object to specific processing
- Rights Related to Automated Decision-Making: Contest AI decisions
CCPA Consumer Rights
- Right to Know: Categories of data collected
- Right to Delete: Request data deletion
- Right to Opt-Out: Stop sale/sharing of data
- Right to Correct: Fix inaccurate data (CPRA)
- Right to Limit Use of Sensitive Data: Restrict sensitive data use
- Right to Non-Discrimination: Not penalized for exercising rights
Key Differences in Rights
- Portability: GDPR requires machine-readable format; CCPA doesn't
- Automated Decisions: GDPR has specific AI rights; CCPA doesn't
- Scope of Access: GDPR allows specific data access; CCPA mostly categorical
- Sensitive Data: CCPA has specific sensitive data provisions not in GDPR
Penalties and Enforcement
Both regulations have significant penalties, but GDPR is notably harsher:
GDPR Penalties
- Tier 1: Up to €10 million or 2% of global annual revenue
- Tier 2: Up to €20 million or 4% of global annual revenue
- Which applies: Tier 2 for principle violations, rights violations
- Enforcement: Individual EU member state authorities
CCPA Penalties
- Non-intentional: Up to $2,500 per violation
- Intentional: Up to $7,500 per violation
- Private Right of Action: $100-$750 per data breach incident
- Enforcement: California Privacy Protection Agency
Real-World Impact
For a company with $100 million in global revenue: GDPR max penalty = €4 million ($4.3M). For CCPA with 1 million affected consumers: max penalty = $7.5 million. However, GDPR applies to any EU visitor; CCPA only if thresholds are met.
Geographic Scope
One of the most important differences is who is covered:
GDPR: Global Reach
GDPR applies to any organization worldwide that processes personal data of EU residents:
- Applies to US, Asian, and global businesses
- Triggered by having EU visitors/users/customers
- Even a single EU visitor triggers compliance
- Must comply even if not physically in EU
CCPA: California Focus
CCPA primarily affects businesses doing business in California:
- Must "do business in California"
- Primarily affects US-based businesses
- Many international businesses unaffected
- Can affect global companies with CA operations
Bottom Line: If you have any EU visitors, GDPR likely applies. If you don't meet CCPA thresholds, you may not need to comply even with California customers.
Full Comparison Table
| Aspect | GDPR | CCPA |
|---|---|---|
| Effective Date | May 25, 2018 | January 1, 2020 |
| Consent Model | Opt-in (must get consent first) | Opt-out (can collect until told to stop) |
| Business Threshold | None - applies to all | $25M+ revenue or 100K+ consumers |
| Geographic Scope | Worldwide (EU residents) | California residents (US-focused) |
| Max Penalty | €20M or 4% global revenue | $7,500 per violation |
| Data Subject Rights | 8 rights (extensive) | 6 rights (more limited) |
| Data Portability | Required (machine-readable) | Not explicitly required |
| Breach Notification | 72 hours to authorities | Not specifically required |
| DPO Required | Sometimes (large-scale processing) | Not required |
| Privacy Policy | Detailed, comprehensive | Specific categories required |
| Children's Data | 16 (can be 13 with parental consent) | 13 (opt-in for sales under 16) |
| Sensitive Data | Special category data (health, etc.) | Sensitive PI (financial, location) |
Compliance: How to Handle Both
If your business needs to comply with both GDPR and CCPA, here's a practical approach:
Start with GDPR (Strictest)
- Implement opt-in consent for all data collection
- Build comprehensive data subject request systems
- Create detailed privacy policy covering all requirements
- Appoint DPO if required
- Establish 72-hour breach notification process
Add CCPA Requirements
- Add "Do Not Sell or Share" link to homepage/footer
- Add "Limit Use of Sensitive Data" link
- Support Global Privacy Control (GPC) signals
- Update for California-specific definitions
- Ensure non-discrimination for rights exercises
Simplify with One Approach
Many businesses find it easiest to adopt GDPR-style practices universally, which naturally satisfies CCPA requirements. This includes:
- Clear, opt-in consent for all data collection
- Detailed privacy policy with all required disclosures
- Robust data subject rights request handling
- Easy-to-access opt-out mechanisms
- Data minimization and purpose limitation
Analyze Your Privacy Policy
PolicyLens can check if your privacy policy meets requirements for both GDPR and CCPA compliance.
Analyze Your Policy Free