GDPR vs CCPA: Key Differences

A detailed side-by-side comparison of the European GDPR and California CCPA privacy regulations, including consent models, consumer rights, and business thresholds.

12 min read Updated April 2026

GDPR vs CCPA Overview

The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two of the most influential privacy regulations in the world. While both aim to protect consumer data, they differ significantly in their approach, scope, and requirements.

Understanding these differences is essential for businesses that operate internationally or serve customers in both the EU and California.

Key Difference at a Glance

  • GDPR: Consent-based (opt-in), applies to any organization processing EU data
  • CCPA: Opt-out model, only applies to businesses meeting revenue/data thresholds
  • GDPR: Stricter, broader rights, higher penalties
  • CCPA: More flexible, business-friendly thresholds

Business Thresholds

GDPR and CCPA differ significantly in who they apply to:

GDPR: No Thresholds

GDPR applies to any organization that processes personal data of EU residents, regardless of size:

  • No revenue threshold
  • No minimum number of data subjects
  • Applies to small businesses, startups, and individuals
  • Applies to non-profits and public bodies
  • Even one EU visitor triggers compliance

CCPA: Specific Thresholds

CCPA only applies to businesses meeting one or more thresholds:

  • Revenue: Annual gross revenue exceeding $25 million
  • Data Volume: Buy, sell, or share 100,000+ consumers' data annually
  • Revenue from Data: 50%+ of revenue from selling personal information
  • Joint Ventures: Control/control by business meeting thresholds

GDPR Applicability

  • All businesses processing EU data
  • No size requirements
  • Even with one EU visitor
  • Applies globally if serving EU

CCPA Applicability

  • Large businesses only
  • $25M+ revenue threshold
  • 100K+ consumers data volume
  • Primarily US-focused

Consumer Rights Comparison

Both regulations grant consumers rights over their data, but GDPR provides more extensive rights:

GDPR Data Subject Rights

  • Right to be Informed: Know what data is collected
  • Right of Access: Get copy of personal data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: "Right to be forgotten"
  • Right to Restrict Processing: Limit how data is used
  • Right to Data Portability: Transfer data to another service
  • Right to Object: Object to specific processing
  • Rights Related to Automated Decision-Making: Contest AI decisions

CCPA Consumer Rights

  • Right to Know: Categories of data collected
  • Right to Delete: Request data deletion
  • Right to Opt-Out: Stop sale/sharing of data
  • Right to Correct: Fix inaccurate data (CPRA)
  • Right to Limit Use of Sensitive Data: Restrict sensitive data use
  • Right to Non-Discrimination: Not penalized for exercising rights

Key Differences in Rights

  • Portability: GDPR requires machine-readable format; CCPA doesn't
  • Automated Decisions: GDPR has specific AI rights; CCPA doesn't
  • Scope of Access: GDPR allows specific data access; CCPA mostly categorical
  • Sensitive Data: CCPA has specific sensitive data provisions not in GDPR

Penalties and Enforcement

Both regulations have significant penalties, but GDPR is notably harsher:

GDPR Penalties

  • Tier 1: Up to €10 million or 2% of global annual revenue
  • Tier 2: Up to €20 million or 4% of global annual revenue
  • Which applies: Tier 2 for principle violations, rights violations
  • Enforcement: Individual EU member state authorities

CCPA Penalties

  • Non-intentional: Up to $2,500 per violation
  • Intentional: Up to $7,500 per violation
  • Private Right of Action: $100-$750 per data breach incident
  • Enforcement: California Privacy Protection Agency

Real-World Impact

For a company with $100 million in global revenue: GDPR max penalty = €4 million ($4.3M). For CCPA with 1 million affected consumers: max penalty = $7.5 million. However, GDPR applies to any EU visitor; CCPA only if thresholds are met.

Geographic Scope

One of the most important differences is who is covered:

GDPR: Global Reach

GDPR applies to any organization worldwide that processes personal data of EU residents:

  • Applies to US, Asian, and global businesses
  • Triggered by having EU visitors/users/customers
  • Even a single EU visitor triggers compliance
  • Must comply even if not physically in EU

CCPA: California Focus

CCPA primarily affects businesses doing business in California:

  • Must "do business in California"
  • Primarily affects US-based businesses
  • Many international businesses unaffected
  • Can affect global companies with CA operations

Bottom Line: If you have any EU visitors, GDPR likely applies. If you don't meet CCPA thresholds, you may not need to comply even with California customers.

Full Comparison Table

Aspect GDPR CCPA
Effective Date May 25, 2018 January 1, 2020
Consent Model Opt-in (must get consent first) Opt-out (can collect until told to stop)
Business Threshold None - applies to all $25M+ revenue or 100K+ consumers
Geographic Scope Worldwide (EU residents) California residents (US-focused)
Max Penalty €20M or 4% global revenue $7,500 per violation
Data Subject Rights 8 rights (extensive) 6 rights (more limited)
Data Portability Required (machine-readable) Not explicitly required
Breach Notification 72 hours to authorities Not specifically required
DPO Required Sometimes (large-scale processing) Not required
Privacy Policy Detailed, comprehensive Specific categories required
Children's Data 16 (can be 13 with parental consent) 13 (opt-in for sales under 16)
Sensitive Data Special category data (health, etc.) Sensitive PI (financial, location)

Compliance: How to Handle Both

If your business needs to comply with both GDPR and CCPA, here's a practical approach:

Start with GDPR (Strictest)

  • Implement opt-in consent for all data collection
  • Build comprehensive data subject request systems
  • Create detailed privacy policy covering all requirements
  • Appoint DPO if required
  • Establish 72-hour breach notification process

Add CCPA Requirements

  • Add "Do Not Sell or Share" link to homepage/footer
  • Add "Limit Use of Sensitive Data" link
  • Support Global Privacy Control (GPC) signals
  • Update for California-specific definitions
  • Ensure non-discrimination for rights exercises

Simplify with One Approach

Many businesses find it easiest to adopt GDPR-style practices universally, which naturally satisfies CCPA requirements. This includes:

  • Clear, opt-in consent for all data collection
  • Detailed privacy policy with all required disclosures
  • Robust data subject rights request handling
  • Easy-to-access opt-out mechanisms
  • Data minimization and purpose limitation

Analyze Your Privacy Policy

PolicyLens can check if your privacy policy meets requirements for both GDPR and CCPA compliance.

Analyze Your Policy Free