GDPR vs CCPA: What Is the Difference and Which One Applies to You?
GDPR (General Data Protection Regulation) is a European privacy law that covers the personal data of people in the EU. CCPA (California Consumer Privacy Act) is a US state law that covers the personal data of California residents. If your business operates globally, you may need to comply with both. Here is a plain-English breakdown of how they compare.
Who They Apply To
GDPR applies to any organization that processes personal data of people located in the EU, regardless of where the organization is based. A US company with no EU office still has to follow GDPR if it collects data from people in the EU.
CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of these thresholds: annual gross revenue over $25 million, buying or selling personal data of 100,000 or more consumers per year, or deriving 50% or more of annual revenue from selling personal data.
Small businesses often fall under GDPR before they hit the CCPA thresholds, because GDPR has no revenue or volume threshold.
Legal Basis for Processing Data
This is one of the biggest differences between the two laws.
GDPR requires a legal basis for every processing activity. The most common bases are consent, legitimate interest, and contractual necessity. If you rely on consent, it must be freely given, specific, and unambiguous. Pre-ticked boxes do not count.
CCPA takes a different approach. It does not require a legal basis for collecting data. Instead, it gives consumers the right to opt out of the sale of their data. You can collect and use data unless and until the consumer tells you not to sell it.
This is a fundamental philosophical difference. GDPR is opt-in by default. CCPA is opt-out by default.
Individual Rights Comparison
| Right | GDPR | CCPA |
|---|---|---|
| Know what data is collected | Yes | Yes |
| Delete personal data | Yes | Yes |
| Opt out of data sale | Not directly | Yes |
| Data portability | Yes | Yes |
| Correct inaccurate data | Yes | Yes (added by CPRA) |
| Non-discrimination for exercising rights | Not explicit | Yes |
Consent and Cookie Banners
GDPR requires explicit consent before placing non-essential cookies. This is why EU users see cookie banners asking them to accept or decline. Consent must be documented and users must be able to withdraw it as easily as they gave it.
CCPA does not require consent before placing cookies. It requires you to disclose what data you collect and give users the ability to opt out of data sales. Many businesses display a "Do Not Sell My Personal Information" link in their footer to comply.
Penalties
GDPR fines can be up to 4% of global annual turnover or 20 million euros, whichever is higher.
CCPA allows fines of up to $7,500 per intentional violation. It also gives consumers a private right of action for data breaches, with damages between $100 and $750 per consumer per incident.
Do You Need to Comply with Both?
If you have users in the EU: GDPR applies. Full stop.
If you are a for-profit US business with over $25 million in revenue, or you handle data from 100,000 or more California residents per year: CCPA applies.
Many companies treat GDPR as the higher bar and build their privacy practices around it. If you satisfy GDPR, you will satisfy most of CCPA automatically, with a few additions like the opt-out of data sale requirement.
Where to Start
Use the relevant checklist to assess your current position. Our free GDPR compliance checklist and free CCPA compliance checklist each walk you through the requirements so you know exactly where you stand.