
GDPR vs CCPA compliance: Key differences explained

Summary

Data privacy laws shape how you can collect and handle user information. The General Data Protection Regulation (GDPR) set a global benchmark when it took effect in 2018, and California's California Consumer Privacy Act (CCPA) followed, taking effect in 2020. Both laws share the same goal of protecting individuals' data and privacy, but they take different approaches.

If you operate in multiple regions or serve international customers, you need to understand how these regulations differ. The scope, requirements, and penalties vary significantly. Getting it wrong can mean regulatory fines, lost customer trust, and operational disruption.

This guide breaks down the key differences between GDPR and CCPA compliance, explains what each law requires, and shows you how to manage both efficiently.

At a glance

  • The GDPR applies to any business processing the personal data of people in the EU, wherever the business is located, while the CCPA/CPRA applies to the personal information of California residents.
  • Both laws protect personal data, but consent requirements and some data categories differ.
  • The GDPR requires opt-in consent, while the CCPA/CPRA uses an opt-out model for sales and sharing of personal data.
  • The GDPR emphasizes accountability and record-keeping, and the CCPA/CPRA requires privacy policies and rights requests handling.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is the EU’s overarching data privacy law that took effect in May 2018. It governs how businesses collect, process, store, and share the personal data of EU residents.

The GDPR applies to any company that processes data from EU residents, regardless of where your company is located. This extraterritorial reach means businesses worldwide must comply if they sell to or serve European customers or monitor their behavior.

The regulation centers on seven core principles:

  • Lawfulness, fairness, transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability 

These principles shape every aspect of how organizations handle personal data.

Curious to know more about the GDPR? We’ve covered the 18 most common GDPR questions with expert answers.

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, with enforcement beginning in July 2020. It grants California residents control over their personal information and requires businesses to be transparent about data collection practices.

Unlike the GDPR, the CCPA applies only to for-profit businesses that meet specific thresholds, such as: 

  • Annual gross revenue of over USD 25 million (adjusted every two years according to the Consumer Price Index)
  • Buying, selling, or sharing the personal information of 100,000 or more California consumers or households
  • Deriving 50 percent or more of annual revenue from selling or sharing personal information

The California Privacy Rights Act (CPRA), which took effect on January 1, 2023, amended and expanded the CCPA (the combined law is still commonly called the CCPA). It created a dedicated enforcement agency, the California Privacy Protection Agency, now known as CalPrivacy, expanded consumer rights, and introduced new obligations around sensitive personal information.

CCPA vs GDPR compliance: Who do the laws apply to?

The GDPR and CCPA share a common goal: protecting personal data and individuals’ rights. However, their reach isn’t the same. Their approach to scope is what really separates them and shapes how businesses have to respond.

The GDPR casts a wide net. Any business that offers goods or services to people in the EU, or monitors their behavior, must comply, wherever it is based. It doesn't matter if you're a one-person startup or a global company: a single customer in Europe is enough. There's no revenue minimum and no exception based on company size.

The CCPA is more selective. It only applies to for-profit businesses operating in California that meet certain thresholds. Small businesses can fall outside CCPA requirements entirely. 

The law also exempts nonprofits and government agencies. It aims to protect California residents specifically, even when they’re temporarily outside the state. (In the United States, there is no overarching federal data privacy law, and to date it’s handled state by state, with each passing its own legislation.)

It’s worth noting that both laws focus on what companies do with customer data, not only the collection of it or where it’s stored. Therefore, even if you don’t have data servers in Europe or California, you still need to comply when processing data of protected individuals.

What types of data are protected under GDPR and CCPA compliance?

Complying with the GDPR and the CCPA entails protecting personal data. But each privacy law defines “personal data” differently.

The GDPR defines personal data as anything that identifies someone or could identify them. This includes direct identifiers like names and addresses, plus online identifiers like IP addresses, cookie IDs, and device fingerprints. 

Even data that’s been pseudonymized, like replacing names with random IDs, still counts as personal data if someone could theoretically link it back to a person.
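The point that "random IDs" do not make data anonymous is easiest to see by actually linking a pseudonymized record back to a name. The following is an added example, not code from the original article or from any vendor on this page. It replaces names with opaque IDs, then re-identifies the records by joining the quasi-identifiers that survived (ZIP code, birth year, sex) against a constructed "public" list that still carries names. The records, the auxiliary list, and the field names are all constructed for this example.

```javascript
// Added example (not from the original article): why pseudonymized data is
// still personal data under the GDPR when it can be linked back to a person.

// Replace the direct identifier (name) with an opaque ID. The ID->name table
// is returned separately: Art. 4(5) GDPR requires that such additional
// information be kept apart and protected, because whoever holds both the
// data and the table can re-identify every record.
function pseudonymize(records, makeId) {
  const lookupTable = new Map();
  const pseudonymized = records.map((r) => {
    const id = makeId();
    lookupTable.set(id, r.name);
    const { name, ...rest } = r; // drop the direct identifier
    return { id, ...rest };
  });
  return { pseudonymized, lookupTable };
}

// Linkage attack: the quasi-identifiers left in the data are joined against
// an auxiliary dataset that still has names. A unique match re-identifies the
// record without ever touching the lookup table.
function reidentify(pseudonymized, auxiliary, keys) {
  const keyOf = (r) => keys.map((k) => r[k]).join("|");
  const index = new Map();
  for (const a of auxiliary) {
    const k = keyOf(a);
    index.set(k, [...(index.get(k) || []), a.name]);
  }
  const matches = {};
  for (const p of pseudonymized) {
    const candidates = index.get(keyOf(p)) || [];
    if (candidates.length === 1) matches[p.id] = candidates[0];
  }
  return matches;
}

// Coarsening the quasi-identifiers (ZIP prefix only, birth decade) shrinks
// the number of unique matches. It is not anonymization on its own, but it
// shows that the residual fields, not the ID, decide whether data is personal.
function generalize(records) {
  return records.map((r) => ({
    ...r,
    zip: String(r.zip).slice(0, 3) + "**",
    birthYear: Math.floor(r.birthYear / 10) * 10,
  }));
}

// Worked run on constructed data. The "diagnosis" field stands in for the
// sensitive content the pseudonymization was meant to protect.
function demo() {
  const constructedRecords = [
    { name: "Alice Example", zip: "94107", birthYear: 1984, sex: "F", diagnosis: "A" },
    { name: "Bob Example", zip: "94107", birthYear: 1979, sex: "M", diagnosis: "B" },
    { name: "Carol Example", zip: "94110", birthYear: 1984, sex: "F", diagnosis: "C" },
  ];
  // Constructed "public" list (think voter roll): names and demographics only.
  const constructedAux = [
    { name: "Alice Example", zip: "94107", birthYear: 1984, sex: "F" },
    { name: "Bob Example", zip: "94107", birthYear: 1979, sex: "M" },
    { name: "Carol Example", zip: "94110", birthYear: 1984, sex: "F" },
    { name: "Dan Example", zip: "94110", birthYear: 1984, sex: "M" },
  ];
  let n = 0;
  const { pseudonymized } = pseudonymize(constructedRecords, () => `p-${++n}`);
  const keys = ["zip", "birthYear", "sex"];
  return {
    // every record re-identified despite the random IDs
    linkedRaw: reidentify(pseudonymized, constructedAux, keys),
    // after generalization only the record with a unique (zip, decade, sex) links
    linkedGeneralized: reidentify(generalize(pseudonymized), generalize(constructedAux), keys),
  };
}
```

Run `demo()`: all three pseudonymized records are linked back to names from the auxiliary list, and only Bob's record remains uniquely linkable after generalization. Whether the data is "personal data" under the GDPR turns on whether such a linkage is reasonably likely, which is why the lookup table, the quasi-identifiers, and the availability of auxiliary data all matter more than the IDs themselves.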

Under the GDPR, some data gets extra protection. This special category data includes: 

  • Racial or ethnic origin 
  • Political opinions 
  • Religious beliefs 
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health information
  • Details about sex life or sexual orientation 

Processing special category data is prohibited unless one of the specific exceptions in Article 9 applies, most commonly the person's explicit consent, and that is on top of the ordinary lawful basis every processing activity needs.

The CCPA protects personal information that identifies, relates to, or could be linked to a California resident or household. This covers similar ground to GDPR, such as names, addresses, online activity, location data, professional information, and inferences about someone’s characteristics or preferences.

In addition, the CPRA added a new category called sensitive personal information. While many of these items were already protected as personal information under the CCPA, the CPRA created this specific category and granted consumers the right to limit its use and disclosure.

This includes:

  • Social Security number
  • Driver's license, state ID, or passport number
  • Account log-in or financial account, debit, or credit card number together with any credentials needed to access the account
  • Precise location data
  • Racial or ethnic origin
  • Religious beliefs
  • Contents of a consumer’s mail, email, or text messages (unless the business is the intended recipient)
  • Genetic data
  • Biometric identifiers 
  • Health data
  • Information about sex life or sexual orientation

California residents have the right to limit how this sensitive data is used and disclosed.

What rights do the CCPA and the GDPR give people?

The differences also show up in the rights available to individuals. Both regulations give users control over their data, but the specifics differ.

Under the GDPR, individuals have eight core rights. These inform how their data is used, enabling them to request access to the information a company holds, correct inaccuracies, or ask for deletion in certain cases. 

They can also restrict processing without deleting anything, request their data in a portable format, and object to specific types of processing, particularly for marketing. The GDPR also includes safeguards against major decisions made solely through automated systems.

The CCPA offers a smaller but still meaningful set of rights. People can know what data is collected, used, sold, or shared. They can request deletion with some exceptions, opt out of data selling or sharing, and expect no discrimination for doing so. 

The CPRA expanded this by adding the right to correct inaccurate information and limit how sensitive data is used, while also strengthening rules around automated decision-making.

Consent works differently, too, when it comes to GDPR vs CCPA compliance. Under the GDPR, consent is one of six lawful bases for processing (alongside contract, legal obligation, vital interests, public task, and legitimate interests). Where you rely on it, or where the ePrivacy rules require it for cookies and similar tracking, it must be an affirmative opt-in given before the processing starts; pre-ticked boxes and continued browsing do not count.

The CCPA, by contrast, allows collection by default in most cases, as long as people have a clear way to opt out of sales or sharing. The main exceptions are selling or sharing the personal information of consumers under 16, which requires opt-in consent (from a parent for children under 13), and sensitive personal information, whose use and disclosure consumers can limit.

These differences influence the design of your cookie banner, disclosures, and data flows.

How GDPR and CCPA handle data governance and accountability

Differences in GDPR vs CCPA compliance also show up in the day-to-day governance work that sits underneath compliance. 

For instance, the GDPR puts a heavy emphasis on proving compliance. This means you need to maintain detailed records of what data you process and why. This includes documenting your legal basis for processing, running data protection impact assessments for risky activities, and putting appropriate security measures in place.

The accountability principle means the burden is on companies to demonstrate compliance. You can’t just say you’re compliant — you need documentation, audit trails, and processes that show you’re taking privacy seriously. It’s best practice to also build privacy into products and services from the start (privacy by design) and make privacy the default setting.

Some organizations need a Data Protection Officer (DPO) under the GDPR. This applies to public authorities and organizations that do large-scale monitoring or process lots of special category data. A DPO oversees compliance and works with regulators.

The CCPA is lighter on accountability requirements. Companies need to update their privacy policy, create ways for people to submit rights requests, and honor opt-out choices. But companies don’t need the same level of ongoing documentation as for the GDPR.

The CPRA added more accountability measures. Businesses whose processing presents significant risk to consumers' privacy or security must conduct annual cybersecurity audits and regular risk assessments, and all covered businesses must honor universal opt-out signals such as Global Privacy Control (GPC) and maintain reasonable security for personal information. The California Privacy Protection Agency, now known as CalPrivacy, can also require compliance audits.
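Honoring a universal opt-out signal is the most mechanical of these obligations, so here is an added example, not Usercentrics code or any other vendor's, of how a site can detect GPC and apply it to a stored consent record. GPC itself is a published signal: browsers send the HTTP request header `Sec-GPC: 1` and expose `navigator.globalPrivacyControl`. The consent-record fields, the tag categories, and the request data below are assumptions made for this example.

```javascript
// Added example (not from the original article or any CMP vendor): honoring
// the Global Privacy Control signal, which the CCPA regulations treat as a
// valid request to opt out of the sale or sharing of personal information.

// Server side: read the header from a plain { name: value } object such as
// Node's req.headers. Header names are case-insensitive, and only the exact
// value "1" asserts the signal; anything else means "not asserted".
function gpcAsserted(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client side: the same check from the navigator object, passed in so the
// function can be exercised outside a browser.
function gpcAssertedInBrowser(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Apply the signal to a consent record (assumed shape) for a California
// consumer. Rules encoded here:
//  - a GPC signal is treated as an opt-out of sale/sharing,
//  - an existing opt-out is never undone by the absence of the signal,
//  - the record stores the source and time so the decision is auditable.
function applyGpc(record, { headerAsserted, browserAsserted, now = new Date() }) {
  const asserted = headerAsserted || browserAsserted;
  const updated = { ...record };
  if (asserted && !record.saleSharingOptOut) {
    updated.saleSharingOptOut = true;
    updated.optOutSource = "gpc";
    updated.optOutAt = now.toISOString();
  }
  return updated;
}

// Decide which tag categories (assumed names) may fire. Tags that sell or
// share personal information for cross-context behavioral advertising are
// what an opt-out must block; strictly necessary tags are unaffected.
function allowedTagCategories(record) {
  return {
    strictlyNecessary: true,
    analytics: record.analyticsAllowed !== false,
    advertisingSaleSharing: !record.saleSharingOptOut,
  };
}

// Worked run on a constructed request from a user who has not opted out yet.
function demo() {
  const constructedHeaders = { host: "shop.example", "Sec-GPC": "1" };
  const record = { consumerId: "c-123", saleSharingOptOut: false, analyticsAllowed: true };
  const updated = applyGpc(record, {
    headerAsserted: gpcAsserted(constructedHeaders),
    browserAsserted: false,
    now: new Date("2024-01-01T00:00:00Z"),
  });
  return { updated, tags: allowedTagCategories(updated) };
}
```

The check belongs on the server as well as in the banner script: a request that arrives with `Sec-GPC: 1` must be treated as opted out even if the client-side consent script never runs (blocked, failed to load, or a server-rendered page). Keeping `optOutSource` and `optOutAt` on the record is what lets you show a regulator that the signal was honored and when.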

Data breach notification requirements for CCPA vs GDPR compliance

Both laws require reporting data breaches, but their timelines and triggers differ. 

The GDPR mandates notifying your supervisory authority within 72 hours of becoming aware of a breach, unless it's unlikely to result in a risk to people's rights and freedoms. If you miss the deadline, you must explain the delay. 

High-risk breaches also require direct notification to affected individuals, including details on what happened, potential consequences, contacts, and your corrective actions. 

Every breach must be documented, even those that don’t require notification, since regulators can request the records during audits.

The CCPA itself contains no breach notification timeline; California's existing breach law covers that. What the CCPA added was a private right of action with statutory damages for breaches of nonencrypted and nonredacted personal information that result from a failure to maintain reasonable security, and the CPRA extended that to a leaked email address combined with a password or security question and answer.

California’s breach law requires you to notify affected residents without unreasonable delay when unauthorized people access their personal information. If more than 500 California residents are affected, you also need to tell the California Attorney General.

Penalties for noncompliance with the GDPR and CCPA 

The financial consequences under GDPR and CCPA differ sharply. 

GDPR fines can reach EUR 20 million or 4 percent of worldwide annual turnover, whichever is higher, for the most serious violations (of the core principles, data subject rights, and international transfer rules), with a lower tier of EUR 10 million or 2 percent for breaches of controller and processor obligations such as record-keeping, security, breach notification, and DPO duties. Regulators consider factors like severity, intent, mitigation efforts, cooperation, prior violations, and the company's financial situation. 

Authorities can also order data processing and certain business operations to cease, the deletion of data, and submission to ongoing review and audits.

CCPA penalties are smaller but can add up. Administrative fines are up to USD 2,500 per violation, or USD 7,500 for intentional violations and for violations involving the personal information of consumers under 16, and each affected consumer can count as a separate violation. Individuals can sue over qualifying data breaches for USD 100 to 750 per consumer per incident or actual damages, whichever is greater. These amounts are also adjusted every two years according to the Consumer Price Index. 

The CPRA introduced the California Privacy Protection Agency/CalPrivacy to enforce these rules more actively, though the Attorney General’s office still has a role in enforcement.

GDPR vs CCPA compliance summarized

Here’s an overview of the GDPR vs the CCPA.

Aspect | GDPR | CCPA/CPRA
Geographic scope | Any business processing the data of people in the EU, wherever it is located | For-profit businesses doing business in California
Applicability thresholds | None (any amount of EU data) | USD 25M+ revenue, 100K or more consumers or households, or 50%+ of revenue from selling or sharing data
Consent model | Opt-in (affirmative consent where consent is the lawful basis) | Opt-out (for sales and sharing)
Protected individuals | Anyone in the EU | California residents and households
Key rights | 8 rights (access, erasure, portability, object, etc.) | 6 rights (know, delete, opt out of sale/sharing, correct, limit, non-discrimination)
Sensitive data | Special category data, prohibited unless an Article 9 exception such as explicit consent applies | Sensitive personal information with the right to limit use
DPO requirement | Required for public authorities and large-scale monitoring or special category processing | No equivalent
Breach notification | 72 hours to notify the supervisory authority; affected individuals without undue delay when risk is high | Without unreasonable delay to affected residents (state breach law); Attorney General if more than 500 residents
Maximum penalties | EUR 20M or 4% of worldwide annual turnover, whichever is higher | USD 2,500 per violation; USD 7,500 per intentional violation or violation involving minors
Private right of action | Yes (compensation under Art. 82 GDPR) | Yes (for data breaches, USD 100 to 750 per consumer per incident)
Documentation | Extensive records required | Moderate requirements

5 tools for managing GDPR and CCPA compliance

Managing data privacy compliance across jurisdictions is easier with the right platform. A good consent management platform (CMP) handles different regulatory requirements, adapts to where users are located, and scales as your business grows.

Here are five platforms that support both GDPR and CCPA compliance.

Usercentrics

Usercentrics provides a consent management solution designed for businesses operating in multiple jurisdictions. Our platform handles consent collection, preference management, and documentation for both GDPR and CCPA through a single interface.

Our CMP scans your website to detect tracking technologies, creates consent banners that adapt based on user location, and integrates with many popular marketing and analytics tools.

Key features

  • Automated scanning of tracking technologies across websites and apps
  • Location-based consent flows for coverage of GDPR and CCPA requirements
  • Centralized consent database with audit-ready documentation
  • Pre-built integrations with major ad platforms and analytics tools
  • Data subject request portal for access, deletion, and correction requests

Pricing

  • Free 14-day trial
  • Paid plans start from EUR 7/month and are based on the number of sessions
Pros:
  • 2,200+ legal templates
  • 60+ languages supported
  • Consent management for websites, mobile apps, and connected TVs
Cons:
  • Analytics data only available for 90 days

Scan your website for free

Check whether your website is GDPR-compliant by scanning your website and finding out which cookies and tracking technologies are collecting data.

Ketch

Ketch is a design-first CMP that emphasizes the look and feel of data privacy notices, as well as compliance requirements. This no-code solution is aimed at teams that don’t have much technical expertise.

Key features

  • Recognize users across digital channels and devices and automatically apply their consent preferences.
  • Use the Ketch Smart Tag to add privacy notices to your website with a lightweight script that aligns with current web design best practices.
  • Access up-to-date records of your customers’ privacy choices and retrieve records of processing activities with one click.

Pricing

  • Ketch offers a free plan
  • Paid plans start from USD 150/month
Pros:
  • Easy to use
  • No-code solution
  • More than 1,000 pre-built integrations
Cons:
  • Free plan only supports 5,000 monthly visitors

OneTrust

OneTrust comes with an extensive set of data privacy management tools for websites and apps, including cookie scanners, functionality for cookie consent management, and autoblocking functionality.

Key features

  • Identify sensitive data and understand data risks.
  • Automate repetitive tasks through workflows to save time and reduce errors in processes such as DSAR fulfillment.
  • Identify and manage risks associated with vendors.

Pricing

  • OneTrust uses custom pricing based on user needs. Contact OneTrust for a quote.
Pros:
  • In-depth support and documentation via the Knowledge Base
  • Includes incident and breach management
  • A system for automating compliance assessments
Cons:
  • Non-transparent pricing
  • More complex implementation

Osano

Osano offers a unified consent and preference hub. The company states a bold pledge to pay any fine or penalty — up to USD 500,000 — that a business incurs due to noncompliance with data privacy regulations while using its CMP. However, this only applies to select plans for customers who implemented products in line with Osano’s documentation.

Key features

  • The CMP can help you comply with regulations in over 50 countries. 
  • Generate visualizations of your data collection and processing practices to help identify potential risks and opportunities.
  • Receive notifications about changes to the data privacy laws and regulations applicable to your business.

Pricing

  • Free 30-day trial
  • Pricing plans for GDPR compliance start at USD 199/month
Pros:
  • Easy to implement
  • $500,000 "No Fines, No Penalties" Pledge
  • Secure blockchain storage
Cons:
  • Users report limited customization and limited features for the price points

TrustArc

TrustArc provides businesses with automated privacy solutions to help them achieve compliance while increasing user trust. Once it's up and running, the platform scales easily across properties.

Key features

  • TrustArc offers auto-law identification so you can gain a better understanding of privacy regulations and standards to support compliance.
  • TrustArc has a trust center, which displays all data privacy information in one place to build trust with your customers.
  • Integrate third-party applications and tools into your website with Rapid and REST APIs for compliant data collection.

Pricing

  • Contact TrustArc for pricing.
Pros:
  • Google-certified CMP provider
  • Drag-and-drop customization
  • Easy to use
Cons:
  • Poor customer support, according to some users

Comply with the GDPR and the CCPA

Both the GDPR and CCPA protect user data, but they take different approaches. The GDPR emphasizes a lawful basis for every processing activity and accountability, with opt-in consent wherever consent is relied on. The CCPA focuses on transparency and choice, with opt-out mechanisms for sales and sharing.

If you operate in both jurisdictions, you need systems that adapt to each law’s requirements while keeping operations efficient. A CMP can help by handling the collection, management, and documentation of user consent. It takes care of the hard work and helps you better serve your target audience without multiplying your privacy compliance workload.

Simplify GDPR and CCPA compliance

Usercentrics helps you manage consent, honor user preferences, and maintain compliance across jurisdictions, all from one platform.

Celestine Bahr
Director Legal, Compliance & Data Privacy, Usercentrics GmbH