While both the GDPR and CCPA protect user privacy and regulate how companies that collect user information handle this sensitive data, there are some differences in how they apply.
The GDPR applies to any organization that processes data from users in the EU, regardless of where the company is located. The CCPA only applies to organizations that process data from California residents.
Additionally, the company has to receive, process, or transfer data from 100,000 or more consumers or households in California per year, or have a gross annual revenue (in the previous year) exceeding US $25 million, or earn at least 50% of its annual revenue from selling or sharing users’ data.
As with the GDPR, the company’s location has no bearing on whether the CCPA applies, as long as it is processing the personal data of California residents.
Second, the GDPR requires companies to have a legal basis for collecting user data, while the CCPA has no such requirement.
Third, the GDPR requires explicit user consent before personal data can be collected and used. Users must actively opt in before a company can collect their data. The CCPA doesn’t require user consent to collect, process, or sell data. Instead, it requires users to opt out and request that their personal data not be collected or sold. While the GDPR doesn’t require any explicit language in cookie consent banners or elsewhere, the CCPA requires companies to have a link titled “Do Not Sell Or Share My Personal Information” clearly visible on their website.