CCPA vs GDPR: key differences and similarities

The CCPA/CPRA and the GDPR are landmark data privacy regulations that impact organizations worldwide. We look at the differences and similarities between the two laws, and how organizations can achieve compliance with both.
Published by Usercentrics
Dec 3, 2024

As organizations handle people’s personal data across borders, regulations like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) have become central to protecting privacy rights. Both regulations establish rules for when and how organizations can collect, use, and share personal data to give individuals control over their information.

Although the GDPR and the CCPA/CPRA share common goals, their scope, requirements, and enforcement mechanisms vary significantly. Understanding these differences is essential for organizations to avoid penalties and build trust with the people whose data they handle. 

We cover who these regulations apply to, their similarities and differences, and how organizations can implement compliance measures effectively.

CCPA vs GDPR: understanding the basics

The GDPR and the CCPA/CPRA are landmark data privacy laws, each setting standards for how personal data is managed and protected. Before going into details about their scope and application, let’s look at what these laws are.

What is the GDPR?

The General Data Protection Regulation (GDPR) governs data collection and processing for individuals located in the 27 European Union (EU) member states and the European Economic Area (EEA) countries of Iceland, Liechtenstein, and Norway. It is designed to protect individuals’ privacy rights and establish consistent data protection standards across the EU/EEA. The GDPR applies to organizations that either offer goods or services to or monitor the behavior of individuals within these regions, regardless of where the business is located.

Effective since May 25, 2018, the GDPR has become a global benchmark for data protection, influencing data privacy legislation worldwide.

What is the CCPA?

The California Consumer Privacy Act (CCPA), effective January 1, 2020, is the first comprehensive data privacy law passed in the United States. It establishes a framework for protecting the personal information of California residents and regulates how businesses collect, share, and process this data.

The California Privacy Rights Act (CPRA) amended and expanded the CCPA, increasing consumer protections and introducing stricter obligations for businesses, such as increased transparency and limits on the use of sensitive information. The CPRA also created the California Privacy Protection Agency (CPPA) to enforce privacy laws in the state.

While the CPRA took effect on January 1, 2023, enforcement began in February 2024 following a delay caused by legal challenges.

The CPRA does not fully replace the CCPA, but instead builds on it. Both laws remain in effect and work together to regulate data privacy in California. They are sometimes known as “the California GDPR.”

CCPA vs GDPR: who do the regulations apply to?

The GDPR and the CCPA/CPRA each specify which types of entities are subject to their rules, with notable differences in scope and applicability.

Infographic comparing the scope and application of CCPA vs GDPR

GDPR scope and application

The GDPR applies to any entity — whether a legal or natural person — that processes the personal data of individuals located within the EU/EEA, provided the processing is connected to either:

  • offering them goods or services 
  • monitoring their behavior

Entities based outside the EU are included if they process the personal data of individuals located within the EU/EEA. The GDPR applies to EU organizations regardless of where the processing takes place.

Under the GDPR, entities are classified as either data controllers or data processors. Controllers determine the purposes and means of processing personal data, while processors act on behalf of the controller to process data.

The regulation does not apply to individuals collecting data for purely personal or household purposes. However, if an individual collects or processes personal data of EU residents — for example as a sole proprietor — they must comply with GDPR requirements.

The GDPR is not limited to businesses and applies to nonprofit organizations and government agencies as well.

CCPA/CPRA scope and application 

Unlike the GDPR’s broad application, the CCPA/CPRA applies to for-profit businesses that do business in California and meet one of the following thresholds: 

  • have a gross annual revenue exceeding USD 25 million in the previous calendar year
  • buy, sell, or share the personal data of more than 100,000 consumers or households
  • earn more than 50 percent of their revenue from the sale of consumers’ personal information

The regulation defines such entities as “businesses” and extends compliance obligations to their service providers, third parties, and contractors through contractual agreements.

Like the GDPR, the CCPA/CPRA has extraterritorial reach. Businesses outside California — even those outside the US — must comply if they process the personal data of California residents and meet at least one of the regulation’s thresholds.

CCPA vs GDPR: who is protected?

The scope of protection under the CCPA/CPRA and the GDPR differs based on individuals’ residency status or location, which reflects the regulations’ distinct approaches to safeguarding individual rights.

Who is protected under the GDPR?

The GDPR protects the rights of any individual who is in the EU/EEA and whose data is processed. They are referred to as “data subjects” under the GDPR.

Who is protected under the CCPA/CPRA?

The CCPA/CPRA applies to individuals who meet California’s legal definition of a “resident.” A California resident is anyone who resides in the state other than for temporary reasons or anyone domiciled in California but who is currently outside the state for temporary reasons.

It does not include people who are in the state for temporary purposes. This definition may be clarified further as case law develops through rulings on alleged violations.

Individuals covered by the CCPA/CPRA are referred to as “consumers.”

CCPA vs GDPR: what data is protected?

Both the GDPR and the CCPA/CPRA regulate the collection and use of individuals’ personal data.

Personal data under the GDPR

The GDPR defines personal data as any information relating to “an identified or identifiable individual,” or data subject. This includes basic identifiers such as names, addresses, and phone numbers, as well as more indirect identifiers like IP addresses or location data that can be linked to an individual.

The GDPR also imposes stricter obligations on the processing of certain types of data known as “special categories of personal data,” which may reveal specific characteristics and pose greater risk of harm to an individual if misused or abused. The following are considered special categories of personal data under the regulation: 

  • data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
  • genetic data
  • biometric data used for unique identification
  • health information
  • data related to a person’s sex life or sexual orientation

Personal information under the CCPA/CPRA

The CCPA/CPRA protects personal information, which it defines as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples include names, email addresses, geolocation data, browsing history, and purchase records.

The CPRA introduced a new category called “sensitive personal information,” which has additional protections and obligations for businesses. It includes, among other things:

  • Social Security numbers
  • driver’s license numbers
  • financial account information
  • precise geolocation data used to accurately identify a person within a radius of 1850 feet (563 meters)
  • racial or ethnic origin
  • religious beliefs
  • genetic or biometric data

CCPA vs GDPR: when can data be processed?

The GDPR and the CCPA take fundamentally different approaches to regulating when personal data can be processed.

Data processing under the GDPR

The GDPR requires data controllers to have a valid legal basis to process personal data. There are six legal bases under the regulation:

  • Consent: When the data controller has obtained consent from the data subject that is “freely given, specific, informed, and unambiguous.” Consent must be voluntary and explicit to be considered valid.
  • Contract: When processing is necessary to fulfill or prepare a contract with the data subject.
  • Legal obligation: When processing is necessary to comply with an obligation under EU law or the law of the member state that applies to the data controller.
  • Vital interests: When processing is necessary in the vital interests of the data subject or of another person, such as in an emergency.
  • Public interest: When processing is necessary for a task carried out in the public interest, or in the exercise of official authority vested in the data controller, as laid down by EU law or the law of the member state that applies to the data controller.
  • Legitimate interests: When processing is necessary for the legitimate interests of the data controller or a third party, provided those interests are not overridden by the rights and freedoms of the data subject.

These legal bases establish clear conditions under which organizations can collect, store, and use personal data, in an effort to ensure that processing aligns with lawful purposes. Companies may be required by data protection authorities to provide proof to back up their legal basis, e.g. if they claim legitimate interests instead of obtaining valid user consent.

Data processing under the CCPA/CPRA

The CCPA/CPRA does not require businesses to establish a legal basis for processing personal information. Instead, businesses are free to collect and process data under most circumstances, provided they comply with the law’s consumer-focused mechanisms. These include giving consumers the right to:

  • opt out of the sale or sharing of their personal information
  • opt out of the use of their personal data for targeted advertising or profiling
  • limit the use and disclosure of sensitive personal information

Businesses must also transparently disclose processing purposes and practices under the regulation.

Rather than restricting data processing upfront, the CCPA/CPRA places responsibility on businesses to provide clear mechanisms and processes for consumers to exercise their rights and control how their data is used.

The CCPA/CPRA and the GDPR differ significantly in their approaches to consent. The GDPR relies on explicit opt-in consent, while the CCPA/CPRA generally uses an opt-out model, with exceptions for specific cases.

Consent is one of the legal bases for processing personal data under the GDPR. Where consent is the basis relied on, the regulation requires data controllers to obtain explicit consent from users before collecting or processing their data.

Consent given must be “freely given, specific, informed, and unambiguous.” This means individuals need to actively agree to their data being processed by taking an action such as ticking a box on a form or selecting specific settings.

Consent cannot be assumed from pre-checked boxes, ignoring the consent mechanism, or inactivity. Further, each purpose for processing data requires separate consent, and individuals must be able to withdraw their consent at any time. The process for withdrawing must be as simple and accessible as the process for giving consent.

The age of consent under the GDPR is 16 years. For minors under 16, the GDPR requires consent to be obtained from a parent or legal guardian. However, the GDPR permits member states to lower the age of consent to as young as 13 through their national laws.

The CCPA/CPRA does not require businesses to obtain opt-in consent to collect or process personal information in most cases. Instead, it operates primarily on an opt-out model, where businesses must provide clear methods for consumers to decline the sale or sharing of their information.

However, there are specific scenarios in which prior consent is required under the CCPA/CPRA:

  • Collecting, selling, or sharing the personal information of minors requires opt-in consent. For minors between the ages of 13 and 16, consent must be obtained directly from the minor. For those under 13, consent must come from a parent or legal guardian.
  • Selling or sharing the personal information of consumers who have previously opted out requires a business to obtain the consumer’s consent.
  • If a consumer dictates that a business only use sensitive personal information to provide the goods and services it offers, the business cannot use or disclose this information for any other reason without the consumer’s consent.
  • Entering a consumer into financial incentive programs tied to the collection or retention of personal information requires explicit consent.

For cases requiring consent, the CCPA/CPRA’s definition of consent closely aligns with the GDPR’s requirements: it must be freely given, specific, informed, and unambiguous.

CCPA vs GDPR: what are users’ rights?

Both the GDPR and the CCPA/CPRA grant individuals specific rights over their personal data, which enable them to understand, access, and control how their information is used.

Data subjects’ rights under the GDPR

Under the GDPR, data subjects are entitled to the following rights:

  • Right to be informed: Individuals must be informed about how their data is collected, used, and shared, by whom, for what reason, and which third parties are receiving their data, if any.
  • Right to access: Individuals can request confirmation of whether their data is being processed and obtain a copy of their data from the data controller.
  • Right to rectification: Individuals can request corrections to incomplete or inaccurate personal data.
  • Right to erasure (right to be forgotten): Individuals can ask for their personal data to be deleted under certain conditions, such as when it is no longer needed for its original purpose or when they withdraw consent, among others.
  • Right to restrict processing: Individuals can request that their data isn’t processed in certain situations. These include instances when there is no legal basis for processing or the controller doesn’t require the data for the original purposes anymore, among others.
  • Right to data portability: Individuals can receive the data collected on the basis of consent or contract in a structured, commonly used, and machine-readable format and transfer it to another controller.
  • Right to object: Individuals can object to data processing on certain grounds, including when it is used for direct marketing purposes.
  • Rights related to automated decision-making: Individuals can contest decisions made solely by automated processes that significantly affect them, such as profiling.

Consumers’ rights under the CCPA/CPRA

The CCPA/CPRA grants California residents the following rights over their personal information:

  • Right to know and access: Consumers have a right to know what personal information is being collected about them, for what reason, and whether it is sold or shared. They also have a right to request a copy of their personal information collected by a business.
  • Right to delete: Consumers can request that businesses delete their personal information, with some exceptions. For example, businesses do not have to delete data that is needed to comply with legal obligations.
  • Right to correct: Consumers can request that inaccurate personal information be corrected.
  • Right to opt out: Consumers can opt out of the sale or sharing of their personal information, as well as its use for targeted advertising or profiling. Businesses must include a “Do Not Sell Or Share My Personal Information” link on their websites.
  • Right to limit: Consumers can limit the use or disclosure of their sensitive personal information for purposes other than obtaining the goods or services that the business provides.
  • Right to nondiscrimination: Consumers are protected from being penalized or denied services for exercising their privacy rights under the regulation.
  • Right to data portability: Consumers can request their personal information in a “structured, commonly used, machine-readable format,” to transfer it to another service or business.

CCPA vs GDPR: transparency requirements

Both the GDPR and the CCPA/CPRA require businesses to provide transparency in their data handling practices, though they approach this requirement in different ways.

Transparency requirements under the GDPR

While the GDPR does not explicitly mandate publishing a privacy policy, it requires data controllers to provide detailed and specific information about their data processing policies in a way that is concise, transparent, and easy to understand. It must use clear and simple language, especially when communicating with children. This information should be easily accessible and provided in writing, electronically, or through other appropriate means. This requirement is typically achieved through a privacy policy published on a data controller’s website, often located in the footer so that it is easily accessible on every page.

A GDPR-compliant privacy policy must include:

  • the data controller’s identity and contact information, and, if applicable, the contact details of the Data Protection Officer
  • purpose(s) of and legal bases for data processing
  • who will have access to the personal data
  • categories of personal data being processed 
  • whether the data will be transferred internationally and the safeguards in place if so
  • for how long the data will be retained
  • information on data subjects’ rights and how to exercise them, as well as the right to lodge a complaint with a supervisory authority
  • how to withdraw consent

Transparency requirements under the CCPA/CPRA

The CCPA/CPRA requires businesses to provide specific notices to consumers to ensure transparency about how their personal information is used.

Notice at or before the point of collection

Businesses are required to inform consumers about the personal information they collect at or before the time it is collected. This includes details on what types of information (including sensitive personal information, if any) are being collected, the purpose(s) of collection, how long they will keep the information, and whether it will be sold or shared. If the business sells personal information, the notice must include a “Do Not Sell Or Share My Personal Information” link so users can easily opt out. The notice should also provide a link to the business’s privacy policy, where consumers can find more detailed information about their rights and the company’s privacy practices.

Privacy policy

Businesses must have a privacy policy that is easy to access and includes:

  • a list of the types of personal information the business collects, sells, or shares, which is updated at least once per year
  • where the business collects the personal information from
  • business or commercial purposes for collecting, selling, or sharing personal information
  • who the business shares or discloses the information with
  • what rights consumers have under the CCPA/CPRA and how they can exercise them
  • a “Do Not Sell Or Share My Personal Information” link that takes consumers to a page where they can opt out of their information being sold or shared
  • a “Limit The Use Of My Sensitive Personal Information” link (if applicable) so consumers can control how their sensitive information is used

The privacy policy must be updated once every 12 months or when there are changes to privacy practices. It must be written in plain, simple language that the average person could understand, and it must be accessible to all readers, including those with disabilities.

CCPA vs GDPR: security requirements

Both the CCPA/CPRA and the GDPR require entities that process data to take steps to secure the personal information they collect, though their specific obligations differ.

Security requirements under the GDPR

Keeping personal data secure is a foundational principle of processing under the GDPR. The regulation requires that personal data is processed in a way that keeps it safe by protecting it against unauthorized or unlawful processing as well as accidental loss, destruction, or damage. 

Controllers and processors are required to adopt technical and organizational security measures that are suitable to the risks posed to personal data. These measures may include pseudonymization, encryption, and robust access controls to prevent unauthorized processing.

Controllers are required to conduct Data Protection Impact Assessments (DPIAs) for processing activities likely to result in high risks to individuals’ rights and freedoms, such as profiling, large-scale processing, or handling sensitive data. These assessments identify potential risks and determine the safeguards needed to mitigate them.

Security requirements under the CCPA/CPRA

The CCPA as it was originally passed did not include specific security requirements. The CPRA’s amendments to the regulation introduced provisions to address data protection more directly.

The CCPA/CPRA now requires businesses that collect consumers’ personal information to implement reasonable security measures appropriate to the nature of the personal information. These measures aim to protect against unauthorized or illegal access, destruction, use, modification, or disclosure.

For data processing activities that pose significant risks to privacy or security, businesses must conduct regular risk assessments and annual cybersecurity audits. These reviews assess factors like how sensitive personal information is used and the possible effects on consumer rights, balanced against the purpose of the data processing. While the CPRA outlines these obligations, the exact requirements businesses must follow are still being defined.

CCPA vs GDPR: enforcement and penalties

Both the GDPR and the CCPA/CPRA include enforcement mechanisms and penalties to ensure compliance, but the process and scale differ significantly between the two laws.

Infographic comparing the level of enforcement and penalties for CCPA and GDPR

Enforcement and penalties under the GDPR

Each EU member state enforces the GDPR through its own Data Protection Authority (DPA), an independent public body responsible for overseeing compliance. DPAs have the authority to investigate compliance, address complaints, and impose penalties for violations. Data subjects can lodge complaints with a DPA in their country of residence, workplace, or where the violation occurred.

GDPR penalties are among the highest globally for data protection violations. Fines are divided into two tiers based on the severity of the offense:

  • for less severe violations, fines are up to 2 percent of annual global turnover or EUR 10 million, whichever is higher
  • for more serious violations, fines can be up to 4 percent of annual global turnover or EUR 20 million, whichever is higher

Enforcement and penalties under the CCPA/CPRA

The CCPA/CPRA is enforced by both the California Attorney General (AG) and the California Privacy Protection Agency (CPPA), a new enforcement body that was established under the CPRA. The CPPA has the authority to investigate violations and impose penalties, but it cannot limit the AG’s enforcement powers. The CPPA must halt its investigation if the AG requests, and businesses cannot be penalized by both authorities for the same violation.

Penalties under the CCPA/CPRA include:

  • up to USD 2,500 for each unintentional violation
  • up to USD 7,500 for each intentional violation
  • up to USD 7,500 for each violation involving the personal information of minors

The regulation also provides consumers with the right to take legal action in the event of a data breach. Consumers can claim statutory damages of USD 100 to USD 750 per incident or seek actual damages, whichever is greater, along with injunctive relief. Private rights of action are limited to data breaches, while civil penalties apply only to violations pursued by the AG or CPPA.

CCPA vs GDPR: how to comply

The first step toward compliance is determining whether your organization collects personal data or personal information from individuals protected under these laws. For California residents, businesses must also confirm whether they meet the legal definition of a “business” under the CCPA/CPRA.

We strongly recommend consulting a qualified legal expert who can give you advice specific to your organization to achieve compliance with both data privacy regulations.

GDPR compliance

Here is a non-exhaustive list of steps to take for GDPR compliance:

  • create a privacy policy that clearly outlines data collection, processing, and storage practices
  • obtain specific, informed, and freely given consent from data subjects before collecting or processing personal data
  • maintain detailed records of all data processing activities, including the purposes, data categories, and data retention periods
  • enter into Data Processing Agreements (DPAs) with data processors, setting out clear terms for processing activities and mandating compliance with GDPR standards

A consent management platform (CMP) can simplify compliance with the GDPR’s consent and record-keeping requirements. CMPs enable businesses to collect and document explicit user consent for data processing, including cookies, in a manner that aligns with GDPR standards. They can also help maintain records of consent, link these to processing activities, and integrate cookie banners to promote transparency.

CCPA/CPRA compliance 

To comply with the CCPA/CPRA, businesses should focus on the following key actions:

  • provide a notice at or before the point of data collection that details what personal and sensitive information is collected, how it will be used, and whether it will be sold or shared
  • ensure your privacy policy includes information about what data categories are collected and for what purpose, as well as instructions on how consumers can exercise their rights
  • add visible opt-out links to your website — labelled “Do Not Sell Or Share My Personal Information” and “Limit The Use Of My Sensitive Personal Information” — to enable consumers to exercise their opt-out rights
  • provide at least two ways for consumers to exercise their rights, such as a toll-free phone number or a web form
  • secure opt-in consent for selling or sharing data for individuals between the ages of 13 and 16, and obtain consent from a parent or guardian for minors under 13
  • ensure your organization does not penalize or discriminate against consumers who exercise their privacy rights

A CMP can enable businesses to implement opt-out mechanisms for the sale or sharing of personal information and manage limitations on sensitive personal information. CMPs also make it easier to display a notice at the point of collection through a cookie banner to inform consumers about data collection practices.

Table presenting who has to comply with the GDPR and the CCPA/CPRA
Table presenting the enforcement and penalties applied for GDPR and CCPA/CPRA

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.