Key Takeaways
| Point | Summary |
| --- | --- |
| Consent model | GDPR requires opt-in; CCPA uses opt-out for sales/sharing |
| Scope | GDPR has no size thresholds; CCPA has revenue and data volume thresholds |
| Penalties | GDPR up to €20M/4% revenue; CCPA up to $7,988 per violation |
| Private action | CCPA allows lawsuits for breaches; GDPR has limited private rights |
| Legal basis | GDPR requires legal basis; CCPA permits collection with notice |
Quick Answer: GDPR is generally stricter, requiring opt-in consent and applying to all organizations processing EU data. CCPA uses an opt-out model, has business size thresholds, and provides a private right of action for data breaches. Most organizations serving both markets apply GDPR standards globally for consistency.
Comparison Overview
| Aspect | CCPA | GDPR |
| --- | --- | --- |
| Effective Date | January 1, 2020 (CPRA: 2023) | May 25, 2018 |
| Geographic Scope | California consumers | EU/EEA residents |
| Applicability | For-profit businesses meeting thresholds | Any organization processing EU data |
| Revenue Threshold | $26.625M+ | None |
| Data Threshold | 100,000+ consumers | None |
| Consent Model | Opt-out (for sales/sharing) | Opt-in |
| Maximum Fine | $7,988 per violation | €20M or 4% global revenue |
| Private Lawsuits | Yes (data breaches) | Limited |
| Enforcement | California AG, CPPA | National DPAs |
Scope and Applicability
Who Must Comply
| Criterion | CCPA | GDPR |
| --- | --- | --- |
| Location | Any business with CA consumers | Any org processing EU data |
| Revenue requirement | $26.625M+ (or one of the other thresholds) | None |
| Size requirement | Specific thresholds | None |
| Non-profits | Exempt | Included |
| Government | Exempt | Subject to (with some exemptions) |
CCPA Thresholds
To fall under CCPA, businesses must meet at least one:
- $26.625 million+ annual gross revenue
- 100,000+ California consumers' data
- 50%+ revenue from selling/sharing data
GDPR Territorial Scope
GDPR applies to organizations that:
- Are established in the EU/EEA
- Offer goods/services to EU residents (even if free)
- Monitor behavior of EU residents
Consent and Legal Basis
GDPR Legal Basis Requirements
| Legal Basis | Description |
| --- | --- |
| Consent | Freely given, specific, informed, unambiguous |
| Contract | Necessary for contract performance |
| Legal obligation | Required by law |
| Vital interests | Protecting life |
| Public task | Official authority or public interest |
| Legitimate interests | Balanced against data subject rights |
GDPR requires a legal basis before any processing takes place; by default, processing without a basis is not permitted.
CCPA Approach
| Activity | CCPA Requirement |
| --- | --- |
| Collection | Notice at or before collection |
| Use | Consistent with disclosed purposes |
| Sale/sharing | Consumer can opt out |
| Sensitive PI | Consumer can limit use |
CCPA permits collection once notice is given; the consumer must take action to stop sale or sharing.
Opt-In vs. Opt-Out
| Aspect | GDPR | CCPA |
| --- | --- | --- |
| Default state | No processing without basis | Processing permitted with notice |
| Consumer action | Opt-in before processing | Opt-out after collection |
| Consent withdrawal | Right to withdraw | 12-month wait for re-authorization |
| Children | Parental consent under 16 (default; member states may lower to 13) | Opt-in for under 16 (sale/sharing) |
Consumer Rights Comparison
For detailed CCPA rights guidance, see consumer rights explained.
| Right | CCPA | GDPR |
| --- | --- | --- |
| Right to Know/Access | Yes | Yes |
| Right to Delete | Yes | Yes (Right to Erasure) |
| Right to Correct | Yes (CPRA) | Yes (Rectification) |
| Right to Portability | Yes | Yes |
| Right to Restrict | No direct equivalent | Yes |
| Right to Object | No direct equivalent | Yes |
| Right to Opt-Out | Yes (sale/sharing) | Not applicable (different model) |
| Right to Limit SPI | Yes | Not applicable (different approach) |
| Non-Discrimination | Yes (explicit) | Implicit |
Response Timelines
| Aspect | CCPA | GDPR |
| --- | --- | --- |
| Standard response | 45 days | One month |
| Extension | Additional 45 days | Two additional months |
| Total possible | 90 days | Three months |
Sensitive Data
For detailed CCPA SPI categories, see sensitive personal information guide.
GDPR Special Categories
| Category | Description |
| --- | --- |
| Racial/ethnic origin | Protected characteristic |
| Political opinions | Political views |
| Religious/philosophical beliefs | Faith and convictions |
| Trade union membership | Labor organization |
| Genetic data | Inherited characteristics |
| Biometric data | Physical identifiers |
| Health data | Medical information |
| Sex life/sexual orientation | Intimate information |
GDPR prohibits processing of special categories by default, with specific exemptions.
CCPA Sensitive Personal Information
| Category | Description |
| --- | --- |
| Government IDs | SSN, driver's license, etc. |
| Financial credentials | Account numbers with passwords |
| Precise geolocation | GPS-level location |
| Race/ethnicity/religion | Protected characteristics |
| Union membership | Labor organization |
| Private communications | Mail, email, text contents |
| Genetic data | DNA, genetic tests |
| Biometric data | For identification |
| Health data | Medical information |
| Sex life/orientation | Intimate information |
| Immigration status | Citizenship status |
CCPA permits collection of these categories but gives consumers the right to limit their use.
Data Transfers
GDPR International Transfers
| Mechanism | Description |
| --- | --- |
| Adequacy decision | Country deemed adequate by EU |
| Standard Contractual Clauses | Approved contract terms |
| Binding Corporate Rules | Intra-group approved policies |
| Consent | Explicit, informed consent |
GDPR restricts transfers outside the EU/EEA unless one of these mechanisms is in place.
CCPA International Transfers
| Aspect | CCPA Approach |
| --- | --- |
| Transfer restrictions | None specific |
| Obligations | All CCPA requirements apply regardless of location |
| Service providers | Contract must include restrictions |
CCPA has no transfer restrictions but obligations follow the data.
Penalties and Enforcement
GDPR Penalties
| Tier | Maximum | Examples |
| --- | --- | --- |
| Lower | €10M or 2% global revenue | Records failures, inadequate security |
| Upper | €20M or 4% global revenue | Unlawful processing, rights violations |
CCPA Penalties
| Type | Maximum | Notes |
| --- | --- | --- |
| Unintentional | $2,663 per violation | Per consumer, per violation |
| Intentional | $7,988 per violation | Per consumer, per violation |
| Data breach (private) | $107-$799 per consumer | Private lawsuit damages |
Enforcement Comparison
| Aspect | CCPA | GDPR |
| --- | --- | --- |
| Primary enforcer | California AG, CPPA | National DPAs |
| Private lawsuits | Yes (breaches) | Limited |
| Cure period | 30 days | None (but cooperation considered) |
| Class actions | Yes | Varies by country |
Contract Requirements
GDPR Data Processing Agreement
| Requirement | Details |
| --- | --- |
| Written contract | Always required |
| Processor instructions | Must follow controller's instructions |
| Security | Appropriate technical/organizational measures |
| Sub-processors | Prior authorization required |
| Audits | Must allow audits |
| Deletion/return | At end of services |
| Assistance | Help with data subject rights |
CCPA Service Provider Contract
| Requirement | Details |
| --- | --- |
| Written contract | Required |
| Purpose limitation | Specified business purposes |
| Use restriction | Cannot use for own purposes |
| Sale/sharing prohibition | Cannot sell or share |
| Subcontractor flow-down | Same restrictions apply |
| Consumer rights assistance | Help with requests |
Privacy by Design
GDPR Data Protection by Design
| Requirement | Details |
| --- | --- |
| By design | Integrate privacy into systems |
| By default | Privacy-protective settings default |
| Data minimization | Collect only necessary data |
| Purpose limitation | Use only for specified purposes |
| Storage limitation | Retain only as long as needed |
CCPA Data Minimization (CPRA)
| Requirement | Details |
| --- | --- |
| Collection | Reasonably necessary and proportionate |
| Retention | Not longer than reasonably necessary |
| Disclosure | Specify retention periods |
GDPR has more prescriptive privacy by design requirements; CCPA (via CPRA) has adopted similar principles.
Documentation Requirements
| Requirement | CCPA | GDPR |
| --- | --- | --- |
| Privacy policy | Yes | Yes (more detailed) |
| Records of processing | Records of consumer requests kept for 24 months | Required (Article 30) |
| DPO appointment | No | Required in some cases |
| DPIA | Risk assessments (2026) | Required for high-risk processing |
| Breach notification | State law requirements | 72 hours to DPA |
Harmonizing Compliance
Apply GDPR Standards Globally?
| Consideration | Recommendation |
| --- | --- |
| Simplicity | GDPR standards generally satisfy CCPA |
| Consistency | Single global policy easier to manage |
| CCPA-specific | Some CCPA elements require specific implementation |
| Opt-out links | CCPA-specific requirement |
| SPI limitation | CCPA-specific right |
CCPA-Specific Requirements
Even with GDPR compliance, CCPA requires:
| Requirement | Action |
| --- | --- |
| "Do Not Sell or Share" link | Add to homepage |
| "Limit Use of SPI" link | Add if SPI collected |
| GPC compliance | Honor GPC signals |
| California-specific disclosures | Categories, metrics (if applicable) |
| Toll-free number | For request intake |
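As an added illustration (not Bastion's code and not a mandated implementation), the Python below shows how a web backend could honor a Global Privacy Control signal as a "Do Not Sell or Share" request and respect the 12-month wait before asking the consumer to re-authorize, both listed above. It assumes the browser sends the standard `Sec-GPC: 1` request header; the preference record and the 365-day approximation of 12 months are simplifications for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# CCPA: after a consumer opts out of sale/sharing, the business must wait
# 12 months before asking them to opt back in (approximated here as 365 days).
REAUTH_WAIT = timedelta(days=365)


@dataclass
class ConsumerPrefs:
    """Constructed, simplified preference record for one consumer."""
    opted_out_of_sale: bool = False
    opted_out_on: Optional[date] = None


def gpc_signal_present(headers: Dict[str, str]) -> bool:
    """True when the request carries a Global Privacy Control opt-out.

    The GPC specification defines the request header ``Sec-GPC: 1``;
    header names are matched case-insensitively, as HTTP requires.
    """
    return any(name.lower() == "sec-gpc" and value.strip() == "1"
               for name, value in headers.items())


def apply_request(prefs: ConsumerPrefs, headers: Dict[str, str],
                  today: date) -> ConsumerPrefs:
    """Treat a GPC signal as a valid "Do Not Sell or Share" request.

    The opt-out is recorded once. A later request without the signal does
    NOT silently revert it: only an explicit consumer choice may do that.
    """
    if gpc_signal_present(headers) and not prefs.opted_out_of_sale:
        prefs.opted_out_of_sale = True
        prefs.opted_out_on = today
    return prefs


def may_sell_or_share(prefs: ConsumerPrefs) -> bool:
    """Gate to place in front of any downstream sale/sharing data flow."""
    return not prefs.opted_out_of_sale


def may_request_reauthorization(prefs: ConsumerPrefs, today: date) -> bool:
    """Whether the business may yet ask this consumer to opt back in."""
    if not prefs.opted_out_of_sale or prefs.opted_out_on is None:
        return True
    return today - prefs.opted_out_on >= REAUTH_WAIT
```

The same gate should sit behind server-side integrations (ad pixels, data partners), not only the cookie banner, since GPC is a request-level signal the client sends on every page load.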
How Bastion Helps
Navigating dual CCPA and GDPR compliance requires understanding both frameworks.
| Challenge | How We Help |
| --- | --- |
| Gap analysis | Compare current program to both frameworks |
| Harmonization | Efficient compliance with both |
| Documentation | Policies meeting both requirements |
| Contract templates | DPAs covering CCPA and GDPR |
| Implementation | Practical guidance for dual compliance |
Need help with CCPA and GDPR compliance? Talk to our team →