GDPR vs CCPA: Key Differences Explained
The General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are the two most influential privacy laws in the world. Understanding their differences is essential for any company handling personal data from EU residents or California consumers.
Key Takeaways
| Point | Summary |
|---|---|
| Jurisdiction | GDPR covers EU residents' data; CCPA covers California residents' data |
| Consent model | GDPR requires opt-in consent; CCPA allows opt-out for data sales |
| Scope threshold | GDPR applies to any organization processing EU residents' data, with no size threshold; CCPA applies only above revenue/data-volume thresholds |
| Maximum penalties | GDPR: €20M or 4% global revenue; CCPA: $7,500 per intentional violation |
| Private right of action | GDPR: Limited; CCPA: Yes, for data breaches ($100-$750 per consumer per incident) |
Quick Answer: GDPR is stricter with opt-in consent requirements and applies to any company processing EU residents' data. CCPA has revenue thresholds ($25M+) and uses an opt-out model for data sales. Most companies need both if they serve EU and California customers.
Comparison at a Glance
| Aspect | GDPR | CCPA/CPRA |
|---|---|---|
| Effective Date | May 25, 2018 | January 1, 2020 (CPRA: January 1, 2023) |
| Geographic Scope | EU/EEA residents | California residents |
| Who Must Comply | Any organization processing EU data | Businesses meeting thresholds |
| Revenue Threshold | None | $25 million+ annual revenue |
| Data Threshold | None | 100,000+ consumers/households |
| Consent Model | Opt-in required | Opt-out for sales |
| Right to Delete | Yes | Yes |
| Right to Access | Yes | Yes |
| Right to Portability | Yes | Yes |
| Right to Correct | Yes | Yes (CPRA) |
| Right to Limit Use | Via consent withdrawal | Yes (sensitive data) |
| Maximum Fine | €20M or 4% global revenue | $7,500 per intentional violation |
| Private Lawsuits | Limited | Yes (data breaches) |
| Enforcement Body | National data protection authorities (DPAs) | California AG + CPPA |
Scope and Applicability
GDPR Applies To
Any organization that:
- Is established in the EU/EEA
- Offers goods/services to EU residents (even if free)
- Monitors behavior of EU residents
No size threshold - GDPR applies regardless of company size or revenue.
CCPA Applies To
For-profit businesses that:
- Have $25 million+ in annual gross revenue, OR
- Buy, sell, or share personal information of 100,000+ California consumers/households, OR
- Derive 50%+ of annual revenue from selling personal information
Important: Non-profits and government agencies are exempt from CCPA.
Consent Requirements
GDPR: Opt-In Model
GDPR requires opt-in consent before personal data is processed (subject to exceptions such as the legitimate-interests basis):
| Consent Requirement | GDPR Standard |
|---|---|
| Type | Opt-in required |
| Timing | Before data collection |
| Granularity | Separate consent per purpose |
| Withdrawal | Must be as easy as giving consent |
| Pre-checked boxes | Not allowed |
| Bundling | Cannot bundle with terms of service |
CCPA: Opt-Out Model
CCPA permits data collection by default, with a right to opt out of sales:
| Consent Requirement | CCPA Standard |
|---|---|
| Type | Opt-out for data sales |
| Default | Collection permitted |
| "Do Not Sell" link | Required on website |
| Minors (16-17) | Opt-in required |
| Children (under 16) | Parent/guardian opt-in required |
| Financial incentives | Opt-in required |
Definition of Personal Data
GDPR Personal Data
Any information relating to an identified or identifiable natural person:
| Category | Examples |
|---|---|
| Direct identifiers | Name, email, phone, ID numbers |
| Online identifiers | IP addresses, cookies, device IDs |
| Location data | GPS coordinates, addresses |
| Biometric data | Fingerprints, facial recognition |
| Genetic data | DNA, health records |
| Special categories | Race, religion, political opinions, sexual orientation |
CCPA Personal Information
Information that identifies, relates to, or could be linked with a consumer or household:
| Category | Examples |
|---|---|
| Identifiers | Name, email, SSN, driver's license |
| Commercial info | Purchase history, products considered |
| Internet activity | Browsing history, search history |
| Geolocation | Physical location data |
| Professional info | Employment history, job title |
| Inferences | Consumer profiles, preferences |
| Sensitive (CPRA) | SSN, precise geolocation, race, health, sexual orientation |
Consumer Rights Comparison
| Right | GDPR | CCPA/CPRA |
|---|---|---|
| Right to Know/Access | Yes - detailed information about processing | Yes - categories and specific pieces |
| Right to Delete | Yes (with exceptions) | Yes (with exceptions) |
| Right to Portability | Yes - machine-readable format | Yes - portable format |
| Right to Correct | Yes | Yes (CPRA only) |
| Right to Restrict Processing | Yes | Limited (sensitive data) |
| Right to Object | Yes | No direct equivalent |
| Right to Opt-Out of Sales | Not applicable (different model) | Yes - "Do Not Sell My Info" |
| Right to Non-Discrimination | Implicit in fairness principle | Explicit protection |
| Response Time | One month (extendable by two further months) | 45 days (extendable to 90) |
Penalties and Enforcement
GDPR Penalties
| Violation Tier | Maximum Penalty | Examples |
|---|---|---|
| Lower tier | €10M or 2% global revenue | Failure to maintain records, inadequate DPO |
| Upper tier | €20M or 4% global revenue | Unlawful processing, violating data subject rights |
Notable GDPR fines:
- Meta (Ireland): €1.2 billion (2023) - data transfers
- Amazon (Luxembourg): €746 million (2021) - advertising practices
- WhatsApp (Ireland): €225 million (2021) - transparency violations
CCPA Penalties
| Violation Type | Penalty |
|---|---|
| Unintentional | $2,500 per violation (30-day cure period) |
| Intentional | $7,500 per violation |
| Data breach (consumer) | $100-$750 per consumer per incident |
| CPRA administrative | $7,500 per violation |
Key difference: CCPA allows private lawsuits for data breaches, while GDPR enforcement is primarily through regulatory authorities.
Data Processing Agreements
GDPR Requirements
Controllers must have Data Processing Agreements (DPAs) with their processors, covering at least the following elements:
| Required Element | Description |
|---|---|
| Subject matter | Purpose and duration of processing |
| Nature of processing | Types of operations performed |
| Categories of data | What personal data is processed |
| Data subject categories | Whose data is processed |
| Obligations and rights | Controller and processor responsibilities |
| Sub-processor rules | Authorization for sub-contractors |
| Security measures | Technical and organizational controls |
| Audit rights | Ability to verify compliance |
CCPA Requirements
CCPA requires written contracts with service providers that include:
| Required Element | Description |
|---|---|
| Purpose limitation | Data used only for specified purposes |
| Prohibition on selling | Service provider cannot sell the data |
| Compliance certification | Service provider certifies understanding |
| Notification of inability | Must inform if cannot meet obligations |
Data Transfer Rules
GDPR International Transfers
Transfers outside the EU/EEA require one of the following mechanisms:
| Mechanism | Description |
|---|---|
| Adequacy decision | Country deemed adequate by EU Commission |
| Standard Contractual Clauses | EU-approved contract terms |
| Binding Corporate Rules | Approved intra-group policies |
| Explicit consent | Informed, specific consent (limited use) |
Adequacy countries: UK, Canada (commercial), Japan, South Korea, Argentina, New Zealand, Israel, Switzerland, and others.
CCPA International Transfers
CCPA has no specific restrictions on international data transfers. However:
- All CCPA obligations still apply regardless of where data is stored
- Data breach notification requirements remain in effect
- Service provider contracts must be in place
Breach Notification Requirements
| Aspect | GDPR | CCPA |
|---|---|---|
| Notification to authority | 72 hours (unless the breach is unlikely to pose a risk to individuals' rights) | No CCPA-specific requirement; California breach law requires notifying the California AG if 500+ residents are affected |
| Notification to individuals | Without undue delay (high risk) | Required under California breach-notification law |
| Content requirements | Detailed (nature, consequences, measures) | Description and available remedies |
| Exemptions | Encrypted data may be exempt | None specific |
Common Questions
Do I need to comply with both?
If you process personal data of both EU residents and California residents, you need to comply with both regulations. Many companies choose to apply the stricter GDPR standards globally for consistency.
Which is stricter?
GDPR is generally considered stricter because:
- It requires opt-in consent (vs. opt-out)
- It applies to all organizations (no revenue threshold)
- It has higher maximum fines
- It requires Data Protection Officers in some cases
Can I use one privacy policy for both?
Yes, but your privacy policy must address all requirements of both regulations. Key additions for dual compliance:
- "Do Not Sell My Personal Information" link (CCPA)
- Opt-in consent mechanisms (GDPR)
- Both sets of consumer rights
- Disclosure categories (CCPA-specific)
What about other US state privacy laws?
Several states have enacted CCPA-like laws:
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Utah Consumer Privacy Act (UCPA)
These generally follow the CCPA model with variations.
Compliance Checklist: Both Regulations
| Action | GDPR | CCPA |
|---|---|---|
| Privacy policy update | ✓ | ✓ |
| Data inventory/mapping | ✓ | ✓ |
| Consent management | ✓ (opt-in) | ✓ (opt-out link) |
| Consumer request process | ✓ | ✓ |
| Vendor agreements | DPA required | Service provider contracts |
| Data security measures | ✓ | ✓ |
| Staff training | ✓ | ✓ |
| DPO appointment | Some cases | Not required |
| Data transfer mechanisms | ✓ | N/A |
| Breach response plan | ✓ | ✓ |
How Bastion Helps
Managing compliance with multiple privacy regulations adds complexity, but organizations serving both EU and California markets often find it manageable with the right approach. Working with experienced partners helps streamline dual compliance.
| Challenge | How We Help |
|---|---|
| Policy complexity | Unified privacy policy templates that address both frameworks' requirements |
| Consent management | Guidance on implementing both opt-in and opt-out mechanisms |
| Request handling | Efficient workflows for handling data subject requests under both regulations |
| Vendor management | Tracking for both DPAs and CCPA service provider contracts |
| Evidence collection | Documentation approaches that satisfy both frameworks' accountability requirements |
Having experienced support helps ensure your compliance program addresses both regulations efficiently—avoiding the duplication of effort that often occurs when frameworks are approached separately.
Sources
- GDPR Full Text (EUR-Lex) - Official text of Regulation (EU) 2016/679
- CCPA Text (California Legislature) - California Civil Code 1798.100-1798.199.100
- CPRA Full Text - California Privacy Rights Act of 2020
- EDPB Guidelines - European Data Protection Board guidance
- California AG CCPA - California Attorney General CCPA resources
