The GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act, as amended by the CPRA) are the two most significant privacy laws affecting websites today. Both aim to give individuals more control over their personal data, but they take fundamentally different approaches. The GDPR requires a lawful basis for every processing activity, and for non-essential cookies and trackers that basis is in practice prior opt-in consent. The CCPA allows collection by default but requires a working opt-out from the sale or sharing of personal information.
CCPA vs GDPR at a glance
| | GDPR (EU) | CCPA/CPRA (California) |
|---|---|---|
| Effective date | May 25, 2018 | January 1, 2020 (CPRA amendments: January 1, 2023) |
| Consent model | Opt-in (prior consent required for non-essential processing such as tracking) | Opt-out (collect by default, allow opt-out of sale/sharing) |
| Scope | Organizations established in the EU, or offering goods/services to or monitoring people in the EU (Art. 3); no size or revenue threshold | For-profit businesses meeting revenue/data thresholds |
| Personal data definition | Any data relating to an identified or identifiable person | Information that identifies, relates to, or could reasonably be linked to a consumer or household |
| Cookies | Prior consent required for non-essential cookies | Opt-out required if cookies are used to sell/share data |
| Maximum fines | €20M or 4% of global annual turnover, whichever is higher | $2,500 per violation; $7,500 per intentional violation |
| Private right of action | Yes (Art. 79, 82: judicial remedy and compensation for damage); collective actions vary by member state | Yes, for data breaches ($100-$750 per consumer per incident, or actual damages if greater) |
| Enforced by | National Data Protection Authorities | California AG + California Privacy Protection Agency |
Who do they apply to?
GDPR scope
The GDPR applies to any organization established in the EU, and to any organization outside the EU that offers goods or services to, or monitors the behaviour of, people in the EU (Article 3). Size and location do not matter: a small US-based e-commerce site that sells to EU customers must comply. There are no revenue thresholds.
CCPA/CPRA scope
The CCPA applies to for-profit businesses that meet at least one of three thresholds:
- Annual gross revenue exceeding $25 million
- Buy, sell, or share the personal information of 100,000+ California consumers or households annually
- Derive 50% or more of annual revenue from selling or sharing personal information
Non-profits and government agencies are generally exempt. Small businesses that don't meet any threshold are not covered.
Opt-in vs opt-out: the fundamental difference
This is the core distinction between the two laws:
GDPR: opt-in by default
Under the GDPR, non-essential cookies and similar tracking may not start until the user has given explicit, affirmative consent (the cookie rule comes from the ePrivacy Directive as implemented in national law; the GDPR sets the standard that consent must meet). Analytics scripts, marketing pixels and the cookies they set must all stay blocked until the user clicks "Accept", and must not fire at page load. Silence, pre-ticked boxes or continued browsing do not count as consent, and the user must be able to withdraw consent as easily as they gave it.
CCPA: opt-out by default
Under the CCPA, businesses can collect personal information by default. However, they must provide a clear mechanism for consumers to opt out of the sale or sharing of their personal information. Since the CPRA amendments, this includes a right to opt out of cross-context behavioral advertising.
The CCPA regulations also require businesses to honor the Global Privacy Control (GPC) browser signal as a valid opt-out request. Technically the signal arrives in two places: as the request header `Sec-GPC: 1` on every HTTP request, and in the page as `navigator.globalPrivacyControl === true`. If either is present, your site must treat the visitor as if they had clicked "Do Not Sell or Share", without requiring a banner interaction first.
Consumer rights: GDPR vs CCPA
| Right | GDPR | CCPA/CPRA |
|---|---|---|
| Right to know / access | ✓ (Article 15) | ✓ |
| Right to delete | ✓ (Article 17) | ✓ |
| Right to correct | ✓ (Article 16) | ✓ (added by CPRA) |
| Right to data portability | ✓ (Article 20) | ✓ |
| Right to opt out of sale | N/A (consent required upfront) | ✓ (core right) |
| Right to opt out of profiling / automated decisions | ✓ (Article 22: solely automated decisions with legal or similarly significant effects) | ✓ (added by CPRA, implemented through CPPA regulations on automated decision-making technology) |
| Right to non-discrimination | ✓ (implied) | ✓ (explicit) |
| Right to limit sensitive data use | ✓ (Article 9, special categories) | ✓ (added by CPRA) |
Penalties and enforcement
GDPR fines
The GDPR allows fines at two tiers: up to €10 million or 2% of global turnover for procedural violations, and up to €20 million or 4% of global turnover for substantive violations (including consent). Fines are issued by national Data Protection Authorities (DPAs) and have reached hundreds of millions of euros.
CCPA fines
The CCPA allows administrative fines of up to $2,500 per violation and up to $7,500 per intentional violation or violation involving a consumer under 16. While these seem modest compared to the GDPR, they are assessed per violation, which can mean per affected consumer, per incident. A violation affecting 100,000 consumers could in theory carry fines of up to $750 million at the $7,500 rate.
The CCPA also grants consumers a private right of action for data breaches caused by a failure to maintain reasonable security, with statutory damages of $100-$750 per consumer per incident or actual damages, whichever is greater. Class actions under this provision are increasingly common.
How to comply with both GDPR and CCPA
If your website serves users in both the EU and California, you need to satisfy both laws simultaneously. The good news: if you're GDPR-compliant, you're most of the way to CCPA compliance, since the GDPR is stricter in most areas. It is not a superset, though: the CCPA has specific requirements the GDPR does not, such as a "Do Not Sell or Share" mechanism and honoring the GPC signal, so a GDPR consent flow alone will not satisfy it.
- Use geo-targeting to show the right consent experience per region
- Implement a full opt-in consent banner for EU visitors
- Add a "Do Not Sell or Share" mechanism for California visitors
- Honor GPC signals from all visitors
- Maintain consent records and data processing logs
- Provide a way for users to exercise their rights (access, delete, correct)
- Keep your privacy policy up to date with both GDPR and CCPA disclosures
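The checklist above describes a single decision that has to be made on every request: given the visitor's region, any stored consent, and the GPC signal, which non-essential scripts may run and which controls must be shown. The following is an added example (not code from the original article) that makes that decision explicit. It assumes a geo lookup that already maps the visitor to a regime (`'gdpr'`, `'ccpa'` or `'other'`), a stored consent record keyed by category, and a constructed split of categories into first-party analytics (not a sale/share) and third-party marketing pixels (a sale/share, i.e. cross-context behavioral advertising); those names and that split are assumptions for the example. The GPC surfaces used are the ones in the GPC specification: the `Sec-GPC: 1` request header and `navigator.globalPrivacyControl`.

```javascript
// Added example, not code from the original article. Consent gating for one
// request, combining: (1) legal regime from your geo lookup (assumed input),
// (2) a stored consent record (assumed shape), (3) the Global Privacy Control
// signal ("Sec-GPC: 1" header, or navigator.globalPrivacyControl in the page).

// Non-essential categories and whether running them is a CCPA "sale or sharing".
// Assumed split for the example: first-party analytics is not; ad pixels are.
const CATEGORIES = {
  analytics: { sellsOrShares: false },
  marketing: { sellsOrShares: true },
};

// Server side: browsers with GPC enabled send "Sec-GPC: 1" on every request.
// Only the exact value "1" is a signal; absence or any other value is none.
function hasGpcHeader(headers) {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return typeof raw === 'string' && raw.trim() === '1';
}

// Client side: the same preference is exposed on the navigator object.
function hasGpcDom(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// regime: 'gdpr' | 'ccpa' | 'other'   (from geo-targeting, assumed)
// consent: { analytics: bool, marketing: bool } recorded earlier, or null
// gpc: result of hasGpcHeader() or hasGpcDom()
// optedOutOfSale: true once the visitor used the "Do Not Sell or Share" control
function decide({ regime, consent = null, gpc = false, optedOutOfSale = false }) {
  const allow = {};

  for (const [name, meta] of Object.entries(CATEGORIES)) {
    if (regime === 'gdpr') {
      // Opt-in: nothing non-essential runs without an affirmative record.
      allow[name] = consent !== null && consent[name] === true;
    } else {
      // Opt-out: runs by default; sale/share stops on GPC or Do Not Sell.
      const optedOut = gpc || optedOutOfSale;
      allow[name] = !(meta.sellsOrShares && optedOut);
    }
    // Honor GPC from every visitor: a sale/share category never runs while GPC
    // is set, even if an older consent record said yes (design choice: treat
    // the signal as a withdrawal for those categories).
    if (gpc && meta.sellsOrShares) allow[name] = false;
  }

  return {
    allow,
    // EU visitors with no record must see the opt-in banner before anything loads.
    showBanner: regime === 'gdpr' && consent === null,
    // California visitors always get the "Do Not Sell or Share" control.
    showDoNotSellLink: regime === 'ccpa',
  };
}

// Convenience for an HTTP handler: derive the GPC flag from request headers.
function decideForRequest(headers, regime, consent, optedOutOfSale) {
  return decide({ regime, consent, gpc: hasGpcHeader(headers), optedOutOfSale });
}
```

Use the returned `allow` map to decide which tags the page emits (or which tags a tag manager fires); the `showBanner` and `showDoNotSellLink` flags drive the geo-targeted UI. Because the GPC check is applied after the regime logic, the signal is honored for every visitor, which is what the checklist asks for, and under the GDPR it only ever removes permissions, never grants them.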
Frequently asked questions
Does the CCPA apply to businesses outside California?
Yes. The CCPA applies to any for-profit business that meets the thresholds and collects personal information from California residents, regardless of where the business is located.
Is the CPRA a separate law from the CCPA?
The CPRA (California Privacy Rights Act) is an amendment to the CCPA that took effect January 1, 2023. It added new consumer rights (correction, limiting sensitive data use), created the California Privacy Protection Agency (CPPA), and strengthened opt-out requirements. The laws are typically referred to together as "CCPA/CPRA."
Can I just show a GDPR banner to everyone?
You can, but it's not ideal. Showing a full opt-in consent banner to users in regions without consent requirements creates unnecessary friction and can reduce analytics data and ad revenue. Geo-targeting lets you show the appropriate experience for each visitor's location.
What is the Global Privacy Control (GPC)?
GPC is a browser-level signal (similar to the old Do Not Track, but with legal backing) that tells websites the user wants to opt out of the sale and sharing of their data. It is sent as the `Sec-GPC: 1` request header and exposed to page scripts as `navigator.globalPrivacyControl`. Under the CCPA regulations, businesses must honor it as an opt-out request. Brave and the DuckDuckGo browser send GPC by default; Firefox offers it as a setting.
Sources & References
- General Data Protection Regulation (EU) 2016/679, Articles 3, 4(11), 6, 7, 9, 15-22, 83
- California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100-1798.199.100)
- California Privacy Rights Act of 2020 (Proposition 24)
- CCPA/CPRA Regulations, California Privacy Protection Agency
- California AG: CCPA enforcement actions
This guide is for informational purposes only and does not constitute legal advice.