If your website has visitors from both Europe and California, you need to comply with both GDPR and CCPA. While they share the same goal — protecting personal data — their approach, scope, and requirements differ significantly. Understanding these differences is critical for building a compliance strategy that works worldwide.
Scope: Who Must Comply?
| Criteria | GDPR | CCPA |
|---|---|---|
| Geography | EU/EEA residents | California residents |
| Who it applies to | Any organization processing EU resident data, regardless of size | Businesses with $25M+ revenue, 100k+ consumers, or 50%+ revenue from selling data |
| Type of data | Any personal data (name, IP, cookies, etc.) | Personal information linked to a consumer or household |
| Small business exempt? | No — applies to all | Yes — thresholds must be met |
Consent Model: Opt-In vs Opt-Out
This is the most fundamental difference between the two laws:
- GDPR requires opt-in consent — you cannot process personal data (including setting cookies) until the user explicitly agrees. No pre-checked boxes. No tracking before consent.
- CCPA follows an opt-out model — you can collect and use data by default, but you must provide a "Do Not Sell My Personal Information" link and honor opt-out requests.
In practice, if you comply with GDPR's stricter opt-in model, you're largely covered for CCPA as well. But CCPA has specific requirements (like the "Do Not Sell" link) that GDPR doesn't address.
User Rights Comparison
| Right | GDPR | CCPA |
|---|---|---|
| Right to know/access | Yes (Art. 15) | Yes |
| Right to delete | Yes (Art. 17) | Yes |
| Right to data portability | Yes (Art. 20) | Yes |
| Right to rectify | Yes (Art. 16) | No |
| Right to restrict processing | Yes (Art. 18) | No |
| Right to object | Yes (Art. 21) | Opt-out of sale only |
| Right against automated decisions | Yes (Art. 22) | No |
| Non-discrimination | Implied | Explicit protected right |
Penalties and Enforcement
| Aspect | GDPR | CCPA |
|---|---|---|
| Maximum fine | €20M or 4% of global revenue | $7,500 per intentional violation |
| Enforced by | National Data Protection Authorities | California Attorney General |
| Private right of action | Yes (limited) | Yes (for data breaches) |
| Cure period | No automatic cure | 30 days to fix after notice |
While CCPA fines are lower per violation, they can add up quickly with thousands of affected consumers. GDPR fines are percentage-based and have proven devastating — Meta received a €1.2B fine in 2023.
Cookie and Tracker Requirements
GDPR is much stricter on cookies. Under GDPR, you need consent before loading any non-essential cookies. Under CCPA, cookies are considered "selling" data only if they're used for targeted advertising and involve a third party.
Our cookie consent banner guide explains how to implement a banner that satisfies both regulations simultaneously.
Privacy Policy Differences
Both laws require a privacy policy, but the specific disclosures differ:
- GDPR: Legal basis for processing, DPO contact, international transfers, right to lodge a complaint
- CCPA: Categories of data collected, purpose of collection, third parties data is shared with, "Do Not Sell" instructions
A combined privacy policy that covers both is the most practical approach for most businesses.
What About CPRA?
The California Privacy Rights Act (CPRA) amended CCPA in 2023, adding new requirements:
- Right to correct personal information (similar to GDPR's right to rectification)
- Right to limit use of sensitive personal information
- Data minimization and purpose limitation principles
- New enforcement agency: California Privacy Protection Agency (CPPA)
CPRA makes CCPA more GDPR-like, narrowing the gap between the two regulations.
Practical Compliance Strategy
If you need to comply with both laws, here's the most efficient approach:
- Implement GDPR-level consent (opt-in) — this covers CCPA's opt-out requirement automatically
- Add a "Do Not Sell My Information" link for CCPA compliance
- Write a unified privacy policy with sections for both jurisdictions
- Set up data subject request mechanisms that handle both GDPR and CCPA rights
- Run a compliance audit to identify gaps across both regulations
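The first two steps above can be expressed as one loading rule for trackers. The following is an added example (not code from this page or from PrivacyChecker) that gates every non-essential tracker on explicit opt-in, as GDPR requires, and additionally honors a CCPA "Do Not Sell" opt-out for third-party advertising trackers; the tracker catalogue and category names are constructed for illustration.

```javascript
// Consent gate for a site with both EU and California visitors.
// Policy: GDPR-style opt-in for every non-essential category by default;
// a CCPA "Do Not Sell" opt-out additionally suppresses third-party
// advertising trackers even where the user had earlier opted in.

const CATEGORIES = ['essential', 'analytics', 'advertising'];

// Constructed sample catalogue (not real vendors): each tracker's category
// and whether a third party receives the data, which is what makes a
// cookie a "sale" under CCPA when it is used for targeted advertising.
const TRACKERS = {
  session:   { category: 'essential',   thirdParty: false },
  analytics: { category: 'analytics',   thirdParty: false },
  adPixel:   { category: 'advertising', thirdParty: true },
};

// Opt-in model: nothing except essential is granted until the user acts.
function newConsentState() {
  return { analytics: false, advertising: false, doNotSell: false };
}

// Record an explicit opt-in for the listed categories (essential is implicit).
function grant(state, categories) {
  const next = { ...state };
  for (const c of categories) {
    if (c !== 'essential' && CATEGORIES.includes(c)) next[c] = true;
  }
  return next;
}

// Record a "Do Not Sell My Personal Information" request.
function optOutOfSale(state) {
  return { ...state, doNotSell: true };
}

// True only when loading the tracker is permitted under both laws.
function mayLoad(state, trackerName) {
  const t = TRACKERS[trackerName];
  if (!t) return false;                     // unknown tracker: never load
  if (t.category === 'essential') return true;
  if (!state[t.category]) return false;     // GDPR: no opt-in, no tracker
  if (state.doNotSell && t.thirdParty && t.category === 'advertising') {
    return false;                           // CCPA: opted out of sale
  }
  return true;
}

// The tags a page may inject for a given consent state, in catalogue order.
function allowedTrackers(state) {
  return Object.keys(TRACKERS).filter((n) => mayLoad(state, n));
}
```

Call `allowedTrackers(state)` from the tag loader instead of injecting scripts unconditionally; a banner that flips the state with `grant` or `optOutOfSale` is then the only thing that changes what loads.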
Quick Decision Guide
| Your Situation | What You Need |
|---|---|
| EU visitors only | GDPR compliance |
| California visitors only | CCPA compliance |
| Both EU and US visitors | Both GDPR + CCPA (implement GDPR-level consent) |
| Global audience | GDPR as baseline + region-specific additions |
Not sure which regulations apply to your website? PrivacyChecker automatically detects which laws are relevant based on your visitors and technology stack, and shows you exactly what to fix.