TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. GDPR and CCPA: Key Differences and How to Comply
Legal Compliance

GDPR and CCPA: Key Differences and How to Comply

Understand the differences between GDPR and CCPA, what each law requires, and how to comply with both. Covers scope, rights, penalties, and practical steps.

TermsBox Team|April 3, 202615 min read

The GDPR and CCPA are two of the most consequential privacy laws affecting businesses that operate online. The GDPR (General Data Protection Regulation) governs how organizations handle personal data of EU and EEA residents. The CCPA (California Consumer Privacy Act) gives California residents control over how businesses collect and use their personal information. If your business has a web presence, understanding what GDPR and CCPA require, and where they differ, is foundational to legal compliance.

This guide breaks down both laws side by side, covering scope, consumer rights, compliance obligations, penalties, and practical steps for meeting both standards. This is educational content and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.

What Is GDPR and CCPA?

Understanding what GDPR and CCPA are starts with recognizing that they solve the same core problem, personal data protection, but from different legal traditions and with different mechanisms.

The GDPR

The General Data Protection Regulation (EU Regulation 2016/679) took effect on May 25, 2018. It applies to any organization that processes personal data of individuals located in the EU or EEA, regardless of where the organization itself is based. The GDPR replaced the 1995 Data Protection Directive and established a unified framework across all EU member states.

The GDPR operates on an opt-in model: businesses must have a lawful basis (such as explicit consent) before collecting or processing personal data. Article 6 defines six lawful bases, with consent being the most commonly referenced for consumer-facing services.

The CCPA

The California Consumer Privacy Act (California Civil Code Sections 1798.100 through 1798.199.100) took effect on January 1, 2020, and was significantly amended by the California Privacy Rights Act (CPRA) with enforcement beginning July 1, 2023. The CCPA applies to for-profit businesses that meet specific revenue or data volume thresholds and collect personal information from California residents.

The CCPA operates on an opt-out model: businesses may collect personal information by default but must give consumers the right to opt out of its sale or sharing. This fundamental difference in approach, opt-in versus opt-out, shapes nearly every aspect of how the two laws work in practice.

Who Must Comply with GDPR and CCPA

The scope of each law determines which businesses fall under its jurisdiction. Many businesses must comply with both CCPA and GDPR simultaneously.

GDPR applicability

The GDPR applies broadly to:

  • Any organization established in the EU/EEA that processes personal data
  • Any organization outside the EU/EEA that offers goods or services to EU/EEA residents
  • Any organization that monitors the behavior of EU/EEA residents (e.g., through website tracking)

There is no revenue threshold or company size minimum. A one-person business with a website that tracks visitors from the EU using Google Analytics is subject to the GDPR. The only exemptions are for purely personal activities and law enforcement purposes under separate directives.

CCPA applicability

The CCPA is narrower. It applies to for-profit businesses that collect personal information from California residents and meet at least one of these thresholds:

  1. Annual gross revenue exceeding $25 million
  2. Annually buying, selling, or sharing the personal information of 100,000 or more consumers, households, or devices
  3. Deriving 50% or more of annual revenue from selling or sharing personal information

Nonprofit organizations and government entities are exempt from the CCPA. Small businesses below all three thresholds are also exempt, though they may be covered by other state privacy laws.

Overlap in practice

Most online businesses that meet the CCPA thresholds will also fall under the GDPR if they have any EU visitors. If your website uses analytics or advertising tools that track visitors globally, you are likely subject to both laws. This dual applicability is why understanding GDPR and CCPA together matters more than studying either law in isolation.

GDPR vs. CCPA: Key Differences

While GDPR and CCPA share the goal of protecting personal data, they differ in structure, scope, and specific requirements. Here is how they compare across the areas that matter most for compliance.

Consent model

This is the most significant difference between CCPA and GDPR:

  • GDPR: Opt-in. Businesses must obtain explicit consent or establish another lawful basis (Article 6) before processing personal data. For cookies and tracking, the ePrivacy Directive requires consent before placing non-essential cookies.
  • CCPA: Opt-out. Businesses may collect personal information by default. Consumers have the right to opt out of the sale or sharing of their data. An exception applies to minors: businesses must obtain opt-in consent for consumers under 16 (and parental consent for those under 13).

Definition of personal data

Both laws define personal data broadly, but with distinct scopes:

  • GDPR "personal data": Any information relating to an identified or identifiable natural person (Article 4(1)). Includes names, email addresses, IP addresses, cookie identifiers, location data, and biometric data.
  • CCPA "personal information": Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household (Section 1798.140(v)). Explicitly includes household-level data and inferences drawn from other data.

The CCPA's inclusion of household-level data and inferences gives it a slightly broader scope in certain contexts.

Individual rights

Both laws grant individuals significant control over their data, but the specific rights differ:

Right GDPR CCPA
Right to know/access Article 15 Section 1798.100
Right to delete Article 17 Section 1798.105
Right to correct Article 16 Section 1798.106 (CPRA)
Right to data portability Article 20 Section 1798.100
Right to opt out of sale Not applicable (consent is opt-in) Section 1798.120
Right to limit sensitive data use Not directly (covered by consent) Section 1798.121 (CPRA)
Right to non-discrimination Not explicit (but protected broadly) Section 1798.125
Right to object to processing Article 21 Not directly equivalent
Right to restrict processing Article 18 Not directly equivalent

Penalties and enforcement

The penalty structures reflect the different regulatory philosophies:

  • GDPR: Administrative fines up to 20 million EUR or 4% of global annual turnover, whichever is higher (Article 83). Enforced by Data Protection Authorities in each EU member state. Major fines include 1.2 billion EUR against Meta (2023) and 746 million EUR against Amazon (2021).
  • CCPA: Civil penalties of $2,500 per unintentional violation and $7,500 per intentional violation, enforced by the California Attorney General and the California Privacy Protection Agency (CPPA). Consumers also have a private right of action for data breaches involving unencrypted personal information, with statutory damages of $100 to $750 per consumer per incident.

The GDPR's percentage-based fines create substantially larger exposure for large enterprises, while the CCPA's per-violation structure can compound rapidly when violations affect many consumers.

What GDPR and CCPA Require for Your Privacy Policy

Both laws impose specific disclosure requirements on your privacy policy. If you need to create or update one, a privacy policy generator can help you cover the required elements.

GDPR privacy policy requirements

Under Articles 13 and 14 of the GDPR, your privacy policy must disclose:

  • The identity and contact details of the data controller
  • Contact details of your Data Protection Officer (if applicable)
  • The purposes and lawful basis for each type of processing
  • Categories of personal data collected
  • Recipients or categories of recipients of the data
  • Whether data is transferred outside the EU/EEA, and the legal mechanisms used
  • Data retention periods or the criteria used to determine them
  • All individual rights available under the GDPR
  • The right to lodge a complaint with a supervisory authority
  • Whether provision of data is a statutory or contractual requirement

CCPA privacy policy requirements

Under Section 1798.100 of the CCPA (as amended by the CPRA), your privacy policy must disclose:

  • Categories of personal information collected in the preceding 12 months
  • The purposes for which each category is collected and used
  • Categories of sources from which personal information is collected
  • Categories of third parties to whom personal information is disclosed
  • Whether personal information is sold or shared, and the categories involved
  • Retention periods for each category of personal information
  • Instructions for submitting access, deletion, and correction requests
  • The consumer's right to opt out of sale or sharing
  • The consumer's right to limit use of sensitive personal information
  • A "Do Not Sell or Share My Personal Information" link if applicable

Combined approach

If your business is subject to both GDPR and CCPA, maintaining a single comprehensive privacy policy that addresses both sets of requirements is the most practical approach. Many businesses add a California-specific section to their GDPR-compliant policy, covering the CCPA's unique disclosure requirements like categories of data sold and the opt-out right.

How to Comply with Both GDPR and CCPA

Meeting both standards simultaneously requires a systematic approach. The good news is that GDPR compliance covers most of what the CCPA requires, so building on a GDPR foundation is the most efficient path.

Step 1: Map your data processing

Before implementing any compliance measures, document exactly what personal data you collect and how it flows through your business:

  1. Identify every source of personal data collection (website forms, cookies, third-party integrations, offline sources)
  2. Categorize the data types collected at each point
  3. Document the purpose for each type of data collection
  4. Map where data is stored, who has access, and whether it is shared with third parties
  5. Record retention periods for each data category

This data map serves as the foundation for both GDPR's Records of Processing Activities (Article 30) and the CCPA's disclosure requirements.

Step 2: Implement consent management

Your consent approach must satisfy the stricter standard, which is the GDPR's opt-in requirement:

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now
  • Deploy a cookie consent banner that blocks non-essential cookies before consent (GDPR requirement)
  • Configure geo-based consent modes: opt-in for EU/EEA visitors, opt-out for California visitors
  • Implement a "Do Not Sell or Share My Personal Information" link for CCPA compliance
  • Store consent records with timestamps and specific categories for GDPR accountability

A compliance platform like TermsBox can handle consent management with a cookie banner that adapts its behavior based on visitor location, applying opt-in for EU visitors and opt-out for California visitors under a single implementation.

Step 3: Build rights fulfillment processes

Both laws give individuals the right to request access, deletion, and (under the CPRA) correction of their data. You need processes to:

  • Receive and verify identity for data subject requests (GDPR: Article 12, CCPA: Section 1798.130)
  • Respond within the required timeframes (GDPR: one month, CCPA: 45 days)
  • Fulfill requests across all systems where the individual's data is stored
  • Document your response for accountability

Provide at least two methods for submitting requests. The CCPA requires a toll-free number for businesses that operate offline. Both laws accept web forms, email addresses, or dedicated portals.

Step 4: Update your privacy policy

Create a privacy policy that satisfies both GDPR and CCPA requirements. Start with the GDPR's more extensive disclosure requirements, then add CCPA-specific sections:

  • A California-specific notice describing categories of information collected, sold, and shared
  • A clear "Do Not Sell or Share" section with opt-out instructions
  • Disclosure of financial incentives related to personal information (if applicable)
  • Specific mention of the consumer's right to non-discrimination

Use a privacy policy generator to create a compliant document that covers both frameworks, then have it reviewed by legal counsel.

Step 5: Implement technical safeguards

Both GDPR and CCPA require appropriate security measures to protect personal data:

  • Encrypt personal data in transit (TLS/HTTPS) and at rest
  • Implement access controls limiting who can view or modify personal data
  • Maintain audit logs for data access and modifications
  • Establish a breach notification process (GDPR: 72 hours to supervisory authority, CCPA: "expeditious" notification to affected consumers)

GDPR and CCPA for Specific Business Types

Compliance requirements under CCPA and GDPR vary depending on your business model. Here is how the two laws apply to common scenarios.

E-commerce businesses

Online stores typically collect extensive personal data through accounts, orders, payment processing, and marketing. Key considerations:

  • Product recommendations: Using purchase history for personalized recommendations constitutes "profiling" under GDPR Article 22 and may involve "sale" or "sharing" of data under the CCPA if third-party tools are involved
  • Abandoned cart emails: Require consent under GDPR. Under CCPA, consumers can opt out of data used for retargeting
  • Customer reviews: Collecting names and email addresses for reviews requires disclosure under both laws
  • Payment data: PCI DSS compliance supplements but does not replace GDPR and CCPA requirements

SaaS and subscription businesses

Software companies processing user data face additional considerations:

  • Usage analytics: Tracking in-app behavior collects personal data under both laws. Cookie consent rules apply to web-based SaaS
  • Sub-processors: GDPR Article 28 requires Data Processing Agreements with every sub-processor. The CCPA requires service provider agreements (Section 1798.100(d))
  • Data portability: GDPR Article 20 gives users the right to receive their data in a machine-readable format. The CCPA provides a similar right under Section 1798.100

Content publishers and blogs

Even sites that primarily publish content must comply if they use tracking:

  • Analytics: Google Analytics, heatmaps, and A/B testing tools collect personal data
  • Advertising: Display ads, affiliate links, and sponsored content often involve cookie-based tracking
  • Comment systems: Collecting names and email addresses for comments triggers both laws
  • Newsletter signups: Require explicit consent under GDPR. The CCPA does not require consent but mandates disclosure

The Expanding Privacy Law Landscape Beyond GDPR and CCPA

Understanding GDPR and CCPA is essential, but the privacy law landscape continues to expand. Building your compliance program for only these two laws risks falling behind.

US state privacy laws

Since the CCPA, multiple US states have enacted comprehensive privacy laws:

  • Virginia (VCDPA): Effective January 1, 2023
  • Colorado (CPA): Effective July 1, 2023
  • Connecticut (CTDPA): Effective July 1, 2023
  • Utah (UCPA): Effective December 31, 2023
  • Texas (TDPSA): Effective July 1, 2024
  • Oregon (OCPA): Effective July 1, 2024
  • Montana (MCDPA): Effective October 1, 2024

Each law has different applicability thresholds, consumer rights, and enforcement mechanisms. The trend is clearly toward more regulation, not less.

International privacy laws

Outside the US and EU, significant privacy laws include:

  • LGPD (Brazil): Closely modeled on the GDPR, with fines up to 2% of revenue in Brazil (capped at 50 million BRL per infraction)
  • PIPEDA (Canada): Federal privacy law with provincial equivalents, being replaced by the proposed Consumer Privacy Protection Act
  • POPIA (South Africa): Requires lawful processing bases similar to the GDPR
  • PDPA (Thailand): Heavily influenced by the GDPR, with consent as a primary processing basis

Building for scalability

Rather than implementing one-off compliance measures for each law, build a privacy program that scales:

  • Maintain a single, comprehensive privacy policy that addresses all applicable laws with jurisdiction-specific sections
  • Implement consent management that adapts based on visitor location
  • Design data subject request processes that fulfill requirements across multiple laws simultaneously
  • Use compliance tools that update as laws change, rather than static documents that require manual revision

A privacy policy generator can create a document covering GDPR and CCPA requirements as a starting point, but ongoing compliance requires monitoring regulatory changes and updating your practices accordingly.

Frequently Asked Questions

What is the main difference between GDPR and CCPA?

The GDPR requires businesses to obtain explicit consent before collecting personal data (opt-in model), while the CCPA allows businesses to collect data by default and gives consumers the right to opt out of its sale or sharing (opt-out model). The GDPR applies to any organization processing EU residents' data regardless of size, whereas the CCPA only applies to for-profit businesses meeting specific revenue or data volume thresholds.

Do I need to comply with both GDPR and CCPA?

If your business serves customers in both the EU/EEA and California, and you meet the applicability thresholds for each law, then yes. Many online businesses fall under both because they have a global audience. Complying with the GDPR generally covers most CCPA requirements, but the CCPA has distinct obligations like honoring "Do Not Sell or Share My Personal Information" opt-out requests that require separate implementation.

What are the penalties for violating GDPR and CCPA?

GDPR penalties reach up to 20 million EUR or 4% of global annual turnover, whichever is higher. CCPA civil penalties range from $2,500 per unintentional violation to $7,500 per intentional violation. The CCPA also grants consumers a private right of action for data breaches with statutory damages of $100 to $750 per consumer per incident. Both laws have issued significant fines, with GDPR enforcement resulting in multi-billion-euro penalties against major tech companies.

Does GDPR compliance mean I am also CCPA compliant?

Not automatically. While GDPR compliance covers many CCPA requirements because the GDPR is stricter in most areas, the CCPA has specific obligations that the GDPR does not address. These include the "Do Not Sell or Share" opt-out right, the requirement to disclose the financial value of consumer data, and specific notice requirements like a "Do Not Sell My Personal Information" link on your website. You need to address these CCPA-specific items separately.

What counts as personal data under GDPR and CCPA?

Both laws define personal data broadly, but the CCPA's definition of "personal information" is slightly wider. The GDPR covers any information relating to an identified or identifiable natural person. The CCPA covers information that identifies, relates to, describes, or could reasonably be linked to a consumer or household. Notably, the CCPA explicitly includes household-level data and inferences drawn from other data points, which the GDPR addresses through its broad interpretive framework rather than explicit text.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Is GDPR and CCPA?
  • The GDPR
  • The CCPA
  • Who Must Comply with GDPR and CCPA
  • GDPR applicability
  • CCPA applicability
  • Overlap in practice
  • GDPR vs. CCPA: Key Differences
  • Consent model
  • Definition of personal data
  • Individual rights
  • Penalties and enforcement
  • What GDPR and CCPA Require for Your Privacy Policy
  • GDPR privacy policy requirements
  • CCPA privacy policy requirements
  • Combined approach
  • How to Comply with Both GDPR and CCPA
  • Step 1: Map your data processing
  • Step 2: Implement consent management
  • Step 3: Build rights fulfillment processes
  • Step 4: Update your privacy policy
  • Step 5: Implement technical safeguards
  • GDPR and CCPA for Specific Business Types
  • E-commerce businesses
  • SaaS and subscription businesses
  • Content publishers and blogs
  • The Expanding Privacy Law Landscape Beyond GDPR and CCPA
  • US state privacy laws
  • International privacy laws
  • Building for scalability
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.