CCPA vs. GDPR – A Detailed Comparison

Data privacy has become one of the defining issues of our digital age, and with AI systems now training on vast datasets, the stakes have only gotten higher. Two laws that sit at the center of most data privacy-related compliance conversations are the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR). Though both laws aim to give individuals more control over their personal information, they differ in scope, structure, geography, and enforcement.

Here’s a breakdown of how each law works, where they overlap, and where they are different.

Background

The CCPA took effect on January 1, 2020. In November 2020, California voters approved Proposition 24, known as the California Privacy Rights Act (CPRA), which expanded and strengthened the original law. The CPRA amendments came into force on January 1, 2023, and represent the current version of the law. References to the CCPA today should be understood to mean the CCPA as amended by the CPRA.

The GDPR, on the other hand, came into effect on May 25, 2018, and serves as the EU’s primary framework for data protection. It applies to any organization, anywhere in the world, that processes personal data belonging to EU residents. It is broadly regarded as the most comprehensive privacy law in existence and has influenced data protection legislation in many other countries.

What the Two Laws Share

For all their differences, the CCPA and GDPR share the same fundamental premise: people deserve a real say in how their personal information is used.

Both laws give individuals the right to access, correct, and request deletion of their data. Both require organizations to be upfront about what they’re collecting and why. Both mandate reasonable security practices. And both impose real penalties for organizations that don’t comply.

Key Differences

Though both laws have the same goal, there are differences in scope and structure.

Scope of Application

The CCPA applies to for-profit businesses that operate in California and meet at least one of the following criteria:

  • Annual gross revenue exceeding $25 million.
  • Buying, selling, receiving, or sharing the personal information of 100,000 or more California consumers or households per year.
  • Generating 50% or more of annual revenue from selling or sharing California residents’ personal information.

The GDPR has a far broader scope. It applies to any organization that processes the personal data of EU residents, regardless of the organization’s size, location, or whether it operates for profit. A small company outside the EU that collects data from European customers is still subject to GDPR.

Definition of Personal Data

Both laws define personal information broadly, though the GDPR’s definition is generally considered more expansive. The GDPR explicitly includes indirect identifiers, like cookies, IP addresses, and other online identifiers that can be used to identify a person. The CCPA covers a similarly wide range of information, including names, addresses, browsing history, and geolocation data, but the GDPR’s scope is wider in practice.

Consumer Rights

Under the CCPA (as amended by the CPRA), California consumers have the right to:

  • Know what personal information a business collects, uses, shares, or sells
  • Delete their personal information, subject to certain exceptions
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of their personal information
  • Limit the use and disclosure of sensitive personal information
  • Not be discriminated against, meaning businesses may not penalize consumers for exercising these rights

On the other hand, under the GDPR, EU residents have the right to:

  • Access the personal data an organization holds about them
  • Rectify inaccurate or incomplete data
  • Erase their data under certain conditions, commonly referred to as the Right to Be Forgotten
  • Data portability, allowing individuals to receive their data in a structured, machine-readable format
  • Restrict processing in certain circumstances, such as when the accuracy of data is disputed
  • Object to the processing of their data in specific situations, including direct marketing

A quick comparison shows that the GDPR offers a broader set of rights, but the CPRA’s additions of the right to correct and the right to limit sensitive data use have brought the two frameworks closer together.

Consent Model: Opt-Out vs. Opt-In

One of the key structural differences between the two laws is in consent handling. The CCPA operates on an opt-out basis, meaning businesses may collect and use personal data by default, and consumers must actively choose to opt out.

The GDPR works differently. It takes an opt-in approach, where organizations must obtain explicit consent from individuals before processing their data. This distinction explains why websites operating under GDPR rules tend to present more prominent consent notices before collecting any information.

Enforcement and Penalties

The CPRA established the California Privacy Protection Agency (CPPA), a dedicated regulatory body that shares enforcement authority with the Attorney General and district attorneys. Penalties under the CCPA stand at up to $2,500 per unintentional violation and up to $7,500 per intentional violation. Consumers retain the right to bring private lawsuits in the event of a qualifying data breach.

The GDPR imposes substantially higher financial consequences. Organizations found in violation can face fines of up to 4% of annual global revenue or €20 million, whichever is greater. These are not merely theoretical figures; major fines have been issued against large organizations. Unlike the CCPA, the GDPR does not generally provide for a private right of action, but the scale of regulatory penalties makes compliance a serious financial consideration.

Third-Party Data Sharing

The CCPA requires businesses to disclose when they sell or share consumer data with third parties and to honor consumer requests to opt out of such practices. The CPRA built on these requirements and introduced specific contractual requirements governing relationships with service providers, contractors, and third parties to strengthen accountability throughout the data supply chain.

The GDPR takes a broader approach to this issue. It requires organizations to have a lawful basis for any data sharing, whether or not a sale is involved, and to be transparent about who receives personal data and for what purpose.

Data Breach Notification

The GDPR requires organizations to notify the relevant supervisory authority of a data breach within 72 hours of becoming aware of it, provided the breach presents a risk to individuals’ rights and freedoms. Where the risk is significant, affected individuals must also be informed.

The CCPA does not contain a standalone breach notification requirement. However, California’s existing data breach notification law applies. Under California law, businesses must notify California residents if unencrypted personal information is acquired by unauthorized persons, with notification required within 30 days of discovery. A “private right of action” allows consumers to sue for statutory damages ($100–$750) per incident if breaches result from poor security.

Data Protection Officer

The GDPR requires certain organizations to appoint a Data Protection Officer (DPO), particularly those that carry out large-scale processing of sensitive data or systematic monitoring of individuals. The DPO is responsible for overseeing compliance and serves as a point of contact for both the organization and regulators.

The CCPA imposes no equivalent obligation. Businesses subject to the CCPA are not required to designate a DPO.

These are the main areas in which the CCPA and GDPR diverge.

Which Law Applies to Your Organization?

For organizations that handle personal data belonging to EU residents, GDPR compliance is mandatory regardless of where the organization is based. Since the GDPR is stricter across most dimensions, meeting its requirements will generally satisfy CCPA obligations as well.

Organizations that only handle data from California residents and meet the applicable thresholds can focus on just CCPA compliance. The CCPA is a narrower framework and is generally less resource-intensive to implement than the GDPR.

However, organizations operating across both markets will need to satisfy the requirements of both laws. In practice, building a privacy program around GDPR standards from the outset is often the more efficient path, as it avoids having to revise processes later to meet a stricter standard.

Key Takeaway

The CCPA and GDPR are renowned privacy laws that reflect a shared commitment to protecting individuals’ personal data. The GDPR remains the more comprehensive of the two, with a broader scope, more extensive consumer rights, and higher financial penalties. The CPRA amendments have strengthened the CCPA, adding new consumer rights and establishing a dedicated enforcement agency in the CPPA, but the GDPR still sets the higher standard overall.

For businesses working out their obligations, the starting point is simple: know which law applies to you, understand what data you’re collecting and how you’re using it, and make sure your compliance program reflects the current version of each law rather than older iterations that have since been updated.

It also helps to leverage software platforms that automate many of the repetitive tasks, reduce compliance gaps, and improve the overall outcomes.

Lavanya Rathnam

Lavanya Rathnam is an experienced technology, finance, and compliance writer. She combines her keen understanding of regulatory frameworks and industry best practices with exemplary writing skills to communicate complex concepts of Governance, Risk, and Compliance (GRC) in clear and accessible language. Lavanya specializes in creating informative and engaging content that educates and empowers readers to make informed decisions. She also works with different companies in the Web 3.0, blockchain, fintech, and EV industries to assess their products’ compliance with evolving regulations and standards.
