GDPR vs CCPA: What's the Difference?

Published July 7, 2026 · PolicyAI

The GDPR and CCPA both protect personal data, but they differ in scope, rights, penalties, and who they apply to. A clear side-by-side breakdown for site owners.

Skip the legalese — generate a compliant privacy policy in under a minute.

Try PolicyAI free →

Navigating the world of data privacy can feel like learning a new language. Two of the most prominent “dialects” are the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), now largely superseded by the California Privacy Rights Act (CPRA). While both aim to protect personal data, they originate from different legal traditions and have distinct requirements. This article breaks down the key differences between GDPR and CCPA/CPRA, providing you with practical insights to understand which regulations apply to your business and how to achieve compliance.

GDPR: The European Standard

The GDPR, enacted by the European Union in 2018, is widely considered the gold standard in data protection. It applies to any organization – regardless of location – that processes the personal data of individuals located within the EU. This is known as extraterritorial reach, and it’s a crucial point for businesses outside of Europe. “Personal data” is broadly defined and includes any information relating to an identified or identifiable natural person.

Key Principles of GDPR

  1. Lawfulness, Fairness, and Transparency: You must have a legitimate basis for processing data (consent, contract, legitimate interest, legal obligation, etc.) and be transparent about how you use it.
  2. Purpose Limitation: You can only collect data for specified, explicit, and legitimate purposes, and cannot reuse it for different, incompatible purposes without fresh consent.
  3. Data Minimization: You should only collect data that is adequate, relevant, and limited to what is necessary for the specified purpose.
  4. Accuracy: Data must be accurate and kept up-to-date.
  5. Storage Limitation: You should only retain data for as long as necessary for the purpose for which it was collected.
  6. Integrity and Confidentiality: You must protect data against unauthorized access, processing, loss, or destruction.
  7. Accountability: You are responsible for demonstrating compliance with the GDPR principles.

Key GDPR Requirements for You

  • Consent: Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes are a no-go. You need to be able to demonstrate *when* and *how* consent was obtained.
  • Data Subject Rights: Individuals have the right to access, rectify, erase, restrict processing, data portability, and object to processing of their personal data. You must have procedures in place to handle these requests within one calendar month.
  • Data Protection Officer (DPO): Depending on the scale and nature of your data processing, you may be required to appoint a DPO.
  • Data Protection Impact Assessments (DPIAs): Required for high-risk processing activities.
  • Breach Notification: You must notify the relevant supervisory authority (and, in some cases, affected individuals) of data breaches within 72 hours.

CCPA/CPRA: The California Approach

The CCPA, which came into effect in 2020, and the CPRA, which amended it in 2023, grant California consumers significant control over their personal information. While inspired by the GDPR, the CCPA/CPRA takes a different approach. It focuses more on consumer rights and less on the detailed process requirements of the GDPR.

Who Does CCPA/CPRA Apply To?

The CCPA/CPRA applies to businesses that:

  1. Do business in California.
  2. Meet *one* of the following thresholds:
    • Annual gross revenues exceed $25 million.
    • Process the personal information of 50,000 or more California consumers, households, or devices.
    • Derive 50% or more of their annual revenues from selling or sharing personal information.

The CPRA introduced the concept of “sharing” personal information for behavioral advertising purposes, broadening the scope of the law. It also created the California Privacy Protection Agency (CPPA) to enforce the regulations.

Key CCPA/CPRA Rights for Consumers

  • Right to Know: Consumers can request information about the personal information a business collects about them, the sources of that information, the purposes for collecting it, and the categories of third parties with whom it’s shared.
  • Right to Delete: Consumers can request that a business delete their personal information.
  • Right to Opt-Out of Sale or Sharing: Consumers can opt-out of the sale or sharing of their personal information. This is a significant difference from GDPR, where consent is key. CCPA/CPRA focuses on providing an opt-out mechanism.
  • Right to Correct: (Introduced by CPRA) Consumers can request that inaccurate personal information be corrected.
  • Right to Limit Use of Sensitive Personal Information: (Introduced by CPRA) Consumers can limit the use of their sensitive personal information (e.g., social security number, financial account details).

GDPR vs. CCPA/CPRA: A Side-by-Side Comparison

Here’s a table summarizing the key differences:

| Feature | GDPR | CCPA/CPRA | |---|---|---| | **Geographic Scope** | EU – applies to processing of EU residents’ data regardless of where the business is located | California – applies to businesses meeting specific thresholds and processing data of California residents | | **Legal Basis for Processing** | Requires a lawful basis (consent, contract, legitimate interest, etc.) | Primarily focuses on consumer rights to know, delete, and opt-out; less emphasis on lawful basis | | **Consent** | Requires explicit, freely given, specific, informed, and unambiguous consent | Doesn’t require consent for all processing; opt-out mechanisms are central | | **Data Minimization** | Strong emphasis on collecting only necessary data | Less strict data minimization requirements | | **Enforcement** | EU Data Protection Authorities (DPAs) | California Privacy Protection Agency (CPPA) | | **Fines** | Up to €20 million or 4% of annual global turnover, whichever is higher | Up to $7,500 per intentional violation; $2,500 per unintentional violation | | **Data Subject Rights** | Broad range of rights, including access, rectification, erasure, portability, and objection | Focuses on right to know, delete, opt-out, correct, and limit use of sensitive information | | **DPO Requirement** | May be required | Not required |

Beyond GDPR and CCPA/CPRA: Other Relevant Laws

It’s important to remember that GDPR and CCPA/CPRA are not the only data privacy laws. Other relevant regulations include:

  • ePrivacy Directive (EU): Governs electronic communications, including cookies and direct marketing. Often referred to as the “Cookie Law.”
  • PIPEDA (Canada): Canada’s Personal Information Protection and Electronic Documents Act.
  • LGPD (Brazil): Brazil’s General Data Protection Law, similar in many ways to the GDPR.
  • Various State Privacy Laws (US): More US states are enacting comprehensive privacy laws, such as Virginia, Colorado, Connecticut, and Utah.

What Should You Do Now?

  1. Determine Applicability: Identify which laws apply to your business based on your location, the location of your customers, and your data processing activities.
  2. Conduct a Data Audit: Map out what personal data you collect, how you use it, where it’s stored, and with whom you share it.
  3. Update Your Privacy Policy: Ensure your privacy policy accurately reflects your data processing practices and complies with applicable laws.
  4. Implement Data Subject Request Mechanisms: Establish procedures for handling data subject requests (access, deletion, correction, etc.).
  5. Train Your Employees: Educate your employees about data privacy principles and your organization’s compliance program.
  6. Stay Informed: Data privacy laws are constantly evolving. Keep up-to-date with the latest changes and best practices.

Successfully navigating these regulations requires ongoing effort and a commitment to protecting personal data. Remember, this information is for general educational purposes and should not be considered legal advice. Consult with a qualified legal professional for guidance specific to your situation.

Ready to get compliant?

Answer a few questions about your website, store, or app — PolicyAI generates a customized, compliant privacy policy in under a minute.

Start free →