CCPA vs GDPR
CCPA and GDPR are the two most influential data privacy laws currently in force. But they are not the same law, and compliance with one does not guarantee compliance with the other. Understanding where they overlap — and where they diverge — is essential for any organization operating across the EU and the US.
What Is GDPR?
The General Data Protection Regulation is the European Union’s comprehensive data protection framework, in force since May 2018. It governs how organizations collect, process, store, and share the personal data of individuals in the EU and the European Economic Area.
GDPR applies to any organization that processes EU residents’ personal data — regardless of where the organization is based. A US company with no EU office is still subject to GDPR if it offers goods or services to EU residents or monitors their behavior online.
Key features of GDPR:
- Requires a lawful basis before any personal data is processed
- Grants individuals eight rights over their personal data
- Requires a record of processing activities (RoPA) documenting all data processing
- Requires data processing agreements with all vendors handling personal data
- Mandates breach notification to supervisory authorities within 72 hours
- Fines of up to €20 million or 4% of global annual turnover, whichever is higher
What Is CCPA?
The California Consumer Privacy Act entered into force on 1 January 2020 and was significantly strengthened by the California Privacy Rights Act (CPRA), which took effect on 1 January 2023. The CPRA introduced sensitive personal information as a distinct category, added data minimization requirements, established the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, and extended opt-out rights to cover data sharing, not just data sales.
References to CCPA in this article include the CPRA amendments unless otherwise noted.
CCPA applies to for-profit businesses doing business in California that meet at least one of the following thresholds:
- Annual gross revenue exceeding $26,625,000 (2025-2026 inflation-adjusted figure)
- Processing personal information of 100,000 or more California residents or households annually
- Deriving 50% or more of annual revenue from selling or sharing personal information
A business does not need to be physically located in California to be subject to CCPA. An online retailer based in New York that sells to California residents and meets one of the above thresholds must comply.
Key features of CCPA:
- Operates on an opt-out model — data collection is permitted by default
- Grants California residents rights to know, delete, correct, and opt out of data sales and sharing
- Requires a “Do Not Sell or Share My Personal Information” mechanism
- Requires service provider agreements with vendors handling personal data
- Fines of $2,663 per violation / $7,988 per intentional violation or violation involving minors
- Civil damages of $107–$799 per consumer per incident for data breaches
CCPA vs GDPR: The Fundamental Difference – Opt-In vs Opt-Out
The most important distinction between GDPR and CCPA is their approach to data processing consent.
Under GDPR, an organization cannot collect or process personal data without first establishing one of six legal bases for processing personal data: consent, contract, legal obligation, vital interests, public task, or legitimate interest. Data collection is prohibited by default until a legal basis is identified and documented. This applies to every processing activity — not just marketing or data sales.
Under CCPA, data collection is permitted by default. Businesses may collect and process personal information unless the consumer opts out. The opt-out right applies specifically to the sale and sharing of personal information — not to collection itself. Businesses must provide a mechanism for consumers to opt out, but they do not need prior consent to collect data.
This difference has practical consequences. A business that is already GDPR-compliant has established legal bases for all its processing activities, which gives it a structural advantage when approaching CCPA. But the reverse is not necessarily true — CCPA compliance does not mean GDPR requirements are met.
Scope and Applicability
| | GDPR | CCPA/CPRA |
|---|---|---|
| Who it protects | Any individual in the EU/EEA | California residents |
| Who must comply | Any org processing EU data | For-profit businesses meeting thresholds |
| Size threshold | None | Revenue, data volume, or revenue from data sales |
| Non-profit exemption | No | Yes — CCPA applies only to for-profit businesses |
| Extraterritorial reach | Yes | Yes |
Individual Rights
Both laws grant individuals rights over their personal data, but the scope differs.
Rights under GDPR: access, rectification, erasure, restriction of processing, data portability, objection, and rights related to automated decision-making. These rights apply to all personal data processing, regardless of the purpose.
Rights under CCPA: right to know what data is collected and how it is used, right to delete, right to correct, right to opt out of sale or sharing, right to limit use of sensitive personal information, right to non-discrimination for exercising rights.
Response timelines also differ. GDPR requires a response within one month. CCPA requires a response within 45 days, with a possible 45-day extension.
Both laws prohibit businesses from discriminating against individuals who exercise their privacy rights.
Vendor Obligations
Both laws impose obligations on how organizations manage third-party vendors that handle personal data.
Under GDPR, any vendor that processes personal data on behalf of your organization is a data processor and must sign a data processing agreement that specifies the nature, purpose, and duration of processing, as well as the rights and obligations of each party. The controller remains accountable for how the processor handles the data.
Under CCPA, vendors are classified as service providers or contractors depending on how they use the data. A binding written contract is required, restricting the vendor to processing data only for the specified business purpose and prohibiting the sale or sharing of that data.
The practical requirements are similar — both frameworks demand documented vendor agreements — but the legal terminology, required contract provisions, and compliance obligations differ.
Cross-Border Data Transfers
GDPR imposes strict restrictions on transferring personal data outside the EU/EEA. Data may only be transferred to countries that the European Commission has deemed to provide an adequate level of protection, or where specific safeguards are in place — such as standard contractual clauses, binding corporate rules, or the EU-US Data Privacy Framework. See our full guide on data transfers outside the EEA.
CCPA imposes no equivalent restrictions on international data transfers. A California business may transfer personal data to any country without additional safeguards under CCPA, provided the data is handled in accordance with the consumer’s rights and the business’s privacy policy.
Penalties
| | GDPR | CCPA/CPRA |
|---|---|---|
| Regulatory fines | Up to €20M or 4% of global annual turnover | $2,663 per violation / $7,988 intentional or involving minors |
| Civil litigation | Limited in most jurisdictions | Consumer can sue for $107–$799 per incident per data breach |
| Calculated on | Global annual revenue | Per violation |
| Enforced by | EU data protection authorities | California Privacy Protection Agency (CPPA) |
GDPR fines are calculated on worldwide revenue, not just EU operations. This means a US company with modest EU revenue but significant global turnover faces proportionally larger exposure under GDPR than under CCPA.
Do Both Laws Apply to You?
If your organization processes personal data of both EU residents and California residents, both laws may apply simultaneously — and they must be met independently. Compliance with one does not satisfy the other.
Organizations subject to both typically find that GDPR is the more demanding framework in terms of upfront documentation, legal basis requirements, and vendor management. Building GDPR compliance first tends to create a foundation that simplifies CCPA compliance, because many of the operational processes — data mapping, rights request workflows, vendor agreements — overlap in structure even where they differ in specifics.
For a detailed guide on GDPR obligations for US-based businesses, see GDPR compliance for US companies.
What to Prioritize if Both Apply
Data mapping first. Both laws require that you know what personal data you hold, where it comes from, where it goes, and how long you keep it. This is the foundation of compliance under both frameworks — without it, neither RoPA requirements (GDPR) nor privacy policy disclosures (CCPA) can be completed accurately.
Separate workflows for EU and California requests. Response timelines differ (one month vs 45 days), verification requirements differ, and the data delivered in response to access requests may differ. A single rights-request workflow is unlikely to satisfy both laws without jurisdiction-specific adaptations.
Vendor contracts need dual compliance. A GDPR-compliant data processing agreement and a CCPA-compliant service provider agreement are not identical. If you have vendors who process both EU and California personal data, your contracts need to address both frameworks — typically through additional clauses rather than separate agreements.
Privacy policy must cover both. GDPR requires certain disclosures in a privacy notice. CCPA requires different — though often overlapping — disclosures in a privacy policy. Many organizations maintain a single comprehensive privacy policy that addresses both, with jurisdiction-specific sections where the requirements diverge.
Managing Dual Compliance Operationally
The operational challenge of managing GDPR and CCPA simultaneously is primarily one of documentation and process. Both laws require that you maintain records, respond to requests, manage vendors, and demonstrate accountability. When processes for one law are already in place, adapting them for the other is significantly more efficient than building from scratch.
iGDPR supports organizations managing records of processing activities, data subject and consumer rights requests, vendor agreements, and risk assessments in a single system — including for organizations operating across multiple entities or jurisdictions.
Frequently Asked Questions
Is CCPA the same as GDPR?
No. CCPA and GDPR operate on fundamentally different models. CCPA permits data collection by default and focuses on opt-out rights. GDPR requires a lawful basis before any personal data is processed. Meeting CCPA requirements does not satisfy GDPR’s legal basis, documentation, or vendor agreement obligations.
Does GDPR compliance mean CCPA compliance?
Not automatically, but GDPR compliance provides a strong foundation. Organizations that have mapped their data, established legal bases, documented processing activities, and implemented vendor agreements are well positioned to meet CCPA requirements with targeted additions — particularly around opt-out mechanisms and California-specific disclosures.
What is the main difference between CCPA and GDPR?
The consent model. GDPR requires opt-in — you must have a lawful basis before processing begins. CCPA requires opt-out — you may collect data by default, but must allow consumers to stop you from selling or sharing it. This difference shapes how cookie banners, consent flows, and data collection practices need to be implemented.
Which law carries higher penalties?
GDPR fines are generally higher in absolute terms — up to €20 million or 4% of global annual turnover. CCPA fines are per-violation ($2,663 / $7,988) and can accumulate, but CCPA also opens the door to consumer class action litigation, which can be significant for large-scale breaches.
Does CCPA apply to companies outside the US?
Yes, if they do business in California and meet one of the three thresholds. A UK or EU company selling to California residents with annual revenue above the threshold must comply with CCPA, regardless of where it is incorporated.
Can one privacy policy cover both laws?
Many organizations maintain a single privacy policy that covers both, with jurisdiction-specific sections. GDPR requires disclosures about legal bases, data transfers, and retention periods. CCPA requires disclosures about categories of data collected, sale or sharing of data, and consumer rights. These can be combined in one document if clearly structured.
Manage GDPR and multi-jurisdiction compliance in one place
iGDPR helps you build and maintain your record of processing activities, manage data subject and consumer rights requests, document legal bases, and track vendor agreements — across multiple entities and jurisdictions if needed. See how it works in practice.