Why These Two Laws Dominate Global Privacy Discussions
The General Data Protection Regulation (GDPR), enforced by the European Union since May 2018, and the California Consumer Privacy Act (CCPA), effective since January 2020, represent landmark moments in data privacy legislation. Together, they have reshaped how companies worldwide collect, process, and protect personal data — and their influence has inspired privacy laws in dozens of other jurisdictions.
If your organization handles data belonging to EU residents or California consumers, understanding both frameworks is not optional. This guide breaks down their key similarities, differences, and practical compliance implications.
Side-by-Side Comparison
| Attribute | GDPR | CCPA / CPRA |
|---|---|---|
| Jurisdiction | European Union | California, USA |
| Who It Applies To | Any org processing EU resident data | For-profit businesses meeting size/revenue thresholds |
| Legal Basis for Processing | Required (consent, legitimate interest, etc.) | Not required; opt-out model for sale of data |
| Consumer Rights | Access, rectification, erasure, portability, restriction, objection | Access, deletion, opt-out of sale, non-discrimination |
| Data Breach Notification | 72 hours to supervisory authority | Expedient notice to affected consumers |
| Maximum Penalties | €20 million or 4% of global annual turnover | $7,500 per intentional violation |
| Enforcement Body | Data Protection Authorities (DPAs) | California Attorney General / California Privacy Protection Agency |
Key Similarities
- Both grant individuals the right to access the personal data held about them.
- Both grant individuals a right to deletion (though with different scope and exceptions).
- Both mandate transparency through privacy notices explaining data collection practices.
- Both prohibit discrimination against individuals for exercising their privacy rights.
Critical Differences to Understand
Opt-In vs. Opt-Out
GDPR generally requires an opt-in model: organizations must establish a lawful basis for processing, and where consent is used, it must be freely given, specific, and unambiguous. CCPA, by contrast, follows an opt-out model — businesses can collect and sell personal data by default, but consumers must be provided a clear mechanism to opt out of the sale of their data.
Scope of "Personal Data"
GDPR's definition is broad and covers any information relating to an identified or identifiable natural person. CCPA's scope is similarly broad but explicitly includes household-level data, which GDPR does not directly address.
Extraterritorial Reach
GDPR applies to any organization worldwide that processes EU residents' data, regardless of where the company is based. CCPA applies to for-profit businesses that meet certain thresholds (annual gross revenue over $25 million, data on 100,000+ consumers/households, or deriving 50%+ of annual revenue from selling personal data).
Practical Compliance Steps That Satisfy Both Laws
- Conduct a comprehensive data inventory to understand what personal data you collect, where it's stored, and how it flows.
- Update your privacy notice to clearly describe collection purposes, data categories, and consumer rights under both laws.
- Implement a unified rights request workflow to handle access, deletion, and correction requests efficiently.
- Review third-party data sharing agreements to ensure downstream processors are also compliant.
- Establish a breach response plan that meets both the 72-hour GDPR requirement and CCPA notification standards.
Looking Ahead
The CCPA has been significantly strengthened by the California Privacy Rights Act (CPRA), which added rights around sensitive personal information and established a dedicated enforcement agency. Meanwhile, the EU continues to expand its digital regulatory framework. Organizations that build privacy compliance into their operations — rather than treating it as a checkbox — will be best positioned as the regulatory landscape continues to evolve.