GDPR vs CCPA: Key Differences Explained
GDPR and CCPA both grant data subject rights but differ in scope, consent model, and enforcement. GDPR applies to any organisation processing EU residents' data worldwide and requires a positive lawful basis; CCPA/CPRA applies to for-profit California businesses meeting revenue or data thresholds and uses an opt-out model for data sales. US companies with EU users need GDPR; EU companies with California users above the thresholds need CCPA. Most multinational tech companies need both.
What is the difference between GDPR and CCPA?
- GDPR requires opt-in lawful basis; CCPA uses opt-out for data sales
- GDPR fines: up to €20M or 4% of global turnover; CCPA: $7,500 per intentional violation
- GDPR scope: any organisation processing EEA residents' data; CCPA: California businesses above revenue/data thresholds
- Both apply simultaneously if you have EU and California users
Side-by-side comparison
| Aspect | EU GDPR | US-CA CCPA / CPRA |
|---|---|---|
| Legal basis | Requires one of 6 lawful bases (Art. 6); opt-in where consent is the basis | Opt-out model for data sales and sharing; consent required only for sensitive data (CPRA) |
| Geographic scope | Any organisation processing EEA residents' data, wherever based | For-profit businesses in California meeting revenue (>$25M), data volume (>100k consumers), or revenue-from-sale (>50%) thresholds |
| Maximum fine | €20M or 4% of global annual turnover (higher of the two) | $7,500 per intentional violation; $2,500 per unintentional violation (CPPA enforcement) |
| Data subject rights | 8 rights: access, rectification, erasure, portability, restriction, objection, automated decisions, withdraw consent | 7 rights: know, delete, opt-out of sale/sharing, non-discrimination, correct, limit sensitive use (CPRA) |
| Consent model | Opt-in required for consent-based processing; no pre-ticked boxes | Opt-out required for sale/sharing of personal information; opt-in for under-16s |
| DPO requirement | Mandatory for public bodies, large-scale processing, or high-risk special categories | No equivalent requirement |
| International transfers | Requires adequacy decision, SCCs, or BCRs for transfers outside EEA | No equivalent cross-border transfer mechanism |
| Enforcement body | National DPAs (e.g. CNIL, BfDI, ICO) + EDPB for cross-border cases | California Privacy Protection Agency (CPPA) + California Attorney General |
| Special categories | Explicit consent or specific Art. 9 derogation required for sensitive data | CPRA adds 'sensitive personal information' category with opt-out right |
Who needs to comply with both?
You need both GDPR and CCPA/CPRA if you are a for-profit business that (a) has users, visitors, or employees in the EU/EEA and (b) either has annual gross revenue above $25M, buys/sells/receives data on 100,000+ California consumers per year, or derives more than 50% of annual revenue from selling California consumers' personal information.
In practice: most SaaS companies over ~$20M revenue with international traffic need both. A single privacy policy can cover both, but it must include CCPA-specific sections (categories of data sold, opt-out mechanism) and GDPR-specific sections (lawful bases, DPA contact, transfer mechanisms).
Frequently asked questions
What is the main difference between GDPR and CCPA?
GDPR is a European regulation requiring a positive lawful basis for any personal data processing with an opt-in default for consent; CCPA is a California law using an opt-out model for data sales. GDPR fines reach up to 4% of global turnover; CCPA fines are per-violation. GDPR also has broader data subject rights and mandatory DPO requirements in some cases.
Do I need to comply with both GDPR and CCPA?
Yes, if you have both EU/EEA users and California users (and meet CCPA revenue/data thresholds). Most SaaS companies over $25M revenue with international users need to comply with both. A single privacy policy can address both but must meet each law's specific disclosure requirements.
Is CCPA stricter than GDPR?
GDPR is generally considered stricter: it requires a positive lawful basis before processing (not just an opt-out), has higher maximum fines (4% global turnover vs $7,500/violation), and includes more data subject rights. CCPA/CPRA is specifically strong on opt-out rights for data sales and sharing.
Does GDPR apply to US companies?
Yes. GDPR applies to any organisation that processes personal data of people in the EU/EEA, regardless of where the company is based. A US company with EU customers, website visitors, or employees in the EU must comply with GDPR.
Informational only. Not legal advice; consult qualified legal counsel for your specific situation.