GDPR vs CCPA: Key Differences Explained

The GDPR and CCPA are the world's two most influential privacy laws, but they work differently. Here is a detailed comparison of who they cover, what rights they grant, and how they are enforced.

Published April 9, 2026 in Privacy Basics

TL;DR: The GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) are the two most influential privacy laws in the world, but they differ in fundamental ways. The GDPR uses an opt-in consent model, covers all individuals in the EU, and imposes fines up to 4% of global revenue. The CCPA uses an opt-out model, covers California residents, and allows fines up to $7,500 per violation. Both give individuals rights over their personal data, but the GDPR is broader in scope and stricter in enforcement.

GDPR vs CCPA: What Are They?

The GDPR and CCPA are data privacy laws that give individuals control over their personal information. Both regulate how companies collect, store, share, and use personal data -- but they were designed for different populations and built on different legal philosophies.

The GDPR (General Data Protection Regulation) went into effect on May 25, 2018. It applies to all organizations that process personal data of individuals in the European Union, regardless of where the organization is based. The GDPR is considered the gold standard of privacy legislation worldwide.

The CCPA (California Consumer Privacy Act) went into effect on January 1, 2020. It applies to for-profit businesses that collect personal data of California residents and meet certain revenue or data volume thresholds. The CCPA was later amended and expanded by the CPRA (California Privacy Rights Act), which took full effect on January 1, 2023.

Both laws have forced companies worldwide to change how they handle personal data. PrivacyFetch tracks compliance signals for both regulations across every company in its directory.

Side-by-Side Comparison Table

| Feature | GDPR (EU) | CCPA/CPRA (California) |
|---|---|---|
| Effective date | May 25, 2018 | Jan 1, 2020 (CCPA); Jan 1, 2023 (CPRA amendments) |
| Who it covers | All individuals in the EU/EEA | California residents |
| Who it applies to | Any organization processing EU data, regardless of size | For-profit businesses meeting revenue/data thresholds |
| Business thresholds | None; applies to all data controllers | $25M+ revenue, 100K+ consumers' or households' data, or 50%+ revenue from selling or sharing data |
| Consent model | Opt-in (a lawful basis, in practice consent for tracking, before collecting) | Opt-out (can collect, but must allow opt-out of sales and sharing) |
| Definition of personal data | Broad: any data relating to an identifiable person | Broad: information that identifies, relates to, or could be linked to a consumer or household |
| Right to access | Yes | Yes |
| Right to delete | Yes ("right to be forgotten") | Yes |
| Right to correct | Yes | Yes (added by CPRA) |
| Right to data portability | Yes | Yes (added by CPRA) |
| Right to opt out of sales | N/A (lawful basis required upfront) | Yes: "Do Not Sell or Share My Personal Information" |
| Right to opt out of profiling | Yes | Yes (added by CPRA for automated decision-making) |
| Right to restrict processing | Yes | Limited |
| Right to object | Yes | Limited |
| Data breach notification | 72 hours to the supervisory authority | "In the most expedient time possible" |
| Maximum fines | 4% of global annual revenue or EUR 20M, whichever is higher | $2,500 per violation; $7,500 per intentional violation |
| Enforcement body | National Data Protection Authorities (DPAs) | California Privacy Protection Agency (CPPA); Attorney General |
| Private right of action | Yes (compensation under Article 82), but rarely used; collective redress varies by member state | Yes, for data breaches ($100-$750 per consumer per incident) |
| Data Protection Officer required | Yes, in many cases | No |
| Data Processing Agreements required | Yes | Yes (service provider agreements) |
| Applies to nonprofits | Yes | No |
| Extraterritorial reach | Yes: applies to any company processing data of people in the EU | Yes: applies to any company processing CA residents' data |

Consent Model: Opt-In vs Opt-Out

The consent model is the most important philosophical difference between the two laws.

GDPR: Opt-In by Default

Under the GDPR, companies must have a lawful basis before processing any personal data, and for non-essential cookies and tracking that basis is in practice the user's consent, obtained before collection starts. This means:

  • Cookie consent banners must get your approval before loading tracking scripts
  • Companies need a lawful basis for every data processing activity
  • Consent must be "freely given, specific, informed, and unambiguous"
  • Pre-checked boxes do not count as consent
  • You must be able to withdraw consent as easily as you gave it

The six lawful bases for processing under GDPR are: consent, contract performance, legal obligation, vital interests, public interest, and legitimate interests.

CCPA: Opt-Out by Default

Under the CCPA, companies can collect and process your data without asking permission first. The law gives you the right to opt out after the fact:

  • Companies can collect data immediately upon your visit
  • You must actively find and use the "Do Not Sell or Share My Personal Information" link
  • Companies must honor the Global Privacy Control (GPC) browser signal, which the browser sends as the Sec-GPC: 1 request header and exposes to page scripts as navigator.globalPrivacyControl
  • Opt-out applies to data sales and to sharing for cross-context behavioral advertising; it does not stop collection itself

The practical difference is significant. Under GDPR, a company starts with no data and must establish a lawful basis (for tracking, your consent) before collecting. Under CCPA, a company starts collecting immediately and you must take action to stop sales and sharing.

This is why European websites show cookie consent pop-ups (a requirement of the ePrivacy Directive, applied using the GDPR's consent standard) and American websites generally do not, unless the company has chosen to comply with GDPR globally.
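As an added example (not code from the original article or from PrivacyFetch), the following JavaScript puts the two gating rules described above side by side: under the opt-in regime no tracking script loads until the user has affirmatively consented to that purpose, while under the opt-out regime scripts for sale or cross-context sharing load until the user opts out or the browser sends the Global Privacy Control signal (the Sec-GPC: 1 request header, or navigator.globalPrivacyControl on the client). The tracker catalogue, the "analytics=1;ads=0" cookie format and all function names are assumptions made for this example.

```javascript
// Added example: consent gate for tracking scripts under an opt-in (GDPR/ePrivacy)
// versus an opt-out (CCPA/CPRA) regime, honouring the GPC signal.
// Names, the tracker catalogue and the cookie format are assumptions for this example.

const OPT_IN = "opt-in";   // GDPR: nothing non-essential runs without affirmative consent
const OPT_OUT = "opt-out"; // CCPA/CPRA: sale/share runs until the user opts out or sends GPC

// Constructed tracker catalogue. saleOrShare marks purposes that count as a
// "sale" or a cross-context behavioural advertising "share" under the CPRA.
const TRACKERS = [
  { purpose: "analytics", saleOrShare: false, src: "https://example.invalid/analytics.js" },
  { purpose: "ads",       saleOrShare: true,  src: "https://example.invalid/ads.js" },
];

// Parse a recorded choice such as "analytics=1;ads=0" into { analytics: true, ads: false }.
// Only an explicit "1" counts as granted; a missing key means "no choice recorded".
function parseConsentCookie(value) {
  const out = {};
  for (const part of String(value || "").split(";")) {
    const [k, v] = part.split("=").map((s) => s.trim());
    if (k) out[k] = v === "1";
  }
  return out;
}

// True when the browser asserted GPC: either the Sec-GPC: 1 request header
// (checked server side, header names compared case-insensitively) or
// navigator.globalPrivacyControl === true (checked client side).
function gpcSignalled({ headers = {}, nav = null } = {}) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  if (String(h["sec-gpc"] || "").trim() === "1") return true;
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide, per purpose, whether its script may load.
//   regime:  OPT_IN or OPT_OUT
//   consent: object from parseConsentCookie
//   gpc:     result of gpcSignalled
// OPT_IN: an absent or negative choice is a refusal; there are no pre-ticked defaults.
// OPT_OUT: only sale/share purposes are gated; they load unless the user recorded an
// opt-out or GPC is present, which the CPRA regulations require treating as an opt-out.
function decideTracking({ regime, consent = {}, gpc = false }) {
  const decision = {};
  for (const t of TRACKERS) {
    const choice = consent[t.purpose]; // true, false, or undefined
    if (regime === OPT_IN) {
      decision[t.purpose] = choice === true;
    } else if (regime === OPT_OUT) {
      decision[t.purpose] = t.saleOrShare ? choice !== false && !gpc : true;
    } else {
      throw new Error(`unknown regime: ${regime}`);
    }
  }
  return decision;
}

// Script URLs that may be injected, in catalogue order.
function scriptsToLoad(decision) {
  return TRACKERS.filter((t) => decision[t.purpose]).map((t) => t.src);
}

// Browser-side injector: script tags for refused purposes are never created, so
// no tracker reaches the DOM before the decision is made (what an opt-in banner
// must guarantee). `doc` is the page's document object.
function injectScripts(decision, doc) {
  for (const src of scriptsToLoad(decision)) {
    const s = doc.createElement("script");
    s.src = src;
    s.async = true;
    doc.head.appendChild(s);
  }
}
```

Server-side use is the same decision with the regime picked by the visitor's region and `gpc` taken from the request headers; the point of keeping the decision pure is that the same function can be unit-tested and then applied both when rendering the page and when responding to a later opt-out request.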

Who Is Covered?

GDPR Scope

The GDPR covers all individuals located in the EU/EEA, regardless of citizenship. It applies to every organization that processes their data, no matter where that organization is based. A company in Texas that has users in Germany must comply with the GDPR for those users.

There are no revenue thresholds or business size exemptions. A one-person business blog that collects email addresses from EU visitors is technically subject to the GDPR.

CCPA Scope

The CCPA covers California residents only. And it only applies to for-profit businesses that meet at least one of these thresholds:

  • Annual gross revenue over $25 million
  • Buys, sells, or shares the personal information of 100,000 or more California consumers or households per year
  • Derives 50% or more of annual revenue from selling or sharing California consumers' personal information

Small businesses, nonprofits, and companies below these thresholds are exempt. This means the CCPA covers far fewer businesses than the GDPR.

What Counts as Personal Data?

Both laws define personal data broadly, but with differences:

| Data Type | GDPR | CCPA |
|---|---|---|
| Name, email, phone number | Yes | Yes |
| IP address | Yes | Yes |
| Cookie identifiers | Yes | Yes |
| Device identifiers | Yes | Yes |
| Location data | Yes | Yes |
| Biometric data | Yes (special category) | Yes (sensitive personal information) |
| Health data | Yes (special category) | Yes (sensitive personal information) |
| Racial or ethnic origin | Yes (special category) | Yes (sensitive personal information) |
| Household-level data | Ambiguous | Yes: CCPA explicitly covers household data |
| Publicly available information | Depends on context | Generally excluded |
| Employee data | Yes | Yes (as of CPRA) |
| B2B contact data | Yes | Yes (as of CPRA) |

The GDPR recognizes "special categories" of data (biometric, health, racial, religious, sexual orientation, political opinions, trade union membership) that receive extra restrictions. The CCPA's equivalent is "sensitive personal information": under the CPRA consumers get a right to limit its use and disclosure (the "Limit the Use of My Sensitive Personal Information" link), which is still an opt-out mechanism rather than the GDPR's upfront explicit consent.

Penalties and Enforcement

GDPR Penalties

GDPR fines are designed to be significant enough to change corporate behavior:

  • Tier 1: Up to EUR 10 million or 2% of global annual revenue (whichever is higher) for administrative violations
  • Tier 2: Up to EUR 20 million or 4% of global annual revenue (whichever is higher) for violations of core principles or data subject rights

Major GDPR fines to date include:

| Company | Fine | Year | Reason |
|---|---|---|---|
| Meta (Ireland) | EUR 1.2 billion | 2023 | Unauthorized EU-US data transfers |
| Amazon (Luxembourg) | EUR 746 million | 2021 | Non-compliant ad targeting |
| Meta/WhatsApp (Ireland) | EUR 225 million | 2021 | Transparency violations |
| Google (France) | EUR 150 million | 2022 | Cookie consent violations (refusing cookies was harder than accepting them; imposed by CNIL under France's ePrivacy rules rather than the GDPR itself) |

Enforcement is handled by national Data Protection Authorities (DPAs) in each EU member state. For cross-border processing, the DPA of a company's main establishment acts as its "lead supervisory authority" and coordinates with the other DPAs concerned.

CCPA Penalties

CCPA fines are smaller per violation but can add up:

  • $2,500 per unintentional violation
  • $7,500 per intentional violation
  • $100-$750 per consumer per data breach incident (private right of action)

The California Privacy Protection Agency (CPPA), created by the CPRA, is the primary enforcement body. The California Attorney General can also bring actions.

The CCPA's private right of action is its distinctive enforcement feature: individual consumers can sue companies directly for data breaches caused by a failure to maintain reasonable security, without waiting for a government investigation. Class action lawsuits under this provision have resulted in multi-million dollar settlements.

Enforcement Comparison

In practice, GDPR enforcement has resulted in far larger individual fines. But the CCPA's private right of action means companies face litigation risk from consumers, not just regulators. Both create meaningful financial incentives for compliance.

How Many Companies Support Each?

Based on PrivacyFetch's analysis of companies in its directory, the compliance landscape is uneven:

  • GDPR compliance signals: The majority of companies analyzed show some level of GDPR awareness -- publishing privacy policies, mentioning EU data subject rights, and including Data Processing Agreements. However, full compliance (proper consent mechanisms, DPO appointment, lawful basis documentation) is less common.
  • CCPA compliance signals: Many large companies include "Do Not Sell My Personal Information" links and reference California consumer rights. Compliance is strongly correlated with company size -- companies above the $25M revenue threshold show significantly higher compliance rates.
  • Both: Companies that operate globally tend to comply with both, often applying GDPR standards worldwide since it is the stricter standard.

You can check any company's compliance indicators on their PrivacyFetch profile under the User Rights tab.

Which Law Is Stronger?

The GDPR is the stronger law by most measures:

  • Broader scope: Covers all controllers and processors, not just large businesses
  • Stricter consent: Requires opt-in, not opt-out
  • Higher fines: Up to 4% of global revenue vs $7,500 per violation
  • More rights: Includes rights to restrict processing and object to profiling
  • Dedicated enforcement: Each EU country has its own DPA with investigative powers

However, the CCPA has one advantage: the private right of action. GDPR enforcement relies mainly on government regulators, who have limited resources; individuals can claim compensation under Article 82, but that route has been used far less. The CCPA lets individual consumers and class action attorneys sue directly for data breaches, creating a powerful private enforcement mechanism.

Key Differences That Matter for Consumers

If You Are in the EU

You have strong default controls. Companies must have a lawful basis, and for tracking your consent, before collecting your data. You can request deletion, portability, and correction. If a company violates your rights, your national DPA can investigate and impose significant fines.

If You Are in California

You have the right to opt out of data sales and request deletion. But companies can collect your data by default -- you must take action to stop them. The "Do Not Sell" mechanism is your primary tool. If a company suffers a data breach that affects you, you can sue.

If You Are in Another US State

Many states have passed their own privacy laws modeled on the CCPA: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and others. These vary in scope and strength. Check your state's specific provisions.

How PrivacyFetch Tracks Compliance

PrivacyFetch analyzes every company's privacy practices against both GDPR and CCPA standards. The User Rights dimension (15% of the overall privacy score) specifically measures:

  • Rights mentioned in the privacy policy: access, deletion, correction, portability, opt-out, consent withdrawal, restrict processing, object to processing
  • Request channels available: online form, email, phone, mail
  • Deletion difficulty: how easy or hard it is to actually exercise your rights
  • GPC/DNT support: whether the company honors privacy browser signals

Companies that support a broad range of rights and make them easy to exercise score higher. Companies that acknowledge rights but make them difficult to use (requiring phone calls, identity verification, or multi-step processes) receive penalties.

Browse companies by their rights support and compliance indicators in the PrivacyFetch directory.

Key Takeaways

  • The GDPR (EU) and CCPA (California) are the world's two most important privacy laws, but they use fundamentally different approaches: opt-in vs opt-out
  • The GDPR applies to all organizations processing the data of people in the EU, regardless of size. The CCPA applies only to larger for-profit businesses handling California residents' data
  • GDPR fines reach up to 4% of global revenue (billions of dollars for large companies). CCPA fines are $2,500-$7,500 per violation, but consumers can sue directly for data breaches
  • Both laws give you rights to access, delete, and correct your data -- but the GDPR grants more rights with stricter enforcement
  • Use PrivacyFetch to check how any company performs on user rights, including GDPR and CCPA compliance indicators

This analysis is based on PrivacyFetch's automated privacy policy analysis. Check any company's privacy score
