GDPR vs CCPA: Key Differences Explained (2026)
The European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), represent the two most influential data privacy frameworks in the world. While both aim to give individuals more control over their personal data, they differ in scope, enforcement mechanisms, and the obligations they place on organizations.
This guide breaks down every major difference between the GDPR and CCPA so businesses and privacy professionals can understand where the two laws align and where they diverge.
Geographic Scope and Applicability
The GDPR applies to any organization that processes personal data of individuals located in the European Economic Area (EEA), regardless of where that organization is based. A company in Texas that sells products to customers in Germany falls under the GDPR's jurisdiction. The regulation took effect on May 25, 2018, and applies across all 27 EU member states plus Iceland, Liechtenstein, and Norway through the EEA agreement.
The CCPA, effective January 1, 2020, and significantly amended by the CPRA effective January 1, 2023, applies to for-profit businesses that collect personal information from California residents and meet at least one of three thresholds: annual gross revenue exceeding $25 million, buying/selling/sharing the personal information of 100,000 or more consumers or households annually, or deriving 50% or more of revenue from selling or sharing personal information.
Nonprofit organizations and government agencies fall outside the CCPA's scope entirely. The GDPR, by contrast, covers virtually all organizations that handle personal data, including nonprofits and public bodies, with narrow exceptions for purely personal or household activities.
Definitions: Personal Data vs Personal Information
One of the most significant structural differences lies in how each law defines protected data.
The GDPR defines "personal data" broadly as any information relating to an identified or identifiable natural person. This includes names, identification numbers, location data, online identifiers, and factors specific to a person's physical, physiological, genetic, mental, economic, cultural, or social identity. The GDPR also creates a special category for "sensitive personal data" covering racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation. Processing sensitive data requires explicit consent or another specific legal basis under Article 9 of the GDPR.
The CCPA defines "personal information" as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household. The CCPA also introduced the concept of "sensitive personal information" through the CPRA amendments, covering Social Security numbers, financial account details, precise geolocation, racial or ethnic origin, religious beliefs, contents of communications, genetic data, biometric data, health information, and sex life or sexual orientation data.
| Category | GDPR | CCPA/CPRA |
|---|---|---|
| Protected data term | Personal data | Personal information |
| Applies to | Identified or identifiable natural person | Consumer or household |
| Household-level data | Not explicitly included | Included |
| Publicly available data | Still personal data if it identifies someone | Excluded from definition |
| Employee/B2B data | Fully covered | Covered (exemptions expired Jan 2023) |
| Sensitive data category | Special categories (Art. 9) | Sensitive personal information (CPRA) |
Legal Bases for Processing
This area represents perhaps the sharpest philosophical divide between the two frameworks.
The GDPR operates on a permission-based model. Organizations cannot process personal data without first establishing one of six lawful bases defined in Article 6: consent, contract performance, legal obligation, vital interests, public task, or legitimate interests. Organizations must identify and document their legal basis before processing begins.
The CCPA takes an activity-based approach. Businesses can collect and use personal information without obtaining prior consent, but consumers have the right to know what data is collected, to request deletion, and to opt out of the sale or sharing of their data. The CPRA added the right to limit the use of sensitive personal information.
In practice, this means a GDPR-covered business in France must obtain consent (or identify another lawful basis) before collecting a website visitor's email address. A CCPA-covered business in California can collect that same email address at the point of transaction but must disclose that it does so and honor opt-out requests.
Consumer and Data Subject Rights
Both frameworks grant individuals a suite of rights, but the specific rights and their scope differ.
| Right | GDPR | CCPA/CPRA |
|---|---|---|
| Right to know/access | Yes (Art. 15) | Yes |
| Right to delete/erasure | Yes, "right to be forgotten" (Art. 17) | Yes, with broader business exceptions |
| Right to rectification | Yes (Art. 16) | No equivalent |
| Right to data portability | Yes (Art. 20) | Yes (added by CPRA) |
| Right to restrict processing | Yes (Art. 18) | Limited to sensitive PI |
| Right to object | Yes (Art. 21) | No direct equivalent |
| Right to opt out of sale | N/A (no "sale" concept) | Yes, core CCPA right |
| Right to opt out of sharing | N/A | Yes (added by CPRA) |
| Right to limit sensitive data use | Covered by Art. 9 restrictions | Yes (added by CPRA) |
| Right to non-discrimination | Covered by general principles | Explicit right |
| Automated decision-making | Right to human review (Art. 22) | Right to opt out of automated decision-making technology (CPRA) |
The GDPR's right to data portability allows individuals to receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller. The CCPA added a similar right through the CPRA, though it is narrower in scope.
Consent Models: Opt-In vs Opt-Out
The GDPR generally requires opt-in consent for data processing where consent is the chosen legal basis. Under Article 7, consent must be freely given, specific, informed, and unambiguous. Pre-checked boxes, silence, or inactivity do not constitute valid consent. For sensitive data and children's data, the GDPR requires explicit consent, a higher standard.
The CCPA follows an opt-out model for most data processing. Businesses can collect and process personal information without prior consent but must provide a clear "Do Not Sell or Share My Personal Information" link on their website. Consumers exercise their rights by affirmatively opting out.
Two notable exceptions exist in the CCPA: businesses must obtain opt-in consent before selling the personal information of consumers they know to be under 16 years old (with parental consent required for those under 13), and the CPRA requires businesses to provide consumers the right to limit the use of sensitive personal information.
| Consent Aspect | GDPR | CCPA/CPRA |
|---|---|---|
| Default model | Opt-in | Opt-out |
| Children under 16 | Parental consent required under 16 (member states may lower to 13) | Opt-in required for sale of minors' data |
| Sensitive data | Explicit consent required | Right to limit use (opt-out) |
| Consent withdrawal | Must be as easy as giving consent | Must honor opt-out; 12-month wait before re-asking |
| Cookie consent | Required via ePrivacy Directive | Not specifically required (follows general CCPA rules) |
Enforcement and Penalties
The GDPR is enforced by independent Data Protection Authorities (DPAs) in each EU/EEA member state. The regulation establishes a two-tier penalty system under Article 83:
- Lower tier: Up to EUR 10 million or 2% of global annual turnover, whichever is higher, for violations of obligations on controllers and processors, certification bodies, or monitoring bodies.
- Upper tier: Up to EUR 20 million or 4% of global annual turnover, whichever is higher, for violations of data processing principles, conditions for consent, data subject rights, or international transfer rules.
As of 2026, DPAs across Europe have issued billions of euros in cumulative fines. Ireland's Data Protection Commission fined Meta EUR 1.2 billion in May 2023 for unlawful data transfers to the United States, the largest GDPR fine to date.
The CCPA is enforced by the California Attorney General and, since July 2024, the California Privacy Protection Agency (CPPA), the first dedicated state-level privacy enforcement agency in the United States. Penalties include:
- Civil penalties: Up to $2,500 per unintentional violation and $7,500 per intentional violation.
- Private right of action: Consumers can sue directly for data breaches involving certain personal information, with statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
| Enforcement Aspect | GDPR | CCPA/CPRA |
|---|---|---|
| Enforcing authority | National DPAs (27+ authorities) | CA Attorney General + CPPA |
| Maximum fine | EUR 20 million or 4% global revenue | $7,500 per intentional violation |
| Private right of action | Limited (varies by member state) | Yes, for data breaches |
| Cure period | No mandatory cure period | 30-day cure period (AG enforcement only; removed for CPPA enforcement under CPRA) |
| Cross-border enforcement | One-stop-shop mechanism via lead DPA | California jurisdiction only |
Extraterritorial Reach
Both laws extend beyond their geographic borders, but through different mechanisms.
The GDPR applies to organizations outside the EU/EEA that offer goods or services to individuals in the EEA or monitor their behavior within the EEA. Article 3 makes this explicit. Organizations outside the EU that fall under the GDPR's scope must appoint a representative within the EU under Article 27.
The CCPA applies to any for-profit entity that "does business in the State of California" and meets the revenue or data-processing thresholds, even if the business has no physical presence in California. The practical reach is significant: any business with a website accessible to California residents that meets the thresholds is likely covered.
International Data Transfers
The GDPR strictly regulates transfers of personal data outside the EEA. Organizations can transfer data only to countries with an EU adequacy decision, or through mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or the EU-US Data Privacy Framework.
The CCPA does not restrict international transfers of personal information. Businesses can transfer data to any country, though the sale of data to a third party in another country would still be subject to opt-out rights.
Data Protection Officers and Compliance Requirements
The GDPR requires certain organizations to appoint a Data Protection Officer (DPO) under Article 37: public authorities, organizations whose core activities involve systematic monitoring of individuals at scale, or organizations processing sensitive data at scale. The DPO must be independent, report directly to senior management, and cannot be dismissed or penalized for performing their duties.
The CCPA does not require a DPO or similar role. Businesses must respond to consumer requests and maintain reasonable security practices, but there is no mandated internal privacy governance structure.
Both laws require organizations to maintain data processing records. The GDPR's Article 30 requires detailed Records of Processing Activities (RoPAs). The CCPA requires businesses to maintain records of consumer requests and how they were fulfilled for at least 24 months.
Data Breach Notification
Under the GDPR, organizations must notify their supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. If the breach poses a high risk, the organization must also notify affected individuals directly and without undue delay.
The CCPA does not contain its own breach notification requirements. Instead, California relies on its existing breach notification statute, Cal. Civ. Code 1798.82, which requires notification to affected residents "in the most expedient time possible and without unreasonable delay." The CCPA's private right of action, however, applies specifically to breaches involving unencrypted or unredacted personal information.
Practical Compliance: Dual-Framework Approach
Organizations that serve both EU/EEA and California markets often adopt a unified privacy program that meets both standards. Because the GDPR is the stricter framework in most areas, a GDPR-compliant program typically satisfies most CCPA requirements. The reverse is not true.
Key areas where businesses must address CCPA-specific obligations even with GDPR compliance in place include:
- "Do Not Sell or Share" link: Required on websites under the CCPA, with no GDPR equivalent.
- Financial incentive disclosures: The CCPA requires businesses that offer financial incentives tied to data collection to explain the incentive's value and how it was calculated.
- Service provider vs processor contracts: The CCPA's contract requirements for service providers differ in terminology and some specifics from the GDPR's processor requirements.
For a detailed walkthrough of GDPR compliance steps, see our GDPR compliance checklist. For CCPA-specific requirements, see our CCPA compliance checklist.
Comprehensive GDPR vs CCPA Comparison Table
| Feature | GDPR | CCPA/CPRA |
|---|---|---|
| Effective date | May 25, 2018 | Jan 1, 2020 (CCPA); Jan 1, 2023 (CPRA amendments) |
| Geographic scope | EU/EEA + extraterritorial | California + extraterritorial |
| Who is covered | Nearly all organizations processing EU data | For-profit businesses meeting thresholds |
| Revenue threshold | None | $25 million annual gross revenue |
| Data threshold | None | 100,000+ consumers/households |
| Protected data | Personal data (any identified/identifiable person) | Personal information (consumer or household) |
| Consent model | Opt-in | Opt-out |
| Legal bases required | 6 lawful bases (Art. 6) | No lawful basis requirement |
| DPO required | Yes (certain organizations) | No |
| Breach notification | 72 hours to DPA | "Most expedient time possible" (separate CA statute) |
| Maximum penalty | EUR 20M or 4% global revenue | $7,500 per intentional violation |
| Private right of action | Limited | Yes (data breaches) |
| International transfers | Restricted (adequacy, SCCs, BCRs) | Not restricted |
| Right to opt out of sale | N/A | Yes |
| Right to rectification | Yes | No |
| Automated decision-making | Right to human review | Right to opt out (CPRA) |
This information reflects the law as of March 2026. Both the GDPR and CCPA frameworks continue to evolve through regulatory guidance, enforcement actions, and legislative amendments. Consult an attorney for advice specific to your situation.
Sources and References
- GDPR Article 6 - Lawfulness of Processing (gdpr-info.eu)
- GDPR Article 9 - Special Categories of Personal Data (gdpr-info.eu)
- GDPR Article 83 - General Conditions for Imposing Fines (gdpr-info.eu)
- California Consumer Privacy Act (CCPA) Full Text (leginfo.legislature.ca.gov)
- California Privacy Rights Act (CPRA) - Proposition 24 (oag.ca.gov)
- GDPR Article 3 - Territorial Scope (gdpr-info.eu)
- GDPR Article 37 - Designation of the Data Protection Officer (gdpr-info.eu)
- European Commission - Data Protection in the EU (commission.europa.eu)