If your business operates online, you've heard of both CCPA and GDPR. But figuring out which applies — and what each actually requires — is confusing. They both deal with data privacy, but they come from different legal traditions and have very different enforcement.
Quick Comparison
| Feature | CCPA/CPRA | GDPR |
|---|---|---|
| Who it protects | California residents | EU/EEA residents |
| Who must comply | For-profit businesses meeting thresholds | Any org processing EU residents' data |
| Legal basis | Opt-out (process unless told not to) | Opt-in (need legal basis first) |
| Consent required? | Only for selling/sharing data | Yes, for most processing |
| Maximum fine | $7,500 per violation | €20M or 4% of global revenue |
| Private lawsuits? | Yes (data breaches only) | Yes (broader scope) |
Who Does CCPA Apply To?
The California Consumer Privacy Act applies to for-profit businesses that collect personal information from California residents AND meet at least one threshold:
- Annual gross revenue over $25 million
- Buy/sell/share data of 100,000+ California consumers or households
- Derive 50%+ of revenue from selling/sharing personal information
Your business doesn't need to be in California. If you have customers or website visitors in California and meet the thresholds, CCPA applies.
Who Does GDPR Apply To?
GDPR applies to any organization that:
- Has an establishment in the EU and processes personal data, OR
- Offers goods or services to people in the EU (even for free), OR
- Monitors the behavior of people in the EU (cookies, analytics, profiling)
GDPR has no revenue threshold. A one-person startup with a website accessible in Europe that uses Google Analytics could technically fall under GDPR.
The Core Philosophical Difference
CCPA = opt-out. Businesses can collect and process data by default. Consumers have the right to say "stop." The burden is on the consumer.
GDPR = opt-in. Businesses must have a lawful basis before processing any personal data. In many cases, this means getting explicit consent first. The burden is on the business.
This is why European websites have prominent cookie consent banners while American websites often don't — it reflects the underlying legal philosophy.
Consumer Rights: Side by Side
Right to know/access: Both laws require businesses to tell consumers what data they collect. GDPR goes further by requiring a portable, machine-readable format.
Right to delete: Both laws allow deletion requests. GDPR has fewer exceptions.
Right to opt out: Under CCPA, consumers can opt out of data selling/sharing. GDPR doesn't need this because selling data requires consent in the first place.
Right to correct: Both laws allow consumers to correct inaccurate data.
Right to non-discrimination: CCPA explicitly prohibits discrimination against consumers who exercise their rights.
Not sure which privacy laws apply to your business? ComplyZen analyzes your location, customer base, and data practices to identify every applicable regulation — including state-level privacy laws.
Penalties: Very Different Stakes
GDPR fines are famously severe — up to €20 million or 4% of global annual turnover. Major companies have been fined hundreds of millions. For small businesses, even lower-tier fines are existentially threatening.
CCPA fines are per-violation: $2,500 unintentional, $7,500 intentional. But CCPA's private right of action for data breaches means consumers can sue for $100-$750 per incident. A breach affecting 100,000 Californians could mean $10-$75 million in class action liability.
If You Need Both: The Pragmatic Approach
Build your privacy program to GDPR standards — it's stricter, so GDPR compliance generally satisfies CCPA with minor additions:
- Publish a comprehensive privacy policy covering both laws
- Implement cookie consent management (opt-in for EU users)
- Create mechanisms for all consumer rights requests
- Maintain records of processing activities
- Appoint a Data Protection Officer if required by GDPR
- Conduct data protection impact assessments for high-risk processing
Don't Forget State Privacy Laws
As of 2026, over 15 US states have enacted comprehensive privacy laws. Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others each have unique provisions. This patchwork makes compliance increasingly complex for businesses operating across multiple states.
An AI-powered compliance tool can track which laws apply to your specific situation — saving you from reading 15 different state statutes.