If your website serves users in both the European Union and California, you are likely subject to two of the world’s most influential privacy regulations: the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). While both laws aim to protect personal data, they differ fundamentally in their approach, scope, and enforcement. Understanding these differences is not optional — it is essential for building a compliance strategy that satisfies both frameworks without unnecessary duplication or gaps.
Philosophical Foundations: Opt-In vs Opt-Out
The most fundamental difference between the GDPR and the CCPA lies in their default consent model.
The GDPR operates on an opt-in basis. Under Article 6 of the GDPR, processing personal data requires a lawful basis before any collection occurs. For many types of processing — particularly marketing, profiling, and analytics — explicit consent must be obtained from the data subject before data is collected. This means that when a European user first visits your website, you cannot set non-essential cookies, fire tracking pixels, or collect behavioral data until the user affirmatively opts in.
The CCPA operates on an opt-out basis. Businesses may collect and use personal information without obtaining prior consent (with certain exceptions for minors under 16). Instead, the CCPA gives consumers the right to opt out of the sale or sharing of their personal information after the fact. The business must provide a “Do Not Sell or Share My Personal Information” link, but it can process data by default until the consumer exercises that right.
This distinction has profound practical implications. A GDPR-compliant website that blocks all tracking until consent is given will also satisfy the CCPA’s less restrictive requirements. But a CCPA-compliant website that tracks users by default and relies on opt-out will violate the GDPR if it serves European users without prior consent.
Scope and Applicability
Who is protected
GDPR: Any “data subject” who is in the European Union, regardless of nationality or residence. A US tourist browsing a website while visiting Paris is protected by the GDPR during that visit. The regulation protects individuals (natural persons), not businesses.
CCPA: California “consumers,” defined as natural persons who are California residents. The protection follows the person’s residency, not their physical location. A California resident browsing a website while on vacation in Tokyo is still protected by the CCPA.
Which businesses must comply
GDPR: Any organization, anywhere in the world, that processes the personal data of individuals in the EU, provided the organization offers goods or services to EU residents or monitors their behavior (Article 3). There is no revenue threshold, no data volume minimum. A one-person blog that collects email addresses from EU visitors must comply.
CCPA: For-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue over $25 million; buying, selling, or sharing personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenue from selling or sharing personal information (Cal. Civ. Code section 1798.140(d)). Non-profits and government entities are exempt.
This difference means the GDPR has a much broader reach. A small online shop with a handful of EU customers is subject to the GDPR, while the same business might fall below all CCPA thresholds and be exempt from California law.
For a deeper dive into CCPA-specific requirements, read our guide on what your CCPA privacy policy must include.
Definition of Personal Data
GDPR: “Personal data” means any information relating to an identified or identifiable natural person (Article 4(1)). This includes names, email addresses, IP addresses, cookie identifiers, location data, online identifiers, and even pseudonymized data if re-identification is possible.
CCPA: “Personal information” is defined more broadly in some respects, covering information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (Cal. Civ. Code section 1798.140(v)). The addition of “household” extends coverage beyond the individual. However, publicly available information is explicitly excluded from the CCPA’s definition, while the GDPR makes no such exclusion.
Both laws cover the same core categories (names, emails, IP addresses, device identifiers, browsing history, purchase records), but the CCPA’s household-level scope and the GDPR’s inclusion of publicly available data create divergences that matter in practice.
Consumer/Data Subject Rights
Both laws grant individuals rights over their personal data, but the specifics differ:
| Right | GDPR | CCPA/CPRA |
|---|---|---|
| Right to access/know | Article 15: right to obtain confirmation and a copy of all personal data | Section 1798.100: right to know categories and specific pieces collected in preceding 12 months |
| Right to delete | Article 17: right to erasure (“right to be forgotten”) with broad exceptions | Section 1798.105: right to delete with specified exceptions |
| Right to portability | Article 20: right to receive data in machine-readable format | No equivalent in CCPA |
| Right to correction | Article 16: right to rectification | Section 1798.106 (added by CPRA): right to correct inaccurate information |
| Right to opt out of sale | Not directly applicable (consent-based model) | Section 1798.120: right to opt out of sale and sharing |
| Right to limit sensitive data use | Article 9: special categories require explicit consent | Section 1798.121 (CPRA): right to limit use of sensitive personal information |
| Right to non-discrimination | Implied under general principles | Section 1798.125: explicit prohibition on discriminating against consumers who exercise rights |
| Response time | 1 month (extendable to 3) | 45 days (extendable to 90) |
The GDPR’s rights are generally broader and more established through years of case law and regulatory guidance. The CCPA’s rights are more specifically defined in statute but newer and still evolving through CPPA rulemaking.
Not sure which regulations apply to your website? WebLegal’s free compliance scanner analyses your site and identifies which legal documents and privacy requirements you need to address.
Legal Bases for Processing
This is where the two frameworks diverge most sharply.
GDPR: Article 6 requires one of six lawful bases for every processing activity: consent, contract performance, legal obligation, vital interests, public task, or legitimate interests. The choice of lawful basis must be documented and disclosed to data subjects. For special categories of data (Article 9), an additional condition must be met, typically explicit consent.
CCPA: There is no concept of “lawful basis” in the CCPA. Businesses may collect and process personal information for any disclosed business purpose. The law regulates disclosure and opt-out rights rather than requiring affirmative justification for each processing activity. This is a fundamentally different regulatory architecture.
For businesses subject to both laws, the GDPR’s lawful basis requirements effectively become the governing standard, since you must establish a lawful basis for EU data subjects regardless of what the CCPA permits.
Enforcement and Penalties
GDPR enforcement
Enforcement is carried out by data protection authorities (DPAs) in each EU member state. Maximum penalties under Article 83 are:
- Up to EUR 10 million or 2% of annual global turnover for lesser infringements
- Up to EUR 20 million or 4% of annual global turnover for serious violations
Major enforcement actions have reached hundreds of millions of euros. DPAs can also issue orders to cease processing, ban data transfers, and require specific remediation measures.
CCPA enforcement
Enforcement is shared between the California Attorney General and the California Privacy Protection Agency (CPPA):
- Up to $2,500 per unintentional violation
- Up to $7,500 per intentional violation or violation involving minors
- Private right of action for data breaches: $100 to $750 per consumer per incident (statutory damages)
While the per-violation amounts are lower than GDPR maximums, the CCPA’s per-record calculation can produce enormous aggregate penalties. A breach affecting 500,000 California consumers could yield $50 million to $375 million in statutory damages under the private right of action alone. For details on CCPA enforcement trends, see our article on CCPA penalties.
Data Transfers
GDPR: Transfers of personal data outside the EU/EEA are restricted under Chapter V of the GDPR. Transfers require an adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or another approved transfer mechanism. The Schrems II ruling invalidated the EU-US Privacy Shield, and the EU-US Data Privacy Framework that replaced it remains subject to ongoing legal scrutiny.
CCPA: There are no restrictions on international data transfers under the CCPA. The law regulates how data is collected, used, sold, and shared, but does not restrict where it is stored or processed geographically.
This means a US business receiving EU data must comply with GDPR transfer rules (SCCs, Data Privacy Framework certification), but a business receiving California data can process it anywhere without additional legal mechanisms.
Practical Compliance Strategy for Dual-Jurisdiction Businesses
If your website serves both EU and California users, here is a practical approach:
1. Start with GDPR compliance. The GDPR’s requirements are generally stricter. A GDPR-compliant privacy policy, consent mechanism, and data handling practice will satisfy most CCPA requirements.
2. Layer CCPA-specific elements. Add the disclosures and mechanisms the CCPA requires that the GDPR does not: the “Do Not Sell or Share” link, the 12-category disclosure framework, the sensitive personal information opt-out, and the annual update with date stamp.
3. Implement geolocation-based consent. Use a consent management platform that detects user location and applies the appropriate consent model: opt-in for EU visitors, opt-out rights for California visitors. WebLegal’s free cookie banner handles GDPR consent out of the box and can serve as the foundation for your multi-jurisdiction approach.
4. Maintain separate records. The GDPR requires Records of Processing Activities (Article 30). The CCPA requires documentation of consumer requests and responses. Maintain both.
5. Review vendor contracts. Ensure your contracts with data processors (GDPR) and service providers (CCPA) meet both frameworks’ requirements. The terminology differs, but the underlying obligation — controlling how third parties handle your users’ data — is the same.
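The following is an added example, not code from this article or from WebLegal: a small region-aware consent gate in JavaScript that implements the opt-in/opt-out split described in steps 1 to 3 and the timestamped choice record from step 4. The country and state inputs (assumed to come from an upstream geolocation header), the tracker list, and the three visitor cases are constructed for illustration; the EU/EEA list is the standard ISO 3166-1 alpha-2 set.

```javascript
"use strict";

// EU/EEA country codes (ISO 3166-1 alpha-2); EEA members apply the GDPR too.
const EU_EEA = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
  "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
  "SI", "ES", "SE", "IS", "LI", "NO",
]);

// Tag categories that need a consent decision. "essential" (strictly
// necessary cookies) is always allowed and needs no consent under either law.
const NON_ESSENTIAL = ["analytics", "marketing"];

// Pick the consent model for a visitor. `country` and `region` are assumed
// to be supplied by a server-side geolocation lookup (hypothetical source).
function consentModelFor(country, region) {
  if (EU_EEA.has(country)) return "opt-in";                 // GDPR: block until consent
  if (country === "US" && region === "CA") return "opt-out"; // CCPA: allowed by default
  // Assumption: unknown or other regions get the stricter model, because an
  // opt-in site also satisfies opt-out regimes while the reverse is not true.
  return "opt-in";
}

// Resolve which categories may run now. `storedChoice` is null when the user
// has not interacted yet, otherwise e.g. { analytics: true, marketing: false }.
function resolveConsent(model, storedChoice) {
  const allowed = { essential: true };
  for (const cat of NON_ESSENTIAL) {
    if (storedChoice && typeof storedChoice[cat] === "boolean") {
      allowed[cat] = storedChoice[cat];   // an explicit choice wins in both models
    } else {
      allowed[cat] = model === "opt-out"; // opt-out: on by default; opt-in: off
    }
  }
  // A blocking banner is only needed where consent must precede collection.
  return { model, allowed, bannerRequired: model === "opt-in" && storedChoice === null };
}

// Load only the trackers the resolved state permits. `loader` is injected so
// this runs outside a browser; in a page it would append <script> elements.
function loadPermittedTrackers(state, trackers, loader) {
  const loaded = [];
  for (const t of trackers) {
    if (state.allowed[t.category]) {
      loader(t.src);
      loaded.push(t.name);
    }
  }
  return loaded;
}

// Record the choice with a timestamp so the decision can be evidenced later
// (GDPR accountability; CCPA documentation of requests and responses).
function recordChoice(model, choice, now = new Date()) {
  return { model, choice: { ...choice }, recordedAt: now.toISOString() };
}

// --- Constructed sample inputs (not real visitors or real tag URLs) ---
const TRACKERS = [
  { name: "analytics-tag", category: "analytics", src: "https://example.invalid/a.js" },
  { name: "ads-pixel", category: "marketing", src: "https://example.invalid/p.js" },
];

function demo() {
  const injected = [];
  const loader = (src) => injected.push(src);

  // EU visitor, first visit: nothing non-essential loads and a banner is required.
  const eu = resolveConsent(consentModelFor("FR", ""), null);
  const euLoaded = loadPermittedTrackers(eu, TRACKERS, loader);

  // California visitor, first visit: trackers run by default, no blocking banner.
  const ca = resolveConsent(consentModelFor("US", "CA"), null);
  const caLoaded = loadPermittedTrackers(ca, TRACKERS, loader);

  // Same Californian after using "Do Not Sell or Share": marketing stops,
  // analytics (not a sale or share in this constructed setup) keeps running.
  const optOut = recordChoice("opt-out", { marketing: false });
  const caOptOut = resolveConsent(optOut.model, optOut.choice);
  const caOptOutLoaded = loadPermittedTrackers(caOptOut, TRACKERS, loader);

  return { eu, euLoaded, ca, caLoaded, caOptOutLoaded, injected };
}
```

The asymmetry the article describes falls out of `resolveConsent`: with no stored choice, the opt-in model yields `allowed.analytics === false`, while the opt-out model yields `true`; once a choice is stored, both models honour it. Persisting the `recordChoice` output (for example in a first-party cookie plus a server-side log) gives you the evidence trail step 4 asks for.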
For businesses that also need to understand how Canadian privacy law compares, our article on PIPEDA vs GDPR provides a similar analysis for the Canadian framework.
Conclusion
The GDPR and CCPA represent two distinct approaches to privacy regulation: European comprehensive consent versus Californian targeted transparency. Neither subsumes the other. A business serving users in both jurisdictions needs a compliance strategy that addresses the GDPR’s consent requirements, lawful basis framework, and data transfer restrictions alongside the CCPA’s specific disclosure categories, opt-out mechanisms, and per-violation penalty structure.
The cost of dual non-compliance is substantial. The cost of building a unified privacy strategy that satisfies both frameworks is manageable — and far lower than the enforcement risk of getting it wrong. Whether you engage specialized legal counsel or use a purpose-built compliance tool, the priority is to address both frameworks now rather than retroactively after an enforcement action.
For further reading on CCPA compliance, see our articles on CCPA penalties and what happens if you don’t comply and what your CCPA privacy policy needs.