If your website serves users in both the European Union and California, you are likely subject to two of the world’s most influential privacy regulations: the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). While both laws aim to protect personal data, they differ fundamentally in their approach, scope, and enforcement. Understanding these differences is not optional — it is essential for building a compliance strategy that satisfies both frameworks without unnecessary duplication or gaps.
Philosophical Foundations: Opt-In vs Opt-Out
The most fundamental difference between the GDPR and the CCPA lies in their default consent model.
The GDPR operates on an opt-in basis. Under Article 6 of the GDPR, every processing activity needs a lawful basis before collection starts. Where marketing, profiling, or analytics rely on consent, that consent must meet the GDPR standard (freely given, specific, informed, and unambiguous, per Article 4(11) and Article 7) and must exist before the data is collected. The rule that non-essential cookies and similar tracking technologies cannot be placed without prior consent comes from Article 5(3) of the ePrivacy Directive, which borrows the GDPR's definition of consent. In practice, when a European user first visits your website, you cannot set non-essential cookies, fire tracking pixels, or collect behavioral data until the user affirmatively opts in.
The CCPA operates on an opt-out basis. Businesses may collect and use personal information without obtaining prior consent (with certain exceptions for minors under 16). Instead, the CCPA gives consumers the right to opt out of the sale or sharing of their personal information after the fact. The business must provide a “Do Not Sell or Share My Personal Information” link, but it can process data by default until the consumer exercises that right.
This distinction has profound practical implications. A GDPR-compliant website that blocks all tracking until consent is given will also satisfy the CCPA's less restrictive consent requirements (its separate disclosure and opt-out obligations still apply). But a CCPA-compliant website that tracks users by default and relies on opt-out will violate the GDPR if it serves European users without prior consent.
Scope and Applicability
Who is protected
GDPR: Any “data subject” who is in the European Union, regardless of nationality or residence. A US tourist browsing a website while visiting Paris is protected by the GDPR during that visit. The regulation protects individuals (natural persons), not businesses.
CCPA: California “consumers,” defined as natural persons who are California residents. The protection follows the person’s residency, not their physical location. A California resident browsing a website while on vacation in Tokyo is still protected by the CCPA.
Which businesses must comply
GDPR: Any organization established in the EU, and any organization anywhere else in the world that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior (Article 3). There is no revenue threshold and no data volume minimum. A one-person blog that collects email addresses from EU visitors it targets must comply.
CCPA: For-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue over $25 million (a figure the CPPA adjusts for inflation every two years); buying, selling, or sharing personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenue from selling or sharing personal information (Cal. Civ. Code section 1798.140(d)). Non-profits and government entities are exempt.
This difference means the GDPR has a much broader reach. A small online shop with a handful of EU customers is subject to the GDPR, while the same business might fall below all CCPA thresholds and be exempt from California law.
For a deeper dive into CCPA-specific requirements, read our guide on what your CCPA privacy policy must include.
Definition of Personal Data
GDPR: “Personal data” means any information relating to an identified or identifiable natural person (Article 4(1)). This includes names, email addresses, IP addresses, cookie identifiers, location data, online identifiers, and even pseudonymized data if re-identification is possible.
CCPA: “Personal information” is defined more broadly in some respects, covering information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (Cal. Civ. Code section 1798.140(v)). The addition of “household” extends coverage beyond the individual. However, publicly available information is explicitly excluded from the CCPA’s definition, while the GDPR makes no such exclusion.
Both laws cover the same core categories (names, emails, IP addresses, device identifiers, browsing history, purchase records), but the CCPA’s household-level scope and the GDPR’s inclusion of publicly available data create divergences that matter in practice.
Consumer/Data Subject Rights
Both laws grant individuals rights over their personal data, but the specifics differ:
| Right | GDPR | CCPA/CPRA |
|---|---|---|
| Right to access/know | Article 15: right to obtain confirmation and a copy of all personal data | Sections 1798.110 and 1798.115: right to know categories and specific pieces collected, and the categories sold or shared; by default the look-back is 12 months, but data collected after January 1, 2022 can be requested beyond that unless it is impossible or disproportionate |
| Right to delete | Article 17: right to erasure (“right to be forgotten”) with broad exceptions | Section 1798.105: right to delete with specified exceptions |
| Right to portability | Article 20: right to receive data in a structured, machine-readable format | No standalone right, but data delivered under the right to know must be in a portable and readily usable format (Section 1798.100(d)) |
| Right to correction | Article 16: right to rectification | Section 1798.106 (added by CPRA): right to correct inaccurate information |
| Right to opt out of sale | No direct equivalent; Article 7(3) (withdrawal of consent) and Article 21 (right to object) cover similar ground | Section 1798.120: right to opt out of sale and sharing |
| Right to limit sensitive data use | Article 9: special categories require explicit consent or another listed condition | Section 1798.121 (CPRA): right to limit use of sensitive personal information |
| Right to non-discrimination | No standalone right; Article 7(4) (consent must be freely given, not a condition of service) serves a similar purpose | Section 1798.125: explicit prohibition on discriminating against consumers who exercise rights |
| Response time | 1 month, extendable by 2 further months for complex or numerous requests | 45 days, extendable once by a further 45; opt-out requests must be honored within 15 business days |
The GDPR’s rights are generally broader and more established through years of case law and regulatory guidance. The CCPA’s rights are more specifically defined in statute but newer and still evolving through CPPA rulemaking — see our breakdown of the seven 2026 CCPA changes for the latest enforceable requirements around automated decision-making, GPC signals and sensitive data.
What changed in 2026
The CCPA-GDPR comparison shifted materially on January 1, 2026, with three convergent developments that website operators must factor into any dual-jurisdiction strategy.
GPC is a binding signal under §7025. Section 7025 of the CCPA regulations requires businesses to treat an opt-out preference signal such as the Global Privacy Control (GPC), which a browser sends as the HTTP header “Sec-GPC: 1” and exposes to page scripts as the “navigator.globalPrivacyControl” property, as a valid request to opt out of the sale or sharing of personal information. The business must process that signal automatically, without requiring the consumer to click a “Do Not Sell or Share My Personal Information” link. This obligation is not new to 2026: it has been enforceable since the regulations took effect in 2023, it was central to the Attorney General's 2022 Sephora settlement, and the regulations as amended effective January 2026 retain it. Ignoring GPC is itself an enforceable CCPA violation. The GDPR has no equivalent technical mandate, although some EU regulators have recommended honoring such signals as part of a layered consent approach.
CPPA enforcement coordination is intensifying. The California Privacy Protection Agency (CPPA) — the dedicated regulator created by the CPRA — has publicly announced enforcement actions in 2024 and 2025, targeting businesses for deficient opt-out mechanisms, inadequate privacy disclosures, and violations involving minors. The CPPA increasingly coordinates with the California Attorney General and other state regulators, signaling a more aggressive enforcement posture than the early “warning letter” phase of CCPA.
Multi-state coordination is now the norm. Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Texas (TDPSA), Utah (UCPA), Oregon (OCPA), Tennessee (TIPA) and Iowa have converged on similar mechanics: consumer rights to access, delete and correct, opt-out rights, and disclosure obligations. Several of them (Colorado, Connecticut, Texas and Oregon among others) also require honoring universal opt-out signals such as GPC; Virginia, Utah, Iowa and Tennessee do not. A privacy program designed for the CCPA in 2026 increasingly satisfies the other state laws as well, but the inverse is not true: CCPA-specific elements (the GPC §7025 mandate, the ADMT opt-out, sensitive personal information disclosures) remain distinctively Californian.
For a deeper breakdown of what specifically changed in California, see our analysis of the seven 2026 CCPA changes for your website. For parallel views of the other major Anglo-Saxon frameworks, see our coverage of the UK Data (Use and Access) Act and what changes in 2026, and note that Australian small businesses face a December 2026 deadline when the Privacy Act exemption is removed. For penalty-side details, our updated guide on CCPA penalties — what happens if you don’t comply walks through the post-§7025 enforcement landscape.
Legal Bases for Processing
This is where the two frameworks diverge most sharply.
GDPR: Article 6 requires one of six lawful bases for every processing activity: consent, contract performance, legal obligation, vital interests, public task, or legitimate interests. The choice of lawful basis must be documented and disclosed to data subjects. For special categories of data (Article 9), an additional condition must be met, typically explicit consent.
CCPA: There is no concept of “lawful basis” in the CCPA. Businesses may collect and process personal information for any disclosed business purpose. The law regulates disclosure and opt-out rights rather than requiring affirmative justification for each processing activity. This is a fundamentally different regulatory architecture.
For businesses subject to both laws, the GDPR’s lawful basis requirements effectively become the governing standard, since you must establish a lawful basis for EU data subjects regardless of what the CCPA permits.
Enforcement and Penalties
GDPR enforcement
Enforcement is carried out by data protection authorities (DPAs) in each EU member state. Maximum penalties under Article 83 are, in each tier, whichever of the two figures is higher:
- Up to EUR 10 million or 2% of annual global turnover for lesser infringements
- Up to EUR 20 million or 4% of annual global turnover for serious violations
Major enforcement actions have reached hundreds of millions of euros. DPAs can also issue orders to cease processing, ban data transfers, and require specific remediation measures.
CCPA enforcement
Enforcement is shared between the California Attorney General and the California Privacy Protection Agency (CPPA):
- Up to $2,500 per unintentional violation
- Up to $7,500 per intentional violation or violation involving minors
- Private right of action for data breaches: $100 to $750 per consumer per incident in statutory damages, or actual damages if greater (Section 1798.150). It applies only to breaches of nonencrypted and nonredacted personal information caused by a failure to maintain reasonable security, which is why encryption at rest and in transit directly shrinks this exposure.
While the per-violation amounts are lower than GDPR maximums, the CCPA's per-record calculation can produce enormous aggregate penalties. A breach affecting 500,000 California consumers could yield $50 million to $375 million in statutory damages under the private right of action alone. For details on CCPA enforcement trends, see our article on CCPA penalties.
Data Transfers
GDPR: Transfers of personal data outside the EU/EEA are restricted under Chapter V of the GDPR. Transfers require an adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or another approved transfer mechanism. The Schrems II ruling invalidated the EU-US Privacy Shield, and the EU-US Data Privacy Framework that replaced it remains subject to ongoing legal scrutiny.
CCPA: There are no restrictions on international data transfers under the CCPA. The law regulates how data is collected, used, sold, and shared, but does not restrict where it is stored or processed geographically.
This means a US business receiving EU data must comply with GDPR transfer rules (SCCs, Data Privacy Framework certification), but a business receiving California data can process it anywhere without additional legal mechanisms.
Practical Compliance Strategy for Dual-Jurisdiction Businesses
If your website serves both EU and California users, here is a practical approach:
1. Start with GDPR compliance. The GDPR’s requirements are generally stricter. A GDPR-compliant privacy policy, consent mechanism, and data handling practice will satisfy most CCPA requirements.
2. Layer CCPA-specific elements. Add the disclosures and mechanisms the CCPA requires that the GDPR does not: the “Do Not Sell or Share” link, the 12-category disclosure framework, the sensitive personal information opt-out, and the annual update with date stamp.
3. Implement geolocation-based consent. Use a consent management platform that detects user location and applies the appropriate consent model: opt-in for EU visitors, opt-out rights (including automatic handling of the GPC signal) for California visitors. Geolocation is imperfect (VPNs, proxies, mobile carrier gateways), so fall back to the stricter opt-in model whenever the location is unknown or uncertain. WebLegal's free cookie banner handles GDPR consent out of the box and can serve as the foundation for your multi-jurisdiction approach.
4. Maintain separate records. The GDPR requires Records of Processing Activities (Article 30). The CCPA requires documentation of consumer requests and responses. Maintain both.
5. Review vendor contracts. Ensure your contracts with data processors (GDPR) and service providers (CCPA) meet both frameworks’ requirements. The terminology differs, but the underlying obligation — controlling how third parties handle your users’ data — is the same.
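The following is an added example written for this article, not WebLegal's product code or anything taken from the GDPR or the CCPA regulations. It shows the decision logic behind step 3 and the GPC discussion in “What changed in 2026”: detect the Global Privacy Control signal from either the “Sec-GPC” header or the “navigator.globalPrivacyControl” property, pick the consent model from the visitor's region, and decide whether non-essential tracking and sale/sharing may proceed. The region codes, consent states, and the sample request are hypothetical inputs assumed to be supplied by your geo-IP layer and consent store.

```javascript
// Added example for this article (illustrative; not the article's or WebLegal's code).
// Assumed inputs (hypothetical): a region code such as "DE" or "US-CA" from a
// geo-IP/CMP layer, and a consent state from your consent store, one of
// "unset" | "granted" | "denied" | "opted-out".

// EU member states plus the EEA countries (IS, LI, NO), where the GDPR applies.
const EU_EEA = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
  "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
  "SE", "IS", "LI", "NO",
]);

// Regions with an opt-out model and a mandatory opt-out preference signal.
// Only California is listed; add other states only after checking their rules.
const OPT_OUT_REGIONS = new Set(["US-CA"]);

// Detect GPC. Browsers send the HTTP header "Sec-GPC: 1" and expose
// navigator.globalPrivacyControl === true; either source counts as a signal.
function hasGpc(headers = {}, nav = null) {
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === "sec-gpc",
  );
  if (entry && String(entry[1]).trim() === "1") return true;
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Map a region code to the consent model the article describes. Unknown or
// missing location falls back to opt-in, the stricter model (VPNs, proxies).
function consentModel(region) {
  if (!region) return "opt-in";
  const upper = region.toUpperCase();
  const country = upper.split("-")[0];
  if (EU_EEA.has(country)) return "opt-in";
  if (OPT_OUT_REGIONS.has(upper)) return "opt-out";
  return "none";
}

// Decide what may run for this visitor. Returns flags a tag manager or
// server-side tracking pipeline can act on.
function trackingDecision({ region, consent = "unset", gpc = false }) {
  const model = consentModel(region);
  const d = {
    model,
    allowNonEssential: false, // analytics, marketing pixels, behavioral data
    allowSaleOrSharing: false, // passing data to ad-tech / data brokers
    persistOptOut: false, // store GPC as an opt-out request (no click required)
    reason: "",
  };

  if (model === "opt-in") {
    // GDPR + ePrivacy: nothing non-essential runs before affirmative consent.
    d.allowNonEssential = consent === "granted";
    // Design choice, stricter than either law requires: a GPC signal from an
    // opt-in-region visitor still blocks sale/sharing even after consent.
    d.allowSaleOrSharing = d.allowNonEssential && !gpc;
    d.reason = d.allowNonEssential ? "prior consent on record" : "no prior consent";
  } else if (model === "opt-out") {
    // CCPA: processing is allowed by default; sale/sharing must stop once the
    // consumer opts out, and §7025 makes GPC count as that opt-out request.
    const optedOut = gpc || consent === "opted-out";
    d.allowNonEssential = consent !== "denied";
    d.allowSaleOrSharing = d.allowNonEssential && !optedOut;
    d.persistOptOut = gpc && consent !== "opted-out";
    d.reason = optedOut
      ? gpc ? "GPC signal received" : "consumer opted out"
      : "opt-out not exercised";
  } else {
    // No specific regime: honoring GPC anyway is cheap and avoids surprises
    // when a state law later requires it.
    d.allowNonEssential = consent !== "denied";
    d.allowSaleOrSharing = d.allowNonEssential && !gpc;
    d.reason = "no specific regime; GPC honored anyway";
  }
  return d;
}

// Glue for a request-like object whose region and consent fields were set
// upstream by the (assumed) geo-IP and consent-store middleware.
function decideForRequest(req) {
  return trackingDecision({
    region: req.region,
    consent: req.consent,
    gpc: hasGpc(req.headers || {}),
  });
}

// Constructed sample request: a California visitor whose browser sends GPC and
// who has never clicked the opt-out link. §7025 says this is already an opt-out.
const sampleRequest = {
  headers: { "Sec-GPC": "1", "User-Agent": "ExampleBrowser/1.0" },
  region: "US-CA",
  consent: "unset",
};
const sampleDecision = decideForRequest(sampleRequest);
```

In the sample, the decision allows non-essential processing (the CCPA default) but denies sale or sharing and flags the GPC signal for persistence as an opt-out request, which is the behavior §7025 expects without any click on the “Do Not Sell or Share” link. The same French visitor with no consent record gets nothing non-essential at all, which is the GDPR side of the article's point.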
For businesses that also need to understand how Canadian privacy law compares, our article on PIPEDA vs GDPR provides a similar analysis for the Canadian framework.
Conclusion
The GDPR and CCPA represent two distinct approaches to privacy regulation: European comprehensive consent versus Californian targeted transparency. Neither subsumes the other. A business serving users in both jurisdictions needs a compliance strategy that addresses the GDPR’s consent requirements, lawful basis framework, and data transfer restrictions alongside the CCPA’s specific disclosure categories, opt-out mechanisms, and per-violation penalty structure.
The cost of dual non-compliance is substantial. The cost of building a unified privacy strategy that satisfies both frameworks is manageable — and far lower than the enforcement risk of getting it wrong. Whether you engage specialized legal counsel or use a purpose-built compliance tool, the priority is to address both frameworks now rather than retroactively after an enforcement action.
For further reading on CCPA compliance, see our articles on CCPA penalties and what happens if you don’t comply and what your CCPA privacy policy needs.
Further reading
If you want to dig deeper:
- CCPA 2026: seven new changes for your website — what changed this year in California