Why These Two Laws Dominate the Privacy Landscape
The General Data Protection Regulation (GDPR), enforced in the European Union since May 2018, and the California Consumer Privacy Act (CCPA), effective since January 2020, have together reshaped how organizations around the world collect, process, and share personal data.
If your organization handles data from EU residents or California consumers — even if you're headquartered elsewhere — these laws likely apply to you. Understanding how they differ is essential for building a compliant privacy program.
Scope: Who Do These Laws Cover?
GDPR
GDPR applies to any organization that processes the personal data of individuals located in the EU or EEA, regardless of where the organization itself is based. It covers both controllers (who determine the purpose of data processing) and processors (who process data on behalf of controllers).
CCPA / CPRA
The CCPA (as amended by the California Privacy Rights Act, CPRA) applies to for-profit businesses that do business in California and meet at least one of the following thresholds:
- Has annual gross revenues exceeding $25 million
- Buys, sells, or shares the personal information of 100,000+ consumers or households annually
- Derives 50% or more of its annual revenue from selling or sharing consumers' personal information
Consent: Opt-In vs. Opt-Out
This is one of the most significant practical differences between the two laws:
| Aspect | GDPR | CCPA/CPRA |
|---|---|---|
| Default model | Opt-in (affirmative consent required for most processing) | Opt-out (data can be sold unless consumer objects) |
| Consent for minors | Age 16 (or lower if member state permits, minimum 13) | Affirmative consent required to sell data of consumers under 16; parental consent required under 13 |
| Withdrawal of consent | Must be as easy as giving consent | Right to opt out at any time via "Do Not Sell" link |
| Sensitive data | Explicit consent required for special categories | Opt-in required for sensitive personal information (CPRA) |
Individual Rights Under Each Law
Rights Under GDPR
- Right to access your data
- Right to rectification (correction of inaccurate data)
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to object to processing
- Rights related to automated decision-making and profiling
Rights Under CCPA/CPRA
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt out of the sale or sharing of personal information
- Right to non-discrimination for exercising privacy rights
- Right to correct inaccurate personal information (CPRA addition)
- Right to limit use of sensitive personal information (CPRA addition)
Enforcement and Penalties
GDPR penalties are among the steepest in any regulatory framework: up to €20 million or 4% of global annual turnover, whichever is higher. Enforcement actions have been issued against major tech companies for hundreds of millions of euros.
CCPA/CPRA civil penalties are up to $2,500 per unintentional violation and $7,500 per intentional violation, enforced by the California Privacy Protection Agency (CPPA). Consumers also have a private right of action for certain data breaches.
What Compliance Looks Like in Practice
- Conduct a data inventory to understand what personal data you collect and why
- Update your privacy policy to reflect rights under both laws if you serve EU and California users
- Implement consent management mechanisms appropriate to each law's standard
- Build workflows to respond to data subject/consumer requests within required timeframes (30 days under GDPR; 45 days under CCPA)
- Train staff who handle personal data on compliance obligations
- Review vendor and data processor agreements for compliance alignment
Bottom Line
GDPR and CCPA share the same underlying goal — giving individuals meaningful control over their personal data — but they take different approaches. GDPR casts a wider net and demands more affirmative action from organizations. CCPA focuses on transparency and the right to opt out. Organizations serving both audiences need a privacy program robust enough to satisfy the stricter requirements of each.