ISpectra Technologies
Comparisons · Guide · Updated Jun 2026 · 9 min read

GDPR vs CCPA: Key Differences Explained

GDPR and California’s CCPA both protect personal data — but in very different ways. Here’s how they compare and how to satisfy both.


As privacy laws spread worldwide, the two most influential are the EU’s GDPR and California’s Consumer Privacy Act (CCPA), strengthened by the California Privacy Rights Act (CPRA). They share a goal — giving people control over their data — but differ in scope, mechanics and philosophy, which matters for any business pursuing GDPR compliance while also serving US customers.

This guide compares the two side by side and shows how to build a single programme that satisfies both without duplicating effort.

The short answer

GDPR and the CCPA (as amended by the CPRA) both protect personal information and grant individuals rights over their data — but they take fundamentally different approaches. GDPR is a comprehensive, rights-based regime that requires a lawful basis for all processing. The CCPA is a consumer-protection law focused on transparency and the right to opt out of the sale or sharing of data.

If you serve customers in both the EU and California, you generally need to satisfy both. The good news is that a strong GDPR programme covers much of what the CCPA asks, with some California-specific additions.

GDPR vs CCPA at a glance

The table below summarises the main differences. We unpack the most important ones below it.

| Aspect | GDPR (EU) | CCPA / CPRA (California) |
| --- | --- | --- |
| Who it protects | Anyone in the EU/EEA (“data subjects”) | California residents (“consumers”) |
| Who must comply | Any controller/processor handling EU data | For-profit businesses meeting size or revenue thresholds |
| Legal basis to process | Required (one of six lawful bases) | Not required; based on notice and opt-out |
| Consent model | Opt-in for many activities | Opt-out of “sale” or sharing of data |
| Core rights | Access, erasure, rectification, portability, object, restrict | Know, delete, correct, opt out of sale/sharing, limit sensitive data |
| Regulator | National DPAs / EDPB | California Privacy Protection Agency & Attorney General |
| Maximum penalty | €20m or 4% of global turnover | Civil penalties per violation (higher for those involving minors) |

Scope: who is protected and who must comply

GDPR protects anyone in the EU/EEA and applies to any organisation worldwide that targets or monitors them. The CCPA protects California residents and applies only to for-profit businesses that meet certain thresholds — broadly, significant revenue, large-scale data handling, or deriving substantial revenue from selling personal information.

This means a small EU-facing business can be fully in scope of GDPR while a similar business might fall below the CCPA thresholds. Always check the specific thresholds rather than assuming one maps onto the other.

Legal basis vs notice-and-opt-out

The biggest philosophical difference is here. GDPR requires you to identify a lawful basis — such as consent, contract or legitimate interests — before you process any personal data. Without one, the processing is unlawful.

The CCPA does not require a lawful basis. Instead it is built around transparency and choice: tell consumers what you collect and why, and give them the right to opt out of having their data sold or shared. In short, GDPR asks “do you have permission to do this?”, while the CCPA asks “have you told people and let them opt out?”.

Consent: opt-in vs opt-out

GDPR leans toward an opt-in model for many activities, particularly marketing and non-essential cookies: people must take a clear affirmative action. The CCPA generally uses an opt-out model — you can process and even sell data unless the consumer tells you to stop, signalled through a “Do Not Sell or Share My Personal Information” link.

For minors, the CPRA flips to opt-in for the sale of data, bringing it closer to GDPR. If you operate in both regimes, designing for opt-in by default is the safest way to satisfy both.

Individual rights compared

Both laws grant strong rights, with significant overlap. GDPR provides access, rectification, erasure, restriction, portability and objection. The CCPA/CPRA provides the rights to know, delete, correct, opt out of sale or sharing, and limit the use of sensitive personal information.

The practical implication is that a single, well-built data-subject-request workflow can usually serve both — you just need to map each incoming request to the correct legal framework and apply the right deadlines and exemptions.

Enforcement and penalties

GDPR fines reach up to €20 million or 4% of global annual turnover, whichever is higher, and are issued by national data protection authorities. The CCPA is enforced by the California Privacy Protection Agency and the state Attorney General, with civil penalties assessed per violation and higher amounts for violations involving minors.

The CCPA also gives consumers a limited private right of action for certain data breaches — something GDPR leaves largely to regulators and collective redress mechanisms.

Definitions: personal data vs personal information

Both definitions are broad, but they are framed differently. GDPR’s “personal data” is any information relating to an identified or identifiable person. The CCPA’s “personal information” is information that identifies, relates to, or could reasonably be linked with a consumer or household — the household concept is distinctive to California.

In practice both capture names, identifiers, online activity and more, so a data inventory built for one will largely serve the other, with minor adjustments for the household element and California’s sensitive-information category.

If you must comply with both

Most international businesses find that meeting GDPR gets them most of the way to CCPA, because GDPR’s requirements are generally stricter. The main additions for California are the “Do Not Sell or Share” mechanism, the right to limit use of sensitive information, recognising opt-out preference signals, and California-specific notice language.

Rather than running two programmes, build one privacy framework keyed to the stricter standard and layer jurisdiction-specific elements on top. ISpectra Technologies helps organisations design exactly that — a single, efficient programme that satisfies GDPR, the CCPA and other regimes at once.

Vendors: processors vs service providers

GDPR draws a sharp line between controllers and processors and requires a Data Processing Agreement (Article 28) with every processor. The CCPA uses the concept of a “service provider”: a vendor that processes personal information on your behalf under a contract restricting its use. Disclosing data to a genuine service provider is not treated as a “sale”, which is why these contracts matter so much under the CCPA.

In both regimes the practical takeaway is the same: paper your vendor relationships properly. A single, well-drafted data processing addendum can usually be structured to satisfy both the GDPR’s Article 28 requirements and the CCPA’s service-provider conditions.

The wider trend: build for the strictest standard

GDPR and the CCPA are the headline acts, but they are part of a much larger wave — Virginia, Colorado, Connecticut and many other US states now have their own laws, as do countries from Brazil to India. Building a separate programme for each is unsustainable.

The durable strategy is to anchor your privacy programme to the strictest standard you face — usually GDPR — and treat each new law as a thin configuration layer of notices, opt-out mechanisms and local nuances. That keeps you compliant today and ready for the laws coming tomorrow without rebuilding from scratch each time.

Where to start

If you are approaching both laws for the first time, start with a single data inventory: what personal information you hold, where it comes from, why you have it, and who you share it with. That one artefact underpins your GDPR records, your CCPA disclosures and your response to individual requests under either regime.

From there, layer on a lawful-basis assessment for GDPR and the notice-and-opt-out mechanics for the CCPA. A short expert review at this stage typically saves months of rework later.

Getting this right is a core part of practical GDPR compliance that pays off over time.

FAQ

GDPR vs CCPA — Frequently Asked Questions

No. Both protect personal data, but GDPR requires a lawful basis for all processing and leans opt-in, while the CCPA is built around notice and the right to opt out of data sale or sharing.

If you handle the data of both EU residents and California consumers and meet each law’s scope, yes. A strong GDPR programme covers much of the CCPA already.

No. The CCPA does not require a lawful basis. It relies on transparency and giving consumers the right to opt out, rather than up-front permission.

Chiefly the right to opt out of the sale or sharing of personal information and to limit the use of sensitive information, plus a limited private right of action for some breaches.

The California Privacy Protection Agency and the California Attorney General. GDPR is enforced by national data protection authorities, coordinated by the EDPB.

GDPR is generally stricter and broader, so meeting it usually covers most CCPA obligations, with some California-specific additions.