GDPR vs CCPA: What's the Difference?
The complete guide to understanding the world's two most important privacy laws. Which applies to you, and what you need to do.
The 30-Second Summary
GDPR (EU)
- Opt-in consent required
- Applies to any size organization
- Fines up to 4% of global revenue
- Stricter, more comprehensive
CCPA (California)
- Opt-out model (collect by default)
- Only businesses meeting thresholds
- Fines up to $7,500 per violation
- More business-friendly
Complete Side-by-Side Comparison
| Aspect | GDPR | CCPA/CPRA |
|---|---|---|
| Jurisdiction | European Union (27 countries + EEA) | California, USA |
| Effective Date | May 25, 2018 | January 1, 2020 (CPRA: Jan 1, 2023) |
| Who It Applies To | Any organization processing EU residents' data | For-profit businesses meeting revenue/data thresholds |
| Revenue Threshold | None - applies to all sizes | $25M+ revenue OR 100K+ consumers OR 50%+ revenue from data sales |
| Legal Basis Required | Yes - must have lawful basis (consent, contract, etc.) | No - opt-out model instead |
| Consent Model | Opt-in (explicit consent required) | Opt-out (can collect unless consumer opts out) |
| Right to Delete | Yes - "Right to Erasure" | Yes - with some exceptions |
| Right to Access | Yes - within 30 days | Yes - within 45 days |
| Data Portability | Yes - machine-readable format | Yes - but less specific |
| Private Right of Action | Yes - can sue for damages | Limited - only for data breaches |
| Maximum Penalty | €20M or 4% global revenue | $7,500 per intentional violation |
| DPO Required | Yes - for certain organizations | No |
| Data Breach Notification | 72 hours to authority | No specific timeframe (general CA law applies) |
Key Differences That Matter
Consent Model
GDPR (opt-in): You must get explicit consent BEFORE collecting personal data. No pre-checked boxes.
CCPA (opt-out): You can collect data by default, but must provide a "Do Not Sell My Personal Information" link.
Who Must Comply
GDPR: ANY organization worldwide that processes EU residents' data, regardless of size.
CCPA: Only for-profit businesses meeting specific thresholds ($25M revenue, 100K consumers, or 50% data revenue).
Penalties
GDPR: Up to €20 million or 4% of global annual revenue (whichever is higher). Meta was fined €1.2B in 2023.
CCPA: $2,500 per unintentional violation, $7,500 per intentional violation. No percentage-based fines.
Enforcement
GDPR: Enforced by Data Protection Authorities in each EU country. Active enforcement with major fines.
CCPA: Enforced by the California Attorney General. Less aggressive enforcement so far.
Does This Law Apply to You?
GDPR Applies If...
- You have customers or users in the EU
- You offer goods/services to EU residents (even for free)
- You monitor behavior of people in the EU
- You have employees in the EU
- You process data on behalf of EU-based companies
Any ONE of these triggers GDPR compliance
CCPA Applies If...
- You do business in California
- You have $25M+ annual gross revenue
- You buy/sell/share data of 100,000+ California consumers
- You derive 50%+ of revenue from selling consumer data
- You're a data broker registered in California
Must do business in CA AND meet at least one threshold
Real Penalties Are Being Enforced
GDPR Fines (2023-2024):
- Meta: €1.2 billion
- Amazon: €746 million
- TikTok: €345 million
CCPA Enforcement:
- Sephora: $1.2 million settlement
- DoorDash: Investigation ongoing
- 100+ enforcement actions since 2020
Frequently Asked Questions
Do I need to comply with both GDPR and CCPA?
If you have customers in both the EU and California, yes. Many companies create a unified privacy program that meets both requirements. GDPR compliance often covers most CCPA requirements, but not vice versa.
Which law is stricter: GDPR or CCPA?
GDPR is generally stricter. It requires opt-in consent, applies to all organization sizes, has higher penalties (up to 4% of global revenue), and requires a Data Protection Officer for certain organizations.
What happens if I ignore these laws?
GDPR: Fines up to €20M or 4% of global revenue. Amazon was fined €746M, Meta €1.2B. CCPA: $2,500-$7,500 per violation, plus consumers can sue for data breaches ($100-$750 per incident).
Do these laws apply to B2B companies?
GDPR applies to all personal data, including B2B contacts. CCPA originally excluded B2B data but CPRA (effective 2023) now includes it. Both laws apply if you process individual contact information.
What's the difference between CCPA and CPRA?
CPRA (California Privacy Rights Act) is the 2023 amendment to CCPA. It added new rights (correction, limiting sensitive data use), created the California Privacy Protection Agency, and removed the B2B exemption.
How do I know if GDPR applies to my US company?
GDPR applies if you: offer goods/services to EU residents (even free), monitor EU residents' behavior (analytics, tracking), or process EU personal data for EU-based clients. Having a .eu domain or EU-language website is strong evidence.
Find Out Which Privacy Laws Apply to You
Take our free compliance check and get a personalized report in under 30 minutes.
Ready to Get Compliant?
Start your compliance journey with HAIEC. Free assessment, automated evidence, audit-ready documentation.