GDPR vs CCPA — Key Differences and What Overlaps
If your website has users in both the EU and California, you are subject to two major privacy regulations. The good news: the overlap is significant, and a well-designed compliance setup handles both. Both regulations affect how you handle cookies and third-party tracking, though GDPR's opt-in consent requirement is the stricter of the two.
Quick summary
GDPR (General Data Protection Regulation) is the EU's comprehensive privacy law, effective May 2018. CCPA (California Consumer Privacy Act) is California's privacy law, effective January 2020, amended by CPRA in 2023. Both give individuals rights over their personal data and impose obligations on organisations that collect it. GDPR also has a more robust concept of legitimate interests as a lawful basis for processing, which CCPA lacks.
Side-by-side comparison
| Topic | GDPR (EU) | CCPA (California) |
|---|---|---|
| Jurisdiction | EU/EEA residents. Applies to any organisation worldwide that targets or monitors EU residents. | California residents. Applies to for-profit businesses meeting certain thresholds (revenue, data volume, or data sales). |
| Legal basis for processing | Must have one of six lawful bases (consent, contract, legitimate interests, etc.). Consent required for non-essential cookies. | Does not require a lawful basis; processing is allowed unless the consumer opts out. Opt-in required only for minors under 16. |
| Consumer rights | Right to access, erasure, rectification, portability, restriction, and objection. Plus the right not to be subject to automated decisions. | Right to know, delete, opt out of sale/sharing, correct, and limit use of sensitive personal information. |
| Privacy policy | Required. Must cover lawful basis, data retention periods, international transfers, and user rights. | Required. Must include a "Do Not Sell or Share My Personal Information" link and the categories of data collected. |
| Cookie consent | Opt-in required for non-essential cookies. Equal prominence for Accept/Reject. | No cookie consent requirement per se, but requires an opt-out of data sales. "Do Not Sell" applies to third-party tracking cookies. |
| Fines | Up to €20M or 4% of global annual revenue, whichever is higher. | $100–$750 per consumer per incident for data breaches. $2,500–$7,500 per intentional violation (enforced by the CA AG). |
| Who is exempt | No general business size exemption. Some lighter obligations for organisations with fewer than 250 employees. | Exempt if: revenue under $25M/year, AND process data of fewer than 100K consumers, AND don't derive 50%+ of revenue from selling data. |
What you can share between both
If you build GDPR-first, you will already satisfy most CCPA requirements with minimal extra work. The following pieces carry over directly:
- Privacy policy: covers both (add CCPA-specific sections)
- Data deletion mechanism: satisfies both the right to erasure (GDPR) and the right to delete (CCPA)
- Data inventory: knowing what you collect satisfies both regulations' transparency requirements
- Vendor agreements: Data Processing Agreements (GDPR) and service provider agreements (CCPA) are equivalent concepts
- Cookie consent: opt-in (GDPR) is stricter than opt-out (CCPA), so GDPR compliance covers CCPA here
What you need to add for CCPA specifically
- "Do Not Sell or Share My Personal Information" link in your footer (if you share data with third-party advertisers)
- CCPA-specific privacy policy section listing categories of data and sources
- Opt-in mechanism for selling personal information of consumers aged 13–16
- Separate "Limit the Use of My Sensitive Personal Information" option (CPRA 2023 amendment)
CCPA support on fixGDPR
fixGDPR currently scans for GDPR and ePrivacy compliance. CCPA-specific checks — including "Do Not Sell" link detection and California-specific consent flows — are on the roadmap and will be released as part of Phase 2.
Check your GDPR compliance now — free
Get a scored GDPR compliance report in 30 seconds. Covers SSL, cookie banners, privacy policy, and more.