GDPR vs CCPA: Building a Dual Privacy Program
Privacy compliance documents and data protection regulations on desk with laptop
A unified compliance program covering both GDPR and CCPA reduces duplication and audit risk.
The Compliance Reality in 2026
In May 2023, the Irish Data Protection Commission fined Meta EUR 1.2 billion for unlawful data transfers to the United States. In October 2024, LinkedIn received a EUR 310 million fine for unlawful behavioral advertising. By 2025, cumulative GDPR fines had surpassed EUR 5.8 billion across all EU member states. On the California side, the California Privacy Protection Agency (CPPA) has accelerated enforcement since taking over primary authority in July 2023, issuing settlements including $1.35 million against Tractor Supply Company and $632,500 against American Honda Motor Co.

These numbers tell a clear story: both regulators are enforcing aggressively, and companies operating across jurisdictions cannot afford to treat compliance as a one-region exercise. The CCPA, effective January 1, 2020, and amended significantly by the California Privacy Rights Act (CPRA) effective January 1, 2023, now runs alongside the GDPR as two of the most influential data privacy frameworks in the English-speaking world. As we explored in our GDPR Compliance Checklist for 2026, the paper trail around controls now matters as much as the controls themselves.
The good news: approximately 80% of what the CCPA requires is already covered if you build a solid GDPR program, according to the GDPR & CCPA Compliance Checklist 2026 published by Free Gap Assessment. The challenge lies in the remaining 20% where the two laws diverge sharply in philosophy, scope, consent models, and enforcement mechanisms.
Scope and Applicability: Who Must Comply
The GDPR and CCPA take fundamentally different approaches to determining which organizations fall under their jurisdiction.
GDPR: Broad Extraterritorial Reach
The GDPR applies to any organization, regardless of location, that processes personal data of individuals in the European Economic Area. Under Article 3, this includes organizations that offer goods or services to EEA individuals or monitor their behavior within the EEA. A Chicago-based SaaS company with EU customers falls under the GDPR. A Japanese manufacturer whose website targets EU consumers falls under the GDPR. There is no revenue threshold and no minimum number of affected individuals. Organizations outside the EU must appoint an EU representative under Article 27 unless a narrow exception applies.
CCPA/CPRA: Threshold-Based Applicability
The CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of three thresholds:
- Annual gross revenues exceeding $25 million (adjusted to $26.6 million for 2026 per CPI adjustments)
- Buying, selling, receiving, or sharing for commercial purposes the personal information of 100,000 or more consumers or households per year
- Deriving 50% or more of annual revenues from selling or sharing consumers’ personal information
Nonprofit organizations and government agencies fall entirely outside CCPA scope. The GDPR, by contrast, covers virtually all organizations that handle personal data, including nonprofits and public bodies, with narrow exceptions for purely personal or household activities.
Territorial Scope Comparison
| Dimension | GDPR | CCPA/CPRA |
|---|---|---|
| Geographic scope | Global (any organization with EU/EEA data subjects) | California residents + extraterritorial for covered businesses |
| Revenue threshold | None | $25 million annual gross revenue |
| Size threshold | Any size business | 100,000+ consumers or households |
| Nonprofit exemption | No | Yes |
| Employee data coverage | Fully covered | Covered (CPRA removed temporary exemptions as of Jan 2023) |
Consent Models: Opt-In vs Opt-Out
This is the sharpest philosophical divide between the two frameworks. The GDPR is a permission-based system. The CCPA is an activity-based system with consumer opt-out rights.
GDPR: Permission-Based Opt-In
Under the GDPR, organizations cannot process personal data without first establishing one of six lawful bases under Article 6: consent, contract, legal obligation, vital interests, public task, or legitimate interests. The lawful basis must be identified and documented before processing begins. Where consent is the chosen basis, Article 7 demands it be freely given, specific, informed, and unambiguous. Pre-checked boxes, silence, and bundled consents are invalid. For special-category data under Article 9 (health, biometrics, racial origin, political opinions, sexual orientation), explicit consent or another specific legal ground is required.
GDPR consent must be as easy to withdraw as it is to give. Organizations must maintain consent records and audit logs sufficient to prove validity if challenged by a DPA or an individual.
CCPA/CPRA: Notice-and-Opt-Out
The CCPA follows an opt-out model for most processing. Businesses may collect and use personal information without prior consent but must: (1) disclose their data practices in a privacy notice, (2) provide a “Do Not Sell or Share My Personal Information” link, and (3) honor consumer opt-out requests. The CPRA added the right to limit use of sensitive personal information, which functions as a targeted opt-out.
Two notable opt-in exceptions exist: businesses must obtain opt-in consent before selling or sharing personal information of consumers known to be under 16 years old (with parental consent for those under 13), and opt-in consent is required to re-engage a consumer who has opted out for at least 12 months.
As of 2026, the CPPA requires businesses to honor Global Privacy Control (GPC) browser signals automatically as opt-out requests for sale/sharing, without requiring any additional consumer action. The CPPA has already issued fines for GPC non-compliance.
Consent Model Comparison
| Dimension | GDPR | CCPA/CPRA |
|---|---|---|
| Default posture | Processing prohibited until lawful basis established | Processing permitted; consumer can opt out |
| Consent for marketing | Generally required (opt-in) | Not required (but must allow opt-out) |
| Children’s data | Parental consent under 16 (member states may lower to 13) | Opt-in required for sale/sharing of under-16 data |
| Sensitive data | Explicit consent or specific exemption (Art. 9) | Right to limit use (opt-out model) |
| GPC/browser signals | No equivalent | Mandatory honor (2026 CPPA enforcement) |
| Re-engagement after opt-out | No equivalent provision | 12-month wait before re-asking |

Consumer Rights Side by Side
Both laws grant individuals a suite of privacy rights, but GDPR’s rights are broader and the grounds for exceptions are narrower.
Rights Comparison Table
| Right | GDPR | CCPA/CPRA |
|---|---|---|
| Right to know / access | Yes (Art. 15) | Yes (expanded by CPRA to cover 12 months) |
| Right to delete / erasure | Yes (Art. 17) | Yes (with more business exceptions) |
| Right to rectification / correction | Yes (Art. 16) | Yes (added by CPRA effective Jan 2023) |
| Right to data portability | Yes (Art. 20) | Yes (added by CPRA) |
| Right to restrict processing | Yes (Art. 18) | Limited to sensitive PI |
| Right to object | Yes (Art. 21) | No direct equivalent |
| Right to opt out of sale/sharing | No “sale” concept | Yes, core CCPA right |
| Right to non-discrimination | General equality principles | Explicit right; incentive programs permitted with disclosure |
| Automated decision-making | Right to human review (Art. 22) | Right to opt out of ADMT (CPRA + 2025/2026 regulations) |
| Response time | 1 month (extendable to 3) | 45 days (extendable to 90) |
Key Divergences in Rights
The GDPR’s Article 22 right against solely automated decisions is stronger in one respect: it applies by default and requires affirmative justification to override it. The CCPA/CPRA right to opt out of automated decision-making technology (ADMT) is an opt-out right; businesses using ADMT may continue until a consumer exercises the opt-out. Full ADMT enforcement under 2026 CPPA regulations begins January 2027 for existing systems, but new systems deployed after January 2026 must comply immediately.
The right to rectification under the GDPR (Article 16) has a direct parallel in the CPRA’s right to correction, which took effect January 2023. The right to restrict processing under the GDPR (Article 18) has no equivalent under the CCPA; consumers must either opt out of sale/sharing or request deletion instead.
Enforcement and Penalties
The enforcement structures of the two laws reflect their different jurisdictional foundations, but both are increasingly active.
GDPR Enforcement
The GDPR is enforced by independent Data Protection Authorities in each EU/EEA member state. Article 83 establishes a two-tier penalty structure:
- Lower tier (up to EUR 10 million or 2% of global annual turnover): violations of data controller and processor obligations, certification rules, and monitoring body rules.
- Upper tier (up to EUR 20 million or 4% of global annual turnover): violations of core data processing principles, consent conditions, data subject rights, and international transfer rules.
Total cumulative GDPR fines surpassed EUR 5.8 billion by early 2025. The largest single fine on record remains the Irish DPC’s EUR 1.2 billion penalty against Meta in May 2023 for unlawful data transfers to the United States. LinkedIn received EUR 310 million in October 2024 for unlawful behavioral advertising processing.
As we covered in our 2026 Security Audit Preparation guide, procedural compliance matters enormously. In March 2026, a Luxembourg court annulled a EUR 746 million GDPR fine against Amazon and an Italian court threw out a EUR 15 million penalty against OpenAI, both because regulators skipped required procedural steps. The underlying obligations remain intact, but the message is clear: documentation and process matter as much as the controls themselves.
CCPA/CPRA Enforcement
The California Attorney General enforced the CCPA from July 1, 2020 through mid-2023. The CPPA took over primary enforcement authority in July 2023 as the first dedicated state-level privacy enforcement agency in the United States. Penalties under CCPA/CPRA:
- Up to $2,500 per unintentional violation
- Up to $7,500 per intentional violation, or per violation involving a minor’s personal information
- The CPPA adjusts penalty amounts in January of odd-numbered years to reflect CPI changes
Notable 2025 CPPA settlements include Tractor Supply Company ($1.35 million), American Honda Motor Co. ($632,500), and Todd Snyder, Inc. ($345,178 for improperly administering its privacy portal, including requiring consumers to verify identity before exercising opt-out rights).
The CCPA also provides a private right of action for qualifying data breaches under Cal. Civ. Code 1798.150, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is higher. The GDPR’s private right of action under Article 82 is more limited and varies by member state.
Enforcement Comparison
| Dimension | GDPR | CCPA/CPRA |
|---|---|---|
| Enforcing authority | National DPAs (27+ in EU/EEA) | California AG + CPPA |
| Maximum regulatory fine | EUR 20M or 4% of global revenue | $7,500 per intentional violation |
| Cure period | No mandatory cure period | 30-day cure (AG enforcement only; none in CPPA enforcement) |
| Cross-border mechanism | One-stop-shop via lead DPA | California jurisdiction only |

Building a Dual Compliance Strategy
The most efficient approach to dual compliance is to build a single privacy operating model with jurisdiction-specific branching where the laws actually diverge. As the Standarity editorial team noted in May 2026, running two separate privacy programs produces inconsistencies that auditors and regulators eventually find.
Shared Infrastructure: What You Build Once
One Record of Processing Activities (ROPA). A single data inventory that covers both GDPR Article 30 requirements and CCPA accountability obligations, tagged with lawful bases (GDPR) and sale/sharing classifications (CCPA).
One consumer rights workflow. A unified intake, verification, and fulfillment system that handles access, deletion, correction, and portability requests. The system branches on jurisdiction for response timelines (1 month for GDPR, 45 days for CCPA) and specific rights (right to object for GDPR, right to opt out of sale for CCPA).
One privacy notice template. A single privacy policy that covers both GDPR transparency requirements and CCPA disclosures, with jurisdiction-specific sections or dynamic adaptation based on user location.
One vendor management program. A unified vendor onboarding and monitoring process that satisfies both GDPR processor obligations (Data Processing Agreements, Standard Contractual Clauses) and CCPA service provider restrictions (written contracts limiting data use to specified services).
One breach response process. Build your incident response runbook around the stricter requirement (GDPR’s 72-hour notification to the supervisory authority) and apply it uniformly. This exceeds CCPA’s requirements and means your incident response team only learns one process.
Where You Must Branch
Consent management. The GDPR requires explicit opt-in consent with granular, documented lawful bases. The CCPA requires a “Do Not Sell or Share My Personal Information” link and automatic GPC signal processing. These are not interchangeable. Implement a consent platform that supports both models and selects the correct one based on jurisdiction.
Sensitive personal information. The GDPR’s Article 9 special categories and the CCPA’s sensitive personal information category have different scopes and different rules. The GDPR prohibits processing special categories by default unless an Article 9 condition is met. The CCPA/CPRA gives consumers the right to limit use and disclosure of sensitive PI. The CPPA’s 2025 regulations expanded sensitive PI to include neural data and personal information of consumers known to be under 16.
Cross-border transfers. The GDPR requires adequacy decisions, Standard Contractual Clauses, or other approved transfer mechanisms for data leaving the EEA. The CCPA has no equivalent cross-border restriction. The safest approach: apply GDPR-strict transfer treatment globally, treating it as a baseline security requirement.
Automated decision-making. The GDPR’s Article 22 applies by default. The CCPA’s ADMT opt-out right (enforced from 2027 for existing systems) requires explicit consumer action. Begin ADMT inventory and opt-out mechanism preparation now if your organization uses any form of automated decision-making with legal or significant effects.
Dual Compliance Checklist
The following checklist consolidates 58 requirements mapped across both GDPR and CCPA/CPRA, as compiled by the GDPR & CCPA Compliance Checklist 2026. Items marked “Shared” satisfy both laws simultaneously.

Data Inventory and Mapping (7 requirements)
- [Shared] Build a complete data inventory (ROPA) documenting categories of personal data, where it lives, how it is used, who has access, and retention periods.
- [Shared] Map all data flows including collection points, internal systems, third-party transfers, and deletion paths. Include hidden flows like analytics, ad tracking, and email sync.
- [Shared] Categorize personal data by sensitivity level, identifying both GDPR special categories and CCPA sensitive personal information.
- [GDPR only] Document the lawful basis for every processing activity (one of six Article 6 bases).
- [Shared] Inventory all third-party vendors receiving personal data, classified as processors (GDPR) or service providers/contractors (CCPA).
- [GDPR only] Conduct Data Protection Impact Assessments for high-risk processing activities.
- [CCPA only] Conduct formal Risk Assessments for high-risk CCPA activities including selling/sharing PI, processing sensitive PI, or using ADMT (new 2026 requirement).
Privacy Notices and Transparency (7 requirements)
- [Shared] Publish a comprehensive privacy policy covering what you collect, why, retention, third-party recipients, and how to exercise rights.
- [CCPA only] Publish a Notice at Collection at every data collection point (sign-up forms, checkout, contact forms).
- [GDPR only] Disclose data retention periods for each category and cross-border transfer safeguards.
- [CCPA only] Add a “Do Not Sell or Share My Personal Information” link on the website footer and privacy policy.
- [CCPA only] Display visible confirmation when a consumer opts out of sale/sharing (2026 requirement).
Consent Management (6 requirements)
- [GDPR only] Implement a compliant cookie consent banner (opt-in, no pre-checked boxes, easy withdrawal).
- [CCPA only] Honor Global Privacy Control (GPC) browser signals automatically as opt-out requests.
- [GDPR only] Maintain consent records and audit logs with timestamps and consent details.
- [Shared] Obtain opt-in consent before collecting data from minors (under 16 for GDPR; under 16/13 for CCPA).
- [GDPR only] Conduct Legitimate Interest Assessments where relying on the legitimate interest basis.
- [CCPA only] Add opt-in for sensitive personal information use beyond the primary purpose.
Consumer Rights (8 requirements)
- [Shared] Build a rights request intake and fulfillment workflow with identity verification, tracking, and response procedures.
- [Shared] Honor the right to delete/erasure across all systems including backups, with downstream processor notification.
- [Shared] Honor the right to access/know with data going back 12 months (CCPA) or all relevant data (GDPR).
- [Shared] Honor the right to correct/rectification with downstream processor notification.
- [Shared] Honor the right to data portability in a structured, machine-readable format (CSV, JSON).
- [GDPR only] Honor the right to object to processing including profiling.
- [CCPA only] Ensure non-discrimination for consumers exercising rights; document financial incentive programs.
- [CCPA only] Implement ADMT opt-out mechanisms (full enforcement 2027 for existing systems).
Vendor and Processor Management (6 requirements)
- [GDPR only] Execute Data Processing Agreements with all processors specifying nature, purpose, duration, and security obligations.
- [CCPA only] Execute service provider contracts restricting data use to specified services only.
- [GDPR only] Implement Standard Contractual Clauses for cross-border transfers where adequacy decisions do not apply.
- [Shared] Conduct due diligence on vendor privacy and security practices before onboarding.
- [Shared] Flow down deletion obligations to service providers/processors in contracts and workflows.
- [Shared] Monitor and periodically review vendor compliance with annual reviews and high-risk audits.
Security and Breach Notification (7 requirements)
- [Shared] Implement appropriate technical and organizational security measures including encryption, access controls, MFA, logging, and vulnerability management.
- [GDPR only] Notify the supervisory authority within 72 hours of becoming aware of a breach.
- [CCPA only] Notify consumers of qualifying data breaches without unreasonable delay.
- [Shared] Document breach response procedures and conduct regular tabletop exercises.
Conclusion
The GDPR and CCPA/CPRA share a common goal: giving individuals meaningful control over their personal data. They achieve this through different mechanisms, different scopes, and different penalty structures. The GDPR is broader, stricter, and carries higher maximum penalties. The CCPA/CPRA is more targeted, uses an opt-out model, and has a dedicated enforcement agency that is accelerating its pace.
For organizations that must satisfy both, the answer is one unified privacy operating model built on shared infrastructure with jurisdiction-specific branching where the laws genuinely diverge. That model also extends gracefully to the next regulation that arrives, and several are arriving. As the Recording Law comparison published in March 2026 notes, the CPPA’s 2025 rulemaking on automated decision-making and expansion of sensitive personal information to include neural data show that California’s privacy regime continues to evolve rapidly.
Key Takeaways:
- Roughly 80% of CCPA requirements overlap with a mature GDPR program, making a unified compliance approach the most efficient path.
- The fundamental philosophical divide is opt-in (GDPR) vs opt-out (CCPA); a single consent platform must handle both models.
- GDPR penalties reach EUR 20 million or 4% of global turnover; CCPA penalties reach $7,500 per intentional violation with a private right of action for data breaches.
- Build breach response around the stricter GDPR 72-hour window and apply it uniformly to satisfy both regimes.
- The CPPA’s 2026 regulations add mandatory GPC signal processing, visible opt-out confirmation, and ADMT opt-out rights; begin preparing now.
- ISO 27701 provides a useful operational framework for dual compliance, though it does not substitute for regulatory compliance itself.
Related Reading
More in-depth coverage from this blog on closely related topics:
- GDPR Data Protection by Design in 2026
- GDPR Compliance Checklist 2026
- NIST CSF 2.0 & ISO 27001: Healthcare Vendor
- 2026 Security Audits: Prepare for Compliance
Sources and References
Sources cited while researching and writing this article:
Nadia Kowalski
Has read every privacy policy you've ever skipped. Fluent in GDPR, CCPA, SOC 2, and several other acronyms that make people's eyes glaze over. Processes regulatory updates faster than most organizations can schedule a meeting about them. Her idea of light reading is a 200-page compliance framework, and she remembers all of it.
