
Understanding GDPR vs. CCPA Compliance

Managing privacy compliance for both the EU and California is a complex challenge. The GDPR and CCPA are two of the world’s most influential data protection laws, but their requirements diverge on scope, consumer rights, consent, and enforcement. Understanding their overlaps—and critical differences—is essential to building a global, audit-ready privacy program that stands up to regulator scrutiny and avoids costly penalties.

Key Takeaways:

  • Distinguish the core differences in scope, consent, and consumer rights between GDPR and CCPA
  • Compare fine structures and enforcement risks side by side
  • Apply a practical, framework-driven checklist for dual compliance
  • Avoid common audit findings and learn from real enforcement trends

Scope and Applicability

GDPR and CCPA both elevate data privacy standards, but their applicability and definitions differ in ways that have major compliance implications.

GDPR: Broad, Extraterritorial Reach

  • Applies to: Any organization, regardless of location, that processes personal data of individuals located in the EU (Usercentrics).
  • Personal data: Any information relating to an identified or identifiable natural person (GDPR Art. 4).
  • Global effect: Non-EU entities offering goods or services to, or monitoring, EU residents must comply.

CCPA: California-Resident Focused, Threshold-Based

  • Applies to: For-profit entities doing business in California that meet at least one of the following thresholds: (1) annual gross revenues over $25 million; (2) buy, sell, or share the personal information of 100,000 or more consumers, households, or devices; or (3) derive 50% or more of annual revenue from selling personal information (Thoropass).
  • Personal information: Information that identifies, relates to, describes, or could reasonably be linked with a particular consumer, household, or device.
  • Geographic limitation: Protects California residents; does not apply globally.

| Aspect | GDPR | CCPA |
|---|---|---|
| Who is protected? | Any EU resident (“data subject”) | California residents (“consumers”) |
| Who must comply? | Any entity processing EU personal data | For-profit entities meeting any one threshold in CA |
| Scope of data | All personal data (broadly defined) | Consumer/household/device information |
| Geographic reach | Global (if processing EU data) | California-centric |

If your business serves both EU and California residents, you must satisfy both sets of requirements and be able to demonstrate compliance during regulatory audits.

Consumer Rights: Opt-Out vs Opt-In

Empowering individuals to control their data is central to both laws, but the rights provided and how they are exercised differ substantially.

GDPR: Opt-In Consent and Comprehensive Data Subject Rights

  • Consent: Requires clear, affirmative opt-in before processing personal data (GDPR Art. 6, Art. 7). Pre-ticked boxes or implied consent are insufficient.
  • Key rights:
    • Right of access (Art. 15)
    • Right to rectification (Art. 16)
    • Right to erasure (“right to be forgotten”, Art. 17)
    • Right to restriction of processing (Art. 18)
    • Right to data portability (Art. 20)
    • Right to object (Art. 21)
  • Special categories: Additional protections for health, biometric, and other sensitive data (Art. 9).

CCPA: Opt-Out Model and Consumer-Focused Controls

  • Consent: Default is opt-out—organizations may collect and process data unless the consumer restricts it. Opt-in consent is only required for the sale of personal information of minors under 16 (Usercentrics).
  • Key rights:
    • Right to know what personal information is collected, used, shared, or sold
    • Right to delete personal information
    • Right to opt out of sale or sharing of personal data
    • Right to non-discrimination for exercising rights (Entrust)

| Right | GDPR | CCPA |
|---|---|---|
| Access | Yes | Yes |
| Rectification | Yes | No explicit right |
| Erasure/Deletion | Yes (broad) | Yes (with exceptions) |
| Portability | Yes | Yes |
| Opt-out of sale | No (requires opt-in for most processing) | Yes (core feature) |
| Opt-in consent | Required for most processing | Only for sale of minors’ data (<16) |

Summary: GDPR mandates opt-in consent and provides a broader set of rights, including rectification. CCPA centers on opt-out, particularly for data sales, and does not grant an explicit right to rectification. Your privacy program must accommodate both “opt-in” and “opt-out” flows.

For practical strategies on enforcing privacy by design, see Operationalizing GDPR Article 25: Privacy by Design Strategies.

Sale of Data: Definition and Implications

The way each law defines and regulates the sale of personal data is a critical compliance risk—especially for advertising, analytics, and data-driven business models.

GDPR: No Explicit “Sale” Concept—All Processing Regulated

  • GDPR does not specifically regulate or define “sale” of personal data; any transfer to a third party is treated as processing and must be justified by a lawful basis (Art. 6, Art. 7).
  • Disclosures to third parties require transparency and, where needed, contracts with processors (Art. 28–29).
  • Consent is required for most sharing with third parties unless another legal ground applies.

CCPA: Sale/Sharing Is Central, Broadly Defined

  • Defines “sale” as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to another business or third party for monetary or other valuable consideration (Thoropass).
  • Requires a clear “Do Not Sell or Share My Personal Information” link for consumers to exercise opt-out rights.
  • Opt-in consent is required for the sale of personal information of minors under 16, not for all processing.
  • Exceptions apply for certain service provider relationships, business transfers, or legal requirements.

Practical impact: Under CCPA, many digital advertising and data-sharing activities qualify as a “sale” even if no money changes hands. Under GDPR, all sharing requires a lawful basis and transparency—regardless of whether “sale” occurs.

Enforcement and Penalties

Both GDPR and CCPA carry significant enforcement powers, but their fine structures and processes differ in ways that affect compliance risk and response strategies.

GDPR: Significant Fines and Regulatory Oversight

  • Supervisory authorities: Each EU member state has a Data Protection Authority (DPA) empowered to investigate and sanction violations.
  • Fines: Up to €20 million or 4% of total annual global turnover, whichever is higher (Art. 83; Thoropass, Usercentrics).
  • Other powers: DPAs may issue corrective orders, suspend processing, or ban data transfers.
  • Enforcement trend: Regulators have issued multi-million-euro fines; Amazon was fined €746 million in 2021 (Usercentrics).

CCPA: Per-Violation Fines and Cure Period

  • Enforcement bodies: California Attorney General and California Privacy Protection Agency (CPPA).
  • Fines: Up to $2,500 per unintentional violation and $7,500 per intentional violation (Thoropass).
  • Private action: Individuals may sue for certain types of data breaches, with statutory damages between $100 and $750 per incident.
  • Cure period: 30 days to remedy most violations before fines are assessed (GDPR does not offer this).

| Aspect | GDPR | CCPA |
|---|---|---|
| Max fine per violation | €20M or 4% of global turnover (higher applies) | $2,500 (unintentional), $7,500 (intentional) |
| Private right of action | No | Yes (for certain data breaches) |
| Regulatory body | EU Data Protection Authorities | CA Attorney General, CPPA |
| Cure period | No | 30 days |

Both laws are enforced aggressively and require clear documentation, incident response plans, and readiness for audits in multiple jurisdictions.

For audit preparation tips, see Security Audit Preparation: A Comprehensive Guide for Organizations.

Dual Compliance Checklist (GDPR + CCPA)

To achieve dual compliance, your privacy program must satisfy both the most stringent and the unique requirements of each law. Below is an actionable, framework-driven checklist for a typical SaaS or data-driven business. Timelines assume moderate complexity and baseline maturity.

| Control | GDPR Ref. | CCPA Ref. | Implementation Steps | Effort Level |
|---|---|---|---|---|
| Data inventory & mapping | Art. 30 | 1798.110 | Map all personal data flows, including third parties. Maintain detailed processing records for audit. | 2-4 weeks |
| Privacy notice update | Art. 13–14 | 1798.130 | Publish privacy policies covering all required disclosures for both EU and CA residents. | 1-2 weeks |
| Consent management (opt-in/opt-out) | Art. 7 | 1798.120 | Implement consent banners, “Do Not Sell/Share” links, and maintain consent logs. | 2-3 weeks |
| User rights fulfillment | Art. 15–21 | 1798.100–125 | Automate or formally document processes for access, erasure, portability, rectification, and opt-out requests. | 3-5 weeks |
| Vendor management | Art. 28 | 1798.140(w) | Update third-party contracts to ensure processors/service providers meet both standards. | 2-4 weeks |
| Incident response & breach notification | Art. 33–34 | 1798.150 | Document a breach response plan and notification process for both jurisdictions. | 2 weeks |
| Employee training | Art. 39 | 1798.130(a)(6) | Train staff on dual obligations, rights handling, and opt-in/opt-out processes. | 1-2 weeks |
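The “Consent management” row above and the earlier summary (“your privacy program must accommodate both opt-in and opt-out flows”) describe a decision that engineering teams end up encoding in software. The following is an added illustration, not code from the original article or any vendor it cites: a small consent log plus a decision function that applies the GDPR opt-in rule, the CCPA opt-out rule for sale/sharing, the CCPA under-16 opt-in exception, and the “stricter standard wins” approach for a person who falls under both laws. The subject model, the two-purpose taxonomy, the sample subjects and events, and the assignment of a person to a regime are all constructed assumptions; real systems also need to handle GDPR lawful bases other than consent, which this example deliberately leaves out.

```python
"""Added example (not from the original article): a consent-decision engine
for the two regimes contrasted on the page.  Regime assignment, the purpose
taxonomy and the sample data are assumptions made for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple


class Regime(Enum):
    GDPR = "gdpr"
    CCPA = "ccpa"


class Purpose(Enum):
    ANALYTICS = "analytics"            # ordinary processing
    SALE_OR_SHARE = "sale_or_share"    # CCPA "sale"/"share"; a disclosure under GDPR


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: Purpose
    granted: bool          # True = affirmative opt-in, False = opt-out / withdrawal
    recorded_at: datetime  # tz-aware; the latest event for a (subject, purpose) wins


@dataclass(frozen=True)
class Subject:
    subject_id: str
    regimes: FrozenSet[Regime]   # one person may fall under both laws
    age: Optional[int] = None    # needed for the CCPA under-16 rule


class ConsentLog:
    """Append-only consent log (the 'maintain consent logs' control)."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        self._events.append(event)

    def latest(self, subject_id: str, purpose: Purpose) -> Optional[ConsentEvent]:
        hits = [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose]
        return max(hits, key=lambda e: e.recorded_at, default=None)


def _gdpr_decision(event: Optional[ConsentEvent]) -> Tuple[bool, str]:
    # Opt-in model: silence, pre-ticked boxes and implied consent do not count.
    if event is None or not event.granted:
        return False, "GDPR: no affirmative opt-in on record"
    return True, "GDPR: opt-in recorded"


def _ccpa_decision(subject: Subject, purpose: Purpose,
                   event: Optional[ConsentEvent]) -> Tuple[bool, str]:
    if purpose is not Purpose.SALE_OR_SHARE:
        # Opt-out model: ordinary collection/processing is permitted by default.
        return True, "CCPA: processing permitted by default"
    if subject.age is not None and subject.age < 16:
        # The one opt-in case: selling/sharing a minor's personal information.
        if event is None or not event.granted:
            return False, "CCPA: sale of a minor's (<16) data needs opt-in"
        return True, "CCPA: minor's opt-in recorded"
    if event is not None and not event.granted:
        return False, "CCPA: consumer opted out via Do Not Sell/Share"
    return True, "CCPA: no opt-out on record; sale permitted"


def may_process(subject: Subject, purpose: Purpose,
                log: ConsentLog) -> Tuple[bool, List[str]]:
    """Apply every regime the subject falls under; the strictest answer wins."""
    event = log.latest(subject.subject_id, purpose)
    allowed, reasons = True, []
    for regime in sorted(subject.regimes, key=lambda r: r.value):
        ok, why = (_gdpr_decision(event) if regime is Regime.GDPR
                   else _ccpa_decision(subject, purpose, event))
        allowed = allowed and ok
        reasons.append(why)
    return allowed, reasons


def demo() -> dict:
    """Constructed sample subjects and consent events; returns the decisions."""
    log = ConsentLog()
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    eu = Subject("eu-1", frozenset({Regime.GDPR}))
    ca = Subject("ca-1", frozenset({Regime.CCPA}), age=34)
    ca_minor = Subject("ca-2", frozenset({Regime.CCPA}), age=15)
    both = Subject("dual-1", frozenset({Regime.GDPR, Regime.CCPA}), age=40)
    log.record(ConsentEvent("eu-1", Purpose.ANALYTICS, True, t0))          # banner opt-in
    log.record(ConsentEvent("ca-1", Purpose.SALE_OR_SHARE, False, t0))     # Do Not Sell click
    return {
        "eu_analytics": may_process(eu, Purpose.ANALYTICS, log)[0],
        "eu_sale": may_process(eu, Purpose.SALE_OR_SHARE, log)[0],
        "ca_sale_after_optout": may_process(ca, Purpose.SALE_OR_SHARE, log)[0],
        "ca_analytics": may_process(ca, Purpose.ANALYTICS, log)[0],
        "ca_minor_sale": may_process(ca_minor, Purpose.SALE_OR_SHARE, log)[0],
        "dual_sale_no_record": may_process(both, Purpose.SALE_OR_SHARE, log)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The design point worth noting is the dual-regime case: the same absence of a record is “permitted” under CCPA and “denied” under GDPR, so a program that serves both populations must evaluate each applicable rule and deny if any rule denies. Keeping the log append-only and resolving “latest wins” per purpose also gives auditors the evidence trail the checklist asks for.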

Recommended audit readiness timeline: 8–12 weeks, if no major gaps exist.

For more on vendor risk management, see Comprehensive Guide to Vendor Risk Management.

Common Pitfalls and Pro Tips

  • Assuming “GDPR compliance = CCPA compliance” (or vice versa): CCPA’s opt-out and broad definition of “sale” require additional technical and policy controls, even if you already comply with GDPR.
  • Poor data inventory: Incomplete mapping makes it impossible to honor access, deletion, or opt-out requests—this is a frequent audit finding.
  • Neglecting CCPA “Do Not Sell/Share” obligations: Failing to provide a dedicated opt-out mechanism is a common CCPA violation, triggering fines of $2,500–$7,500 per violation.
  • Overlooking employee training: Mishandling consumer/data subject requests due to insufficient staff training is a leading cause of enforcement actions.
  • Inadequate vendor contracts: Both laws require updated processor/service provider clauses; legacy contracts may expose you to joint liability.
  • Not keeping privacy policies current: Both frameworks require clear, up-to-date disclosures—outdated policies are a frequent basis for regulatory action.

For a step-by-step GDPR action plan, see GDPR Compliance Checklist: Essential Steps for 2026.

Conclusion and Next Steps

GDPR and CCPA target similar privacy outcomes but impose different, sometimes conflicting, obligations. Building a robust compliance program means adopting the stricter standard where requirements overlap, supporting both opt-in (GDPR) and opt-out (CCPA) workflows, and maintaining documented records, policies, and contracts. The stakes for non-compliance are rising on both sides of the Atlantic—proactive, framework-driven compliance and annual audit readiness are now business-critical.

Review your privacy posture against the checklist above, prioritize closing identified gaps, and leverage internal or external expertise as needed. For deeper guidance on privacy engineering and audit readiness, see Security Audit Preparation: A Comprehensive Guide for Organizations and Operationalizing GDPR Article 25: Privacy by Design Strategies.