CCPA vs GDPR: compliance and differences


Businesses and website owners must familiarize themselves with data protection laws to ensure transparency, user trust, and data security. The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two of the most significant laws aimed at safeguarding user privacy.

However, they have key differences in compliance requirements. For example, the GDPR requires explicit consent that involves affirmative action, while the CCPA doesn’t require requesting consent, only the ability to withdraw it.

In this comparison of CCPA and GDPR, we’ll show you the main similarities and differences between the regulations and how to ensure your business complies with both of them.


What are CCPA and GDPR?

The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are two laws that were developed to give users more control over their privacy. They regulate how businesses collect and process the personal data of their users, ensuring their practices are transparent and secure.

CCPA is a US state law that went into effect on January 1, 2020. It helps protect the personal data privacy of California residents by mandating companies to be transparent and giving users rights to access, object, delete, or know what data is collected.

The GDPR is older than CCPA and took effect on May 25, 2018. It ensures businesses are transparent, gives European Union (EU) users a level of control over their data, and holds companies accountable for how they process personal information.

Similarities between GDPR and CCPA

Although there are key differences between the CCPA and the GDPR, there are also some core similarities. Here are the main aspects in which the two laws are alike:

  • Transparency. CCPA: requires disclosure of data collection practices. GDPR: requires disclosure of data collection practices.
  • Consent management. CCPA: opt-out method. GDPR: explicit opt-in and opt-out methods.
  • Data security. CCPA: doesn’t state specific security measures but can give out large fines in case of a data breach. GDPR: requires businesses to ensure confidentiality, pseudonymization, and encryption of data.

Differences between GDPR and CCPA

When comparing CCPA vs GDPR, there are key differences to note, especially if you have to comply with both regulations. Let’s take a look at the main distinctions between the two laws.

[Infographic: GDPR vs CCPA]

Who needs to comply with CCPA and GDPR?

The GDPR and the CCPA apply to businesses that process the personal data of EU and California residents respectively, no matter where the business operates. Let’s take a look at the specific applicability conditions.

CCPA

The CCPA applies to for-profit companies that are located in California or operate outside of it but still process the personal information of Californians. The only exceptions are non-profit organizations and government entities. Plus, the CCPA only applies to companies that meet at least one of these criteria:

  • It makes more than $25 million in gross annual revenue
  • It buys, sells, or shares the personal information of over 100,000 Californians
  • 50% or more of its annual revenue comes from selling California residents’ personal information

GDPR

The GDPR applies to companies of any size that process the personal data of EU residents. Unlike under the CCPA, GDPR even applies to non-profit organizations and charities.

Here are the businesses to which the GDPR applies:

  • Businesses that operate in any of the European Union (EU) member countries and process the personal data of EU residents.
  • Businesses that are located outside the EU but offer goods and services or process the personal data of EU citizens.

That being said, according to the European Commission, if data processing isn’t an integral part of your business and you don’t pose risks to personal consumer data, some requirements may not apply, such as appointing a Data Protection Officer (DPO).

What is considered personal data under each law?

The GDPR provides a broader definition of personal data that can identify a consumer. Meanwhile, the CCPA excludes publicly available data that has already been made available by the consumer.

CCPA

Under the CCPA, personal information refers to data that can identify, relate to, or be linked with a consumer or their household. This can be a name, email address, purchase history, online activity history, fingerprints, geolocation data, and more.

The CCPA extension, called the CPRA (California Privacy Rights Act), also distinguishes sensitive personal information. This covers specific categories such as government identifiers, financial account and credit card details, passwords, the contents of email or text messages, and so on.

GDPR

Under the GDPR, personal data refers to any information that can be used to identify an individual, whether directly or indirectly. Examples include a name, location data, phone number, number plate, identification number, or physical, mental, cultural, and other special characteristics of a person’s identity.

The data that is excluded from the scope of the GDPR includes:

  • Data of a deceased individual
  • Data of a legal person
  • Data processed outside of trade, business, or professional purposes

When can businesses use personal data?

The CCPA allows businesses to process data by default as long as an option to opt out is available.

Meanwhile, Article 6 of the GDPR provides the following lawful bases:

  • The data subject has provided explicit consent
  • For the performance of a contract when the user is an involved party
  • For legal obligation compliance
  • To protect someone’s life or vital interests
  • To perform a task carried out in the public interest
  • For legitimate interests pursued by the organization or a third party

Opt-in vs opt-out consent

A key difference between the GDPR and CCPA is opt-in vs opt-out consent. Both laws require providing users with an opt-out option for data collection. However, the CCPA doesn’t require requesting active consent from users.

CCPA

The CCPA uses the opt-out consent model. It means that businesses don’t need to request explicit consent for data processing but there must be an opt-out option. If the business is selling information to third parties, it must include a “Do not sell or share my personal information” link.

Here’s an example of what a CCPA-compliant banner looks like on a website:

[Image: CCPA banner example]

The link should direct consumers to an opt-out method or form. There’s a 12-month look-back period, which means that for an entire year after an opt-out request, a business cannot automatically resume collecting that user’s data.

GDPR

The GDPR uses the opt-in consent model, meaning gaining explicit user consent for data collection and processing is a must. Consent should also be informed and granular – users should be aware of what they’re consenting to.

According to the GDPR, an option to opt out of data processing or collection must be easily accessible at all times.

Let’s take a look at a GDPR consent banner example:

[Image: GDPR banner example]

The banner contains a “Manage preferences” button that lets users choose which types of cookies they want to consent to. There are also clear and simple buttons to “Accept” and “Reject” consent.
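As an added illustration (not code from the article or from TinyCookie), the following JavaScript sketches how a site can gate non-essential scripts under each consent model described above: under the opt-in model nothing runs until the user makes an explicit, granular choice, while under the opt-out model processing is allowed by default and stops once the user withdraws it. The category names, function names, and the consent log are constructed for this example.

```javascript
// Added example (not code from the article or from TinyCookie): a minimal
// consent gate that implements the opt-in (GDPR) and opt-out (CCPA) models.
// Category names and function names are constructed for illustration.
const CATEGORIES = ["analytics", "marketing"];

// model: "opt-in" (GDPR style) or "opt-out" (CCPA style).
function createConsentState(model) {
  if (model !== "opt-in" && model !== "opt-out") {
    throw new Error(`unknown consent model: ${model}`);
  }
  // Opt-out: processing is permitted by default until the user withdraws it.
  // Opt-in: nothing non-essential is permitted until the user affirmatively chooses.
  const defaultAllowed = model === "opt-out";
  return {
    model,
    decided: false, // has the user made any explicit choice yet?
    choices: Object.fromEntries(CATEGORIES.map((c) => [c, defaultAllowed])),
    log: [], // consent record kept as evidence of what was chosen and when
  };
}

// Granular choice from a "Manage preferences" dialog: categories not mentioned
// keep their current value; an empty object still counts as a decision.
function recordChoice(state, choices, now = Date.now()) {
  for (const [category, allowed] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown category: ${category}`);
    }
    state.choices[category] = Boolean(allowed);
  }
  state.decided = true;
  state.log.push({ at: now, choices: { ...state.choices } });
  return state;
}

// "Accept" / "Reject" buttons and the CCPA "Do not sell or share" link all
// reduce to setting every category at once.
function setAll(state, allowed, now = Date.now()) {
  const all = Object.fromEntries(CATEGORIES.map((c) => [c, allowed]));
  return recordChoice(state, all, now);
}

function isAllowed(state, category) {
  if (!CATEGORIES.includes(category)) {
    throw new Error(`unknown category: ${category}`);
  }
  // Under opt-in, silence is not consent: nothing runs before a decision.
  if (state.model === "opt-in" && !state.decided) return false;
  return state.choices[category];
}

// Wrap every non-essential tag/script load in this gate. Returns whether the
// loader actually ran, so callers can verify the gating.
function loadIfAllowed(state, category, loader) {
  if (!isAllowed(state, category)) return false;
  loader();
  return true;
}

// Demo when run directly with node.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const gdpr = createConsentState("opt-in");
  console.log("GDPR, before any choice:", isAllowed(gdpr, "analytics")); // false
  recordChoice(gdpr, { analytics: true });
  console.log("GDPR, after granular choice:", gdpr.choices); // analytics true, marketing false
  const ccpa = createConsentState("opt-out");
  console.log("CCPA, default:", isAllowed(ccpa, "marketing")); // true
  setAll(ccpa, false);
  console.log("CCPA, after opt-out:", isAllowed(ccpa, "marketing")); // false
}
```

The important design choice is that `isAllowed` treats an undecided opt-in state as a refusal rather than consulting the defaults, so a bug that forgets to show the banner fails closed under the GDPR model; under the CCPA model the same code path allows processing until the opt-out link is used, which is exactly the difference the article describes.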


User rights under each law

Both the GDPR and CCPA grant similar user rights, except that the GDPR also includes the right to data portability and the right not to be subject to an automated decision.

CCPA

The CCPA grants six user rights:

  • Right to know. A business must inform the user about the data collection and processing on the website.
  • Right to correct. Users can ask the business to correct inaccuracies in their personal information.
  • Right to limit. Users can request to limit the use or sale of their personal data.
  • Right to delete. While there are some exceptions listed in Civil Code section 1798.105(d), users can request that businesses delete their personal data.
  • Right to opt out. Businesses must provide an option for users to opt out of data sharing or selling, including a “Do not sell or share” link.
  • Right to non-discrimination. Businesses may not penalize users, for example by denying service, for exercising their rights.

Under the CCPA, businesses get a 45-day period to respond to user requests, which can be extended by the same length if the user is informed. If the business doesn’t respond, the user can file a complaint with the California Attorney General.

GDPR

The GDPR user rights include:

  • Right to know. Data subjects have the right to be informed about data collection, including its purpose, legal basis, controller, and data categories.
  • Right of access. Users may request to access their personal data and businesses must comply.
  • Right to correct. Users have the right to request corrections to their personal information.
  • Right to delete. In certain situations listed on the official EU website, data subjects may request companies to delete their personal data.
  • Right to limit. When the user disagrees with their personal data accuracy or suspects unlawful practices, they may request restriction of data collection.
  • Right to data portability. Consumers may request to receive their data in a structured and machine-readable format if they wish to reuse it or send it to another data controller.
  • Right to object. In some cases, such as when the company processes data based on legitimate interest, users may exercise their right to object to data collection.
  • Right not to be subject to a decision based solely on automated processing. Users may not be subjected to a decision made without human intervention that affects them personally.

According to GDPR Article 12(3), companies get one month to respond to user requests. This can be extended by two more months if the business provides the reason for the extension and informs the user within one month of receiving the request.

Age of consent

The age of consent is 13 under the CCPA and varies between 13 and 16 under the GDPR based on the member states.

CCPA

Under the CCPA, businesses don’t need consent for collecting user data unless the user is under the age of 16. If a child is under 13, data cannot be collected without the consent of a parent or guardian.

GDPR

GDPR Article 8 states that processing the personal data of children under 16 can only be done if authorized by a parent or guardian. However, EU member states may set their own age limit, which can be as low as 13 years old.

International data transfer

The GDPR is stricter than the CCPA when it comes to international data transfers. Let’s take a look at the main differences.

CCPA

The CCPA doesn’t regulate personal information transferring across international borders. However, businesses must disclose personal data sharing with third parties and allow users to opt out.

GDPR

Meanwhile, the GDPR requires that non-EU countries receiving transferred data protect the data of individuals. The level of data protection in the receiving country must be as strong as in the European Economic Area (EEA). The European Commission takes into consideration aspects such as respect for human rights, fundamental freedoms, user rights, and the existence of a data protection authority.

Data security requirements

Although the CCPA doesn’t have specific security requirements, the GDPR makes it obligatory to ensure data encryption, confidentiality, and post-incident restoration.

CCPA

Neither the CCPA nor the CPRA has specific data security requirements for organizations. However, organizations must still ensure data security to prevent breaches, as consumers could take legal action in such cases.

The security measures that could be implemented include performing data inventory, auditing agreements with third parties, improving cybersecurity defense, and creating data protocols.

GDPR

The GDPR requires businesses to adopt security measures that are appropriate to the nature, scope, and purpose of the processing. Here are the measures to be taken:

  • Pseudonymization and encryption of personal data
  • Ensuring confidentiality, integrity, and availability of systems
  • Restoring access to personal information in a timely manner when an incident occurs
  • Regular testing and evaluation of the effectiveness of the applied measures

If a company regularly processes specific personal data of users, if data processing is a core business activity, or if it is done at a large scale, the company must appoint a DPO. The DPO can be an employee of the company or an external individual under contract.

Non-compliance risks

The GDPR fines can go up to around $22 million, or 4% of the organization’s global annual revenue, while the CCPA fines can reach $7,500 per single violation.

CCPA

CCPA fines and penalties depend on the severity of the violation. Here are the main fine levels:

  • For non-intentional violations, such as those caused by a lack of awareness, the fine can go up to $2,500 per single violation.
  • For intentional violations, such as a data breach, the fine can be up to $7,500 per single violation.

In some cases, CCPA authorities may give a company a 30-day cure period to fix its non-compliance.

For certain violations, like a data breach that happened due to poor security measures, consumers may file a class action. They can get $750 per violation in statutory damages.

GDPR

GDPR penalties range from simple non-compliance warnings to administrative fines, depending on the severity of the violation. Here are the GDPR fine tiers:

  • Less serious violations: up to €10 million (~$11 million), or 2% of the organization’s global annual revenue from the previous financial year (whichever is higher).
  • Serious violations: up to €20 million (~$22 million), or 4% of the organization’s global annual revenue from the previous financial year (whichever is higher).

In cases of unlawful data handling practices, organizations may get a temporary or even permanent ban on data processing.

Enforcer

The CCPA and GDPR have different enforcers in place. Let’s review them.

CCPA

The CCPA is enforced by the California Attorney General. Since the CPRA came into effect, the California Privacy Protection Agency has also been created to enforce both California privacy laws.

GDPR

Under the GDPR, each member state has a national data protection authority (DPA). If data processing happens across multiple member states, the DPAs cooperate to reach a consensus. All of the assigned DPAs can be found on the European Data Protection Board website.

GDPR vs CCPA: compliance checklist

There are many GDPR and CCPA compliance requirements that are similar, such as outlining your practices in a privacy policy, managing user requests, or providing an accessible opt-out method. Let’s review the main compliance checklist tasks in more detail.

CCPA

A CCPA compliance checklist involves being transparent and giving users an option to opt out of data collection and processing. Here are the main compliance requirements of the CCPA:

GDPR

A GDPR compliance checklist involves providing users with clear communication about your practices and giving them more control over personal data. The main GDPR compliance tasks are as follows:

  • Determine a lawful basis for processing
  • Update your privacy policy
  • Obtain explicit, informed, unambiguous, and granular user consent
  • Maintain a record of processing practices for proof of compliance
  • Appoint a Data Protection Officer (DPO) to ensure continuous compliance
  • Establish a process for honoring user rights requests
  • Adopt security measures, like encryption and pseudonymization
  • Prepare a data breach response plan
  • Conduct a GDPR risk assessment

GDPR vs CCPA – key takeaways

The main difference between GDPR vs CCPA is that the GDPR requires obtaining explicit user consent for the collection and processing of user data. Meanwhile, the CCPA allows users to opt out of data processing at any time but doesn’t require prior consumer consent to start collecting or processing personal data.

The easiest way to ensure compliance with both regulations is to adopt a consent management platform (CMP). For example, you can use TinyCookie to add a GDPR and CCPA-compliant banner on your website and adopt granular consent.

Frequently asked questions

While there’s no GDPR equivalent in the US at the federal level, some state laws, such as the CCPA in California, have similar requirements for businesses. Like GDPR, the CCPA requires businesses to adopt transparent business practices and provide users with an option to stop data sharing or selling.

No, GDPR isn’t applicable in California. Californian user privacy is protected under the CCPA, which requires businesses to inform users about their data handling practices and give them the option to opt out. GDPR can only be applicable to a business in California if it collects or processes data of EU residents.

Yes, only California residents are protected and have rights under the CCPA. Businesses must comply with the CCPA if they handle the personal data of California residents even if they’re operating outside of California.

About the author
Kristina Jaruseviciute
Kristina is a Senior Writer at TinyCookie, where she specializes in providing educational content for readers interested in web cookies and compliance. She covers an extensive scope of subjects, from cookie types, definitions, and tutorials to compliance tips for website owners.