The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA, as amended by the CPRA) are the two most influential privacy laws for online businesses, but they differ significantly in scope, approach, and enforcement. The GDPR applies to any organization that processes personal data of individuals in the European Union, regardless of where the business is located, and it uses an opt-in consent model that requires explicit permission before most data processing begins. The CCPA applies to for-profit businesses that meet specific revenue or data-volume thresholds and serve California residents, and it uses an opt-out model that allows data collection by default but gives consumers the right to stop the sale or sharing of their information. Both laws grant individuals rights over their personal data, including the right to access, delete, and understand how their data is used, but the specific rights, definitions, and enforcement mechanisms differ in important ways. If your business serves customers in both the EU and California, you need to understand and comply with both.
Who Each Law Applies To
The GDPR has broad jurisdictional reach. It applies to any organization, anywhere in the world, that offers goods or services to individuals in the EU or monitors the behavior of individuals in the EU. There is no revenue threshold or company size exemption. A one-person startup with a website accessible in Germany is subject to the GDPR if it collects personal data from German visitors. The GDPR also applies to data processors (companies that handle data on behalf of others), not just data controllers (companies that determine the purposes of data processing).
The CCPA is narrower in scope. It applies only to for-profit businesses that do business in California and meet at least one of three thresholds: (1) annual gross revenue exceeding $25 million; (2) buying, receiving, selling, or sharing the personal information of 100,000 or more California consumers, households, or devices per year; or (3) deriving 50% or more of annual revenue from selling or sharing consumers' personal information. Nonprofits and government agencies are exempt. The CPRA amendments, effective since January 2023, also created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body.
Consent Models: Opt-In vs Opt-Out
The most fundamental philosophical difference between the GDPR and CCPA is their approach to consent. The GDPR requires a lawful basis for every instance of personal data processing, and consent is one of six possible bases (alongside legitimate interest, contract performance, legal obligation, vital interests, and public task). When consent is the basis, it must be freely given, specific, informed, and unambiguous, which means pre-checked boxes and implied consent are invalid. For sensitive data categories like health, biometric, or racial data, the GDPR requires explicit opt-in consent.
The CCPA takes an opt-out approach. Businesses can collect and use personal information without asking for prior consent, but they must inform consumers about their data practices at or before the point of collection and provide a clear mechanism to opt out of the sale or sharing of personal information. The only opt-in requirement under the CCPA applies to consumers under 16: businesses must obtain opt-in consent before selling personal information of consumers aged 13 to 15, and parental consent for consumers under 13.
Consumer Rights Compared
Both laws grant consumers a set of individual rights, but they are not identical. The GDPR provides the right to access (obtain a copy of your data), the right to rectification (correct inaccurate data), the right to erasure (delete your data), the right to restrict processing, the right to data portability (receive your data in a machine-readable format), the right to object to processing, and rights related to automated decision-making and profiling. Data controllers must respond to rights requests within one month.
The CCPA provides the right to know (what personal information is collected and how it is used), the right to delete, the right to opt out of the sale or sharing of personal information, the right to correct inaccurate information (added by CPRA), the right to limit the use of sensitive personal information, and the right to non-discrimination (businesses cannot penalize consumers who exercise their rights). Businesses must respond to verifiable consumer requests within 45 days.
Definition of Personal Data
The GDPR defines personal data broadly as any information relating to an identified or identifiable natural person. This includes names, email addresses, IP addresses, cookie identifiers, location data, biometric data, and even opinions or assessments about a person. The GDPR also defines special categories of sensitive data (racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, sexual orientation) that receive heightened protection.
The CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household. This similarly includes names, addresses, IP addresses, browsing history, purchase history, geolocation data, and biometric information. Notably, the CCPA extends the definition to the household level, not just individuals. The CPRA added a category of sensitive personal information (similar to the GDPR's special categories) that includes Social Security numbers, financial account information, precise geolocation, racial or ethnic origin, and the contents of private communications.
Penalties and Enforcement
The GDPR is enforced by data protection authorities (DPAs) in each EU member state, with the lead supervisory authority determined by where the organization's main establishment is located. Maximum fines are severe: up to 20 million euros or 4% of the company's total worldwide annual revenue for the preceding financial year, whichever is greater. Lower-tier violations can result in fines up to 10 million euros or 2% of annual revenue. DPAs can also issue warnings, reprimands, and orders to cease processing. Individuals have the right to lodge complaints with their local DPA and to seek judicial remedies.
The CCPA is enforced by both the California Attorney General and the California Privacy Protection Agency (CPPA). Civil penalties can reach $2,500 per unintentional violation and $7,500 per intentional violation. The CCPA also includes a private right of action for data breaches, allowing consumers to seek statutory damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater. Businesses have a 30-day cure period for violations identified by the Attorney General, though this was narrowed under CPRA. While individual CCPA fines are lower than GDPR fines, they can accumulate quickly in class-action lawsuits involving thousands of affected consumers.