If your US business collects data from European Union residents or California consumers, you face two of the most stringent privacy laws in the world: the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
While both laws aim to protect consumer privacy, they differ significantly in scope, requirements, and penalties. Understanding these differences is critical for global compliance and avoiding multi-million dollar fines.
GDPR applies to the personal data of people in the EU wherever the processing happens, with fines of up to €20M or 4% of annual global turnover, whichever is higher. CCPA/CPRA applies to California residents, with civil penalties of up to $7,500 per intentional violation plus a private right of action for certain data breaches.
Overview at a Glance
| Aspect | GDPR (EU) | CCPA / CPRA (California) |
|---|---|---|
| Effective Date | May 25, 2018 | Jan 1, 2020 (CPRA: Jan 1, 2023) |
| Geographic Scope | People in the EU/EEA (worldwide reach) | California residents only |
| Maximum Fine | €20M or 4% global turnover | $7,500 per intentional violation |
| Consent Required | Opt-in where consent is the lawful basis (one of six under Art. 6); explicit consent for special-category data | Opt-out (for sale/sharing of data; opt-in only for consumers under 16) |
| Private Right of Action | Yes (judicial remedy and compensation under Arts. 79 and 82, plus complaints to DPAs under Art. 77) | Limited (data breaches only) |
| Data Protection Officer | Required in many cases | Not required |
Who Must Comply?
GDPR Applicability
GDPR has extraterritorial reach. Under Article 3 it applies to any organization, regardless of where the processing itself takes place, that:
- Has an establishment in the EU (Art. 3(1))
- Offers goods or services to people in the EU, whether paid or free (Art. 3(2)(a))
- Monitors the behaviour of people in the EU, for example through analytics, tracking or profiling (Art. 3(2)(b))
CCPA Applicability
CCPA applies to for-profit businesses doing business in California that meet at least ONE of (thresholds as amended by CPRA):
- Annual gross revenues over $25 million (inflation-adjusted)
- Buy, sell, or share the personal information of 100,000 or more California consumers or households per year
- Derive 50% or more of annual revenue from selling or sharing consumers' personal information
Consumer Rights Comparison
GDPR Rights (8 Core Rights)
- Right to be Informed — Transparent privacy notices
- Right of Access — Free copy of personal data
- Right to Rectification — Correct inaccurate data
- Right to Erasure — "Right to be forgotten"
- Right to Restrict Processing — Limit data use
- Right to Data Portability — Machine-readable export
- Right to Object — Stop processing
- Rights related to Automated Decision-Making — Not to be subject to decisions based solely on automated processing that have legal or similarly significant effects, subject to the Art. 22 exceptions
CCPA/CPRA Rights (7 Core Rights)
- Right to Know — What data is collected and used
- Right to Delete — Request data deletion
- Right to Correct — Fix inaccurate data (CPRA addition)
- Right to Opt-Out of Sale/Sharing — "Do Not Sell or Share My Personal Information" (sharing added by CPRA)
- Right to Limit Sensitive PI Use — CPRA addition
- Right to Non-Discrimination — No penalty for exercising rights
- Right to Data Portability — Receive data copy
Consent Model: Opt-In vs Opt-Out
GDPR: Strict Opt-In
Under GDPR, consent is one of six lawful bases. Where you rely on it, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative act: pre-ticked boxes and silence are invalid. You must be able to demonstrate that consent was obtained and must make withdrawing it as easy as giving it.
CCPA: Opt-Out Model
CCPA generally allows collection and use subject to notice, but consumers can opt out of the sale of their personal information through a "Do Not Sell My Personal Information" link. CPRA extends the opt-out to sharing for cross-context behavioral advertising, so the required link is now "Do Not Sell or Share My Personal Information".
US businesses often use GDPR-style cookie banners but forget the CCPA "Do Not Sell" link. You need both for global compliance.
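The practical difference between the two models is easiest to see in the logic that gates processing. The following is an added example, not code from the original page: a small append-only consent ledger in Python whose decision function refuses to process for an EU user until an affirmative opt-in is recorded, permits sale/sharing for a California user until an opt-out is recorded, rejects pre-ticked "consent" at write time, and keeps the timestamped evidence needed to demonstrate consent. The class and purpose names (ConsentLedger, Region, "sale", "share", "analytics") and the sample events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Region(Enum):
    EU = "eu"        # GDPR: processing on the basis of consent needs an opt-in
    CA = "ca"        # CCPA/CPRA: sale/sharing is allowed until the consumer opts out
    OTHER = "other"  # neither regime; the ledger is kept anyway


# Purposes the CCPA/CPRA opt-out covers (assumed labels). Other purposes such as
# "analytics" are permitted under CCPA without consent, subject to the notice.
CCPA_OPT_OUT_PURPOSES = frozenset({"sale", "share"})


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str            # "analytics", "marketing", "sale", "share", ...
    granted: bool           # True = opt-in given; False = withdrawn or opted out
    at: datetime            # when the user acted (UTC)
    notice_version: str     # privacy notice / banner text the user was shown
    affirmative: bool       # True only if the user actively acted (no pre-ticked default)
    source: str             # "cookie_banner", "do_not_sell_link", "account_settings", ...


class ConsentLedger:
    """Append-only consent record keyed by user id; history is never overwritten."""

    def __init__(self) -> None:
        self._events: dict[str, list[ConsentEvent]] = {}

    def record(self, user_id: str, event: ConsentEvent) -> None:
        # Silence or a pre-ticked box is not consent under GDPR, so a grant that
        # did not come from an affirmative act is rejected before it is stored.
        if event.granted and not event.affirmative:
            raise ValueError("consent must come from an affirmative act, not a default")
        self._events.setdefault(user_id, []).append(event)

    def latest(self, user_id: str, purpose: str) -> Optional[ConsentEvent]:
        matching = [e for e in self._events.get(user_id, []) if e.purpose == purpose]
        return max(matching, key=lambda e: e.at) if matching else None

    def may_process(self, user_id: str, region: Region, purpose: str) -> bool:
        state = self.latest(user_id, purpose)
        if region is Region.EU:
            # Opt-in: absent or withdrawn consent means no processing on that basis.
            return state is not None and state.granted
        if region is Region.CA and purpose in CCPA_OPT_OUT_PURPOSES:
            # Opt-out: permitted until the consumer says no.
            return state is None or state.granted
        # CCPA non-sale purposes and other regions: no consent gate in this model.
        return True

    def evidence(self, user_id: str, purpose: str) -> list[dict]:
        """Audit trail for demonstrating that consent was obtained or withdrawn."""
        return [
            {"purpose": e.purpose, "granted": e.granted, "at": e.at.isoformat(),
             "notice_version": e.notice_version, "source": e.source}
            for e in self._events.get(user_id, []) if e.purpose == purpose
        ]


def demo() -> dict:
    """Walk a constructed EU user and California user through both models."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    out = {}

    # EU user: nothing may happen until an affirmative opt-in is on record.
    out["eu_before"] = ledger.may_process("eu-1", Region.EU, "analytics")
    ledger.record("eu-1", ConsentEvent("analytics", True, t0, "v3", True, "cookie_banner"))
    out["eu_after_grant"] = ledger.may_process("eu-1", Region.EU, "analytics")
    ledger.record("eu-1", ConsentEvent("analytics", False, t0.replace(hour=10), "v3", True, "cookie_banner"))
    out["eu_after_withdrawal"] = ledger.may_process("eu-1", Region.EU, "analytics")

    # Pre-ticked box: the ledger refuses to store it as consent.
    try:
        ledger.record("eu-2", ConsentEvent("marketing", True, t0, "v3", False, "cookie_banner"))
        out["preticked_rejected"] = False
    except ValueError:
        out["preticked_rejected"] = True

    # California user: sale is permitted by default and stops at the opt-out.
    out["ca_sale_before"] = ledger.may_process("ca-1", Region.CA, "sale")
    ledger.record("ca-1", ConsentEvent("sale", False, t0, "v3", True, "do_not_sell_link"))
    out["ca_sale_after_optout"] = ledger.may_process("ca-1", Region.CA, "sale")
    out["ca_analytics"] = ledger.may_process("ca-1", Region.CA, "analytics")
    out["evidence_count"] = len(ledger.evidence("eu-1", "analytics"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ledger is append-only on purpose: a withdrawal or opt-out is a new event rather than a flag flipped in place, so the record of when consent was given, what notice version the user saw, and when it was withdrawn survives for the regulator. A real deployment would persist this store and sign or hash-chain the events so the evidence cannot be quietly edited later.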
Penalties Compared
GDPR Two-Tier System
- Tier 1 (Lower): Up to €10M or 2% of global annual turnover (whichever is higher)
- Tier 2 (Higher): Up to €20M or 4% of global annual turnover (whichever is higher)
CCPA/CPRA Penalties
- $2,500 per unintentional violation
- $7,500 per intentional violation
- $7,500 per violation involving minors under 16
- Private right of action: $100-$750 per consumer per data breach incident, or actual damages if greater
Breach Notification
GDPR (Strict)
- 72 hours from becoming aware of a breach to notify the Supervisory Authority, unless the breach is unlikely to result in a risk to individuals
- Individuals notified "without undue delay" if the breach is likely to result in a high risk to them
- Internal documentation of every breach, whether or not it was notified (Art. 33(5))
CCPA (Flexible)
- CCPA itself sets no notification deadline; timing comes from state breach-notification laws
- California's separate breach law (Civil Code 1798.82): notify "in the most expedient time possible and without unreasonable delay"
- Private lawsuits available to breach victims where the breach resulted from a failure to maintain reasonable security
DPO Requirements
GDPR Requires DPO if:
- You're a public authority
- Core activities consist of regular and systematic monitoring of individuals on a large scale
- Core activities consist of large-scale processing of special-category data or criminal-conviction data
CCPA: No DPO Required
CCPA doesn't mandate a Data Protection Officer, but a designated Privacy Officer is recommended for managing consumer requests.
Dual Compliance Checklist
To comply with both laws simultaneously:
- Privacy Notice: Layered notice with separate sections for EU/CA residents
- Cookie Banner: GDPR opt-in for EU + CCPA "Do Not Sell" link
- Consent Management Platform: Track and document all consents
- Data Mapping: Know what data you have, where it lives, who has access
- Subject Rights Portal: Easy way for consumers to exercise rights
- Vendor Contracts: Art. 28 processor agreements plus Standard Contractual Clauses for transfers out of the EU (GDPR) + service provider/contractor agreements (CCPA)
- Breach Response Plan: 72-hour GDPR supervisory-authority notification clock + state breach-notification laws
- Training: Staff trained on both regulations
Build to the higher standard (GDPR) and you'll generally cover CCPA requirements. Add CCPA-specific elements like the "Do Not Sell" link and you're set for both.
The Future: More US State Laws
Following California's lead, many US states are passing comprehensive privacy laws:
- Virginia (VCDPA) — Effective January 2023
- Colorado (CPA) — Effective July 2023
- Connecticut (CTDPA) — Effective July 2023
- Utah (UCPA) — Effective December 2023
- Texas, Oregon, Montana, Iowa, Tennessee — Various 2024-2025 effective dates
A federal US privacy law (APRA) is also under discussion, which would create unified national standards.
Conclusion
GDPR and CCPA represent fundamentally different approaches to privacy — GDPR's rights-based opt-in model versus CCPA's consumer-empowerment opt-out approach. But the trend is clear: privacy regulation is expanding globally, and US businesses must prepare for an increasingly complex compliance landscape.
The smart approach is to build a privacy program that meets the highest standards applicable to your business, then layer in jurisdiction-specific requirements. This not only ensures compliance but builds consumer trust — a competitive advantage in the data-driven economy.