Teams building for both markets usually try to find the stricter law and comply with that. It is a reasonable instinct and it is mostly right — but "mostly" is doing a lot of work in that sentence, because the two laws are strict about different things.
The one difference everything else follows from
GDPR is opt-in. CCPA is opt-out.
Under GDPR you need a lawful basis before you process personal data at all. No basis, no processing. The default is that you may not.
Under CCPA and CPRA you may generally collect and use personal information, provided you disclose it — and the consumer has the right to tell you to stop selling or sharing it. The default is that you may, until told otherwise.
That single line explains most of what follows.
Scope: who is covered
GDPR applies to any organisation processing the personal data of people in the EU or EEA, regardless of where the organisation is. There is no revenue threshold and no size threshold. If you offer goods or services to people in the EU, you are in scope.
CCPA/CPRA applies to for-profit businesses doing business in California that meet at least one threshold: over $25m annual gross revenue; buying, selling, or sharing the personal information of 100,000+ consumers or households; or deriving 50%+ of annual revenue from selling or sharing personal information.
So a 15-person European startup is squarely inside GDPR and very likely outside CCPA.
Rights: similar names, different mechanics
Both give people the right to access, delete, and correct their data. The differences are in the edges:
- Deadline. GDPR: one month, extendable by two. CCPA: 45 days, extendable to 45 more.
- Opt-out of sale. CCPA has it; GDPR does not need it, because the sale would have needed a basis in the first place.
- Objection to processing. GDPR has it; CCPA has no direct analogue.
- Data portability. Both have it, but GDPR's is broader.
- Automated decision-making. GDPR Article 22 restricts solely automated decisions with significant effects and grants a right to human review. CPRA introduces rights around automated decision-making technology, but the regimes are not equivalent.
"Sale" is broader than you think
This is the one that catches ecommerce and SaaS companies who were confident they were out of scope.
Under CPRA, disclosing identifiers to an advertising network for cross-context behavioural advertising counts as a sale or share — even when no money changes hands. If you run a retargeting pixel, you are very likely sharing personal information under CPRA, and you owe consumers a way to opt out of it.
Most companies running a standard marketing stack are doing this without having decided to.
What this means for what you build
Four things, concretely:
A basis field, not a consent flag. GDPR needs a lawful basis recorded per processing activity, and consent is only one of six. Systems that model this as a single boolean cannot represent reality — and cannot survive an audit.
A real opt-out path, plumbed downstream. CCPA's "Do Not Sell or Share My Personal Information" is not a UI element. It is a signal that must propagate to every ad platform and downstream processor, and you must be able to prove it did.
Deletion that actually deletes. Both laws require it, both have exemptions, and both expect you to know which of your systems hold the data — which brings you back to the record of processing.
Honest disclosure. CCPA is fundamentally a transparency regime. The categories of data collected, the purposes, and the recipients must be disclosed — accurately, and matching what you actually do.
The practical answer
Build to GDPR, then add CCPA's opt-out mechanics on top. GDPR's requirement for a lawful basis, a record of processing, and demonstrable accountability is the higher structural bar — but it does not, by itself, give you the "Do Not Sell or Share" signal handling that CPRA demands.
Neither law is satisfied by a policy document. Both are satisfied by a system that can show what you did and why — which is what a compliance scan and findings process exists to produce.