Skip to content

GDPR vs CCPA: the differences that actually change what you build

8 min read

GDPR requires a lawful basis for every act of processing personal data of people in the EU and EEA, making it opt-in by design. CCPA and CPRA apply to qualifying businesses handling California residents' data and centre on disclosure and the right to opt out of sale or sharing. GDPR restricts collection; CCPA restricts what you do afterwards.

Teams building for both markets usually try to find the stricter law and comply with that. It is a reasonable instinct and it is mostly right — but "mostly" is doing a lot of work in that sentence, because the two laws are strict about different things.

The one difference everything else follows from

GDPR is opt-in. CCPA is opt-out.

Under GDPR you need a lawful basis before you process personal data at all. No basis, no processing. The default is that you may not.

Under CCPA and CPRA you may generally collect and use personal information, provided you disclose it — and the consumer has the right to tell you to stop selling or sharing it. The default is that you may, until told otherwise.

That single line explains most of what follows.

Scope: who is covered

GDPR applies to any organisation processing the personal data of people in the EU or EEA, regardless of where the organisation is. There is no revenue threshold and no size threshold. If you offer goods or services to people in the EU, you are in scope.

CCPA/CPRA applies to for-profit businesses doing business in California that meet at least one threshold: over $25m annual gross revenue; buying, selling, or sharing the personal information of 100,000+ consumers or households; or deriving 50%+ of annual revenue from selling or sharing personal information.

So a 15-person European startup is squarely inside GDPR and very likely outside CCPA.

Rights: similar names, different mechanics

Both give people the right to access, delete, and correct their data. The differences are in the edges:

  • Deadline. GDPR: one month, extendable by two. CCPA: 45 days, extendable to 45 more.
  • Opt-out of sale. CCPA has it; GDPR does not need it, because the sale would have needed a basis in the first place.
  • Objection to processing. GDPR has it; CCPA has no direct analogue.
  • Data portability. Both have it, but GDPR's is broader.
  • Automated decision-making. GDPR Article 22 restricts solely automated decisions with significant effects and grants a right to human review. CPRA introduces rights around automated decision-making technology, but the regimes are not equivalent.

"Sale" is broader than you think

This is the one that catches ecommerce and SaaS companies who were confident they were out of scope.

Under CPRA, disclosing identifiers to an advertising network for cross-context behavioural advertising counts as a sale or share — even when no money changes hands. If you run a retargeting pixel, you are very likely sharing personal information under CPRA, and you owe consumers a way to opt out of it.

Most companies running a standard marketing stack are doing this without having decided to.

What this means for what you build

Four things, concretely:

A basis field, not a consent flag. GDPR needs a lawful basis recorded per processing activity, and consent is only one of six. Systems that model this as a single boolean cannot represent reality — and cannot survive an audit.

A real opt-out path, plumbed downstream. CCPA's "Do Not Sell or Share My Personal Information" is not a UI element. It is a signal that must propagate to every ad platform and downstream processor, and you must be able to prove it did.

Deletion that actually deletes. Both laws require it, both have exemptions, and both expect you to know which of your systems hold the data — which brings you back to the record of processing.

Honest disclosure. CCPA is fundamentally a transparency regime. The categories of data collected, the purposes, and the recipients must be disclosed — accurately, and matching what you actually do.

The practical answer

Build to GDPR, then add CCPA's opt-out mechanics on top. GDPR's requirement for a lawful basis, a record of processing, and demonstrable accountability is the higher structural bar — but it does not, by itself, give you the "Do Not Sell or Share" signal handling that CPRA demands.

Neither law is satisfied by a policy document. Both are satisfied by a system that can show what you did and why — which is what a compliance scan and findings process exists to produce.

Frequently asked questions

Yes, if it offers goods or services to people in the EU or EEA, or monitors their behaviour. The location of the company is irrelevant — the test is the location of the data subject and the nature of the processing.

No. GDPR is the higher structural bar, but it does not include CCPA's specific mechanics — notably the 'Do Not Sell or Share My Personal Information' opt-out and its disclosure requirements. Most GDPR-compliant companies still have CCPA work to do.

GDPR fines reach up to €20 million or 4% of global annual turnover, whichever is higher. CCPA/CPRA penalties are assessed per violation, with a higher tier for violations involving minors, and there is a limited private right of action for certain data breaches.

Under CPRA, disclosing identifiers to an advertising network for cross-context behavioural advertising is treated as a sale or share, even with no money changing hands. Most companies running standard retargeting pixels are in scope and owe consumers an opt-out.

Compliance Scan

See how RegRely turns this into a repeatable, evidenced workflow.

Explore Compliance Scan