CCPA vs GDPR Differences Explained (2026 Guide)
Disclaimer: This is not legal advice. Consult a lawyer for specific cases regarding your business liability.
If you operate a website or mobile app today, you've likely heard the alphabet soup of privacy laws: GDPR, CCPA, CPRA, LGPD. The two heavyweights that affect almost every online business are Europe's GDPR and California's CCPA.
If you're looking for the fastest way to comply with both, you can generate your Privacy Policy in 60 seconds — free, no signup, GDPR & CCPA compliant using our free privacy policy generator. But if you want to understand the core CCPA vs GDPR differences explained in plain English, keep reading.
1. What Are the GDPR and CCPA?
The General Data Protection Regulation (GDPR) is a comprehensive privacy law enacted by the European Union (EU) that took effect in 2018. It protects the personal data of individuals located within the EU.
The California Consumer Privacy Act (CCPA) is a state-level privacy law that went into effect in 2020 (and was expanded by the CPRA in 2023). It gives California residents specific rights regarding their personal information.
Both laws exist to give consumers control over their data, but they take fundamentally different approaches. The GDPR is a sweeping, principles-based regulation: it requires a lawful basis for every processing activity, mandates transparency, and bakes in "privacy by design and by default." The CCPA (as amended by the CPRA) is more of a disclosure-and-rights statute — less concerned with whether you may process data and more concerned with telling consumers what you collect and letting them opt out, delete, correct, and limit certain uses.
Under the CCPA framework, the California Attorney General describes five core consumer rights: the right to know what personal information is collected and how it is used, to delete it (with exceptions), to opt out of its sale or sharing, to correct inaccurate information, and to limit the use of sensitive personal information.
2. Opt-In vs. Opt-Out: The Core Difference
If you only remember one difference between these two laws, remember this:
GDPR is "Opt-In" (Privacy by Default).
Before a business can collect your data or place non-essential tracking cookies on your device in Europe, they generally must ask for your consent. Under the GDPR, consent has to be freely given and the controller must "be able to demonstrate that the data subject has consented"; the request must be "clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language" (Article 7 GDPR). In practice a user actively checks a box or clicks "Accept" (Opt-In) before non-essential data collection begins — and can withdraw that consent at any time. This is why our cookie policy generator is crucial for EU traffic.
CCPA is "Opt-Out" (Collection by Default).
In California, a business can generally collect your data by default without asking permission beforehand. However, it must clearly disclose what it collects and provide an easy way to exercise "the right to opt-out of the sale or sharing of their personal information" (California Attorney General) — usually via a "Do Not Sell or Share My Personal Information" link.
3. Who Do These Laws Apply To?
Do these laws apply to your small blog or SaaS startup? The thresholds are very different.
GDPR Applicability
The GDPR reaches well beyond Europe's borders. Its territorial scope provision applies the law to a controller or processor not established in the EU "where the processing activities are related to ... the offering of goods or services ... to such data subjects in the Union" or "the monitoring of their behaviour" within the Union (Article 3 GDPR). There is no revenue or headcount threshold. In plain terms, even a free hobby blog based in Texas can fall under the GDPR if it offers services to, or runs behavioural analytics on, visitors in the EU.
CCPA Applicability
The CCPA is more forgiving for small businesses. According to the California Attorney General, it applies to "for-profit businesses that do business in California and meet any of the following":
- Have a gross annual revenue of over $25 million;
- Buy, sell, or share the personal information of 100,000 or more California residents or households; or
- Derive 50% or more of their annual revenue from selling California residents' personal information.
A business only has to cross one of these lines to be covered (California Attorney General). The $25 million figure is the statutory baseline and is periodically adjusted for inflation, so check the current threshold if your revenue is near the line.
4. The Definition of "Personal Data"
While both laws protect personal information, they phrase it differently.
GDPR: Protects Personal Data. This includes any information relating to an identified or identifiable natural person (names, emails, IP addresses, location data, religious beliefs). It only applies to individuals.
CCPA: Protects Personal Information. This is defined as information that identifies, relates to, or could reasonably be linked to a particular consumer or household. This means data tied to a specific smart TV or family IP address can be covered. The CPRA amendments also created a special category of "sensitive personal information" (such as precise geolocation, race, religion, health data, and the contents of private messages) that consumers can ask you to limit.
5. Fines and Penalties (The Scary Part)
Non-compliance is incredibly expensive under both frameworks.
GDPR: For the most serious infringements, supervisory authorities can impose administrative fines "up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher" (Article 83(5) GDPR). A lower tier — capped at €10 million or 2% of worldwide turnover — applies to more procedural failures such as inadequate records or breach-notification lapses (Article 83(4) GDPR).
CCPA: A business that violates the CCPA is subject to an administrative fine of up to $2,500 for each violation or up to $7,500 for each intentional violation (or violations involving the personal information of consumers under 16), assessed by the California Privacy Protection Agency (CPPA) through an administrative enforcement action (Cal. Civ. Code § 1798.155). Since the CPRA amendments took effect in 2023, this enforcement authority sits with the CPPA rather than the California Attorney General. Separately, the CCPA grants a limited "private right of action": if certain unencrypted, unredacted personal information is exposed in a breach because a business failed to maintain reasonable security, consumers can recover statutory damages of "not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident" (Cal. Civ. Code § 1798.150).
Step-by-Step Guide: How to Comply with Both in 2026
These general practices help you cover the common ground between both laws:
Step 1: Disclose what you collect. Publish a transparent, accessible Privacy Policy and link it in your footer. The GDPR requires that information be provided in a "concise, transparent, intelligible and easily accessible form, using clear and plain language" (Article 12 GDPR), and the CCPA's "right to know" expects the same plain-language disclosure of categories collected, sources, purposes, and who you share with.
Step 2: Add a cookie consent banner. Because the GDPR treats consent as something you must be able to demonstrate (Article 7 GDPR), the safe approach for EU visitors is to block non-essential analytics and advertising scripts until the user takes a clear affirmative action to accept them — and to make declining just as easy as accepting.
Step 3: Provide a "Do Not Sell or Share My Personal Information" link. If you "sell" or "share" data as the CCPA defines those terms (which can include some ad-tech cookies), California residents must be able to opt out — so place this link where it is easy to find.
Step 4: Build a request-handling process. Both laws give people the right to access and delete their data, so set up a reliable channel (an email address or web form) to receive and verify these requests. The timelines differ: under the GDPR a controller must act on a request "without undue delay and in any event within one month of receipt of the request" (Article 12 GDPR), while the CCPA generally requires a response to a verifiable consumer request "within 45 days" (Cal. Civ. Code § 1798.130). Build your workflow around the shorter clock.
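As an added example that is not part of the original guide (and not LegalPolicyGen's code), the JavaScript below models the two behaviours Steps 2 and 4 describe: a consent gate that is opt-in under the GDPR and opt-out under the CCPA, and the request-response deadlines run on the shorter clock. The script categories, the consent-record shape and the date handling are assumptions.

```javascript
// Added example, not code from the original page or from LegalPolicyGen. The script
// categories and the consent-record shape are assumptions; "targeted-advertising"
// stands in for the ad-tech cookies the page says may count as a CCPA sale or share.
const NON_ESSENTIAL = ["analytics", "targeted-advertising"];

// Keep a record that lets the business demonstrate consent later (Article 7 GDPR).
function recordConsent(action, policyVersion, now = new Date()) {
  if (!["accept", "decline", "opt-out"].includes(action)) throw new Error("bad action: " + action);
  return { action, policyVersion, at: now.toISOString() };
}

// Script categories that may run. GDPR is opt-in: only essential scripts until an
// affirmative "accept" is on file. CCPA is opt-out: everything runs by default and an
// "opt-out" only stops the sale/sharing category.
function allowedCategories(regime, consent) {
  const action = consent ? consent.action : null;
  if (regime === "gdpr") return action === "accept" ? ["essential", ...NON_ESSENTIAL] : ["essential"];
  if (regime === "ccpa") return action === "opt-out" ? ["essential", "analytics"] : ["essential", ...NON_ESSENTIAL];
  throw new Error("unknown regime: " + regime);
}

// "Within one month of receipt" (Article 12 GDPR), clamped to the last day of the
// next month so a request received on the 31st does not spill a month further.
function addOneMonth(date) {
  const d = new Date(date), day = d.getUTCDate();
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() + 1);
  const lastDay = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(day, lastDay));
  return d;
}

// Deadline for acting on a verified access or deletion request under each regime.
function responseDeadline(regime, receivedAt) {
  const d = new Date(receivedAt);
  if (regime === "gdpr") return addOneMonth(d);
  if (regime === "ccpa") { d.setUTCDate(d.getUTCDate() + 45); return d; } // "within 45 days"
  throw new Error("unknown regime: " + regime);
}

// A combined workflow runs on the shorter of the two clocks.
function earliestDeadline(receivedAt) {
  const g = responseDeadline("gdpr", receivedAt), c = responseDeadline("ccpa", receivedAt);
  return g < c ? g : c;
}
```

Wire `allowedCategories` to whatever loads your tags so that a category not in the returned list is never injected into the page; the deadline helpers belong in the ticketing workflow that tracks each verified request.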
Generate Your Combined Policy Instantly
Why write this from scratch? LegalPolicyGen combines the GDPR's requirements with the CCPA's disclosure requirements into a single, cohesive document — automatically injecting the "Do Not Sell My Personal Information" clauses for your US visitors while retaining the data-processing legal basis expected in the EU.