GDPR vs CCPA: what tech companies actually need to know
Last updated: April 2026
Both protect personal data. Both have real penalties. But they work differently.
GDPR is a lawful-basis-driven framework where you need a legal justification for every processing activity; CCPA/CPRA is a notice-and-opt-out framework where you process data with proper disclosure and consumers can opt out of sale/sharing. Most tech companies with EU and US users need to comply with both.
Key takeaways
GDPR requires a lawful basis for processing (consent is one of six options, not the default). CCPA operates on notice-and-opt-out.
GDPR requires opt-in cookie consent before non-essential cookies fire. CCPA requires a "Do Not Sell or Share" link for businesses that sell or share personal information (including certain targeted advertising).
GDPR fines: up to €20M or 4% of global turnover. CCPA: up to $7,500 per intentional violation, plus private right of action for data breaches.
Most companies that comply with GDPR find CCPA relatively easy to add on top.
When each law applies
GDPR applies if: You offer goods or services to people in the EU/EEA, or you monitor the behavior of people in the EU/EEA. It doesn't matter where your company is based.
CCPA/CPRA applies if: You do business in California AND meet one of three thresholds: annual gross revenue over $25M, buy/sell/share personal information of 100K+ consumers or households, or derive 50%+ of revenue from selling/sharing personal information.
Key differences explained
Legal basis for processing: GDPR requires a defined lawful basis for each processing purpose (consent, contract, legitimate interest, legal obligation, vital interests, or public task). Consent is required in some contexts but is one of six options, not the default. CCPA operates on a notice-and-opt-out model: you process data with proper notice, and consumers have the right to opt out of sale/sharing and request deletion.
Consent and cookies: Under GDPR and the ePrivacy Directive, non-essential cookies require opt-in consent before they fire. Under CCPA, the primary requirement is a "Do Not Sell or Share My Personal Information" link and opt-out mechanism for businesses that sell or share personal information, which can include certain targeted advertising via cookies. Cookie consent requirements vary by US state.
Scope of "personal data": GDPR covers any data that identifies or can identify a person. CCPA covers data that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked" to a consumer or household. CCPA explicitly includes household-level data.
Right to delete: Both include it. GDPR allows exceptions (legal obligations, public interest). CCPA also allows exceptions (complete transactions, security, legal compliance).
Penalties: GDPR: up to €20M or 4% of global annual turnover. CCPA: up to $2,500 per unintentional violation, up to $7,500 per intentional violation (amounts may be adjusted), plus private right of action for data breaches.
DPO requirement: GDPR requires a DPO in certain circumstances (see Do I Need a DPO?). CCPA does not require a DPO but companies must designate a contact for privacy inquiries.
Other US state privacy laws
CCPA is not the only US state privacy law. Virginia, Colorado, Connecticut, Texas, Montana, Oregon, and several other states now have their own privacy laws. The frameworks are broadly similar to CCPA with some variations. Key differences include opt-in vs opt-out defaults, private right of action availability, and specific sector carve-outs. We cover all of them. See our Privacy Compliance Glossary for individual law definitions.
How to comply with both
Most tech companies that comply with GDPR find CCPA relatively easy to add on top. The main additional requirements for CCPA:
"Do Not Sell or Share My Personal Information" link on your website (required for covered businesses that sell or share personal information)
Opt-out mechanism for sale/sharing of personal data
Updated privacy notice with CCPA-specific disclosures
Process for handling CCPA-specific consumer requests
Financial incentive disclosures if you offer loyalty programs
We handle both from a single retainer. Most companies that comply with GDPR can add CCPA compliance in 1-2 weeks of additional work.
FAQ
Do I need to comply with both? If you have EU users and California users (or users in other US states with privacy laws), yes. Most tech companies with a global user base need to comply with both.
Which is stricter? It depends on the context. GDPR is generally considered stricter due to the lawful basis requirement, broader DPO obligations, and higher potential fines. But CCPA's private right of action for data breaches creates significant litigation risk that GDPR doesn't have.
What about other US state privacy laws? Virginia, Colorado, Connecticut, Texas, and several other states now have their own privacy laws. We cover all of them. The frameworks are broadly similar to CCPA with some variations.
Can one privacy policy cover both GDPR and CCPA? Yes, with proper structuring. Most companies use a single privacy policy with jurisdiction-specific sections. We help you build this.
Do I need a DPO for CCPA? No. CCPA does not require a DPO. But if you also process EU data, you may need a DPO under GDPR. Many companies appoint a DPO to cover both jurisdictions from a single engagement.
This page is general information, not legal advice. Exact obligations depend on your specific situation and jurisdictions.
Quick comparison table
| | GDPR | CCPA/CPRA |
|---|---|---|
| Applies to | Companies processing EU/EEA individuals' data | Businesses in California meeting revenue/data thresholds |
| Legal framework | Lawful basis required for each processing purpose | Notice-and-opt-out model |
| Cookie consent | Opt-in required before non-essential cookies | "Do Not Sell or Share" link for businesses that sell/share PI |
| DPO requirement | Required in specific circumstances | Not required (must designate privacy contact) |
| Maximum penalties | €20M or 4% of global turnover | $7,500 per intentional violation + private right of action |
| Scope of "personal data" | Any data identifying or capable of identifying a person | Data linkable to a consumer or household |
| Right to delete | Yes, with exceptions (30 days to comply) | Yes, with exceptions (45 days to comply) |
| Cross-border transfers | Requires transfer mechanisms (SCCs, adequacy, DPF) | No specific transfer restrictions |