Last updated: mid-2026
Both protect personal data. Both have real penalties. But they work differently.
GDPR is a lawful-basis-driven framework where you need a legal justification for every processing activity; CCPA/CPRA is a notice-and-opt-out framework where you process data with proper disclosure and consumers can opt out of sale/sharing. Most tech companies with EU and US users need to comply with both.
Key takeaways
- GDPR requires a lawful basis for processing (consent is one of six options, not the default). CCPA operates on notice-and-opt-out.
- GDPR requires opt-in cookie consent before non-essential cookies fire. CCPA requires a “Do Not Sell or Share” link for businesses that sell or share personal information (including certain targeted advertising).
- GDPR fines: up to €20M or 4% of global turnover. CCPA: up to $7,500 per intentional violation, plus private right of action for data breaches.
- Most companies that comply with GDPR find CCPA relatively easy to add on top.
Quick comparison table
| Criterion | GDPR | CCPA/CPRA |
|---|---|---|
| Applies to | Companies processing EU/EEA individuals’ data | Businesses in California meeting revenue/data thresholds |
| Legal framework | Lawful basis required for each processing purpose | Notice-and-opt-out model |
| Cookie consent | Opt-in required before non-essential cookies | “Do Not Sell or Share” link for businesses that sell/share PI |
| DPO requirement | Required in specific circumstances | Not required (must designate privacy contact) |
| Maximum penalties | €20M or 4% of global turnover | $7,500 per intentional violation + private right of action |
| Scope of “personal data” | Any data identifying or capable of identifying a person | Data linkable to a consumer or household |
| Right to delete | Yes, with exceptions (30 days to comply) | Yes, with exceptions (45 days to comply) |
| Cross-border transfers | Requires transfer mechanisms (SCCs, adequacy, DPF) | No specific transfer restrictions |
When each law applies
GDPR applies if: You offer goods or services to people in the EU/EEA, or you monitor the behavior of people in the EU/EEA. It doesn’t matter where your company is based.
CCPA/CPRA applies if: You do business in California AND meet one of three thresholds: annual gross revenue over $26.6 million (inflation-adjusted), buy/sell/share personal information of 100K+ consumers or households, or derive 50%+ of revenue from selling/sharing personal information.
Key differences explained
Legal basis for processing: GDPR requires a defined lawful basis for each processing purpose (consent, contract, legitimate interest, legal obligation, vital interests, or public task). Consent is required in some contexts but is one of six options, not the default. CCPA operates on a notice-and-opt-out model: you process data with proper notice, and consumers have the right to opt out of sale/sharing and request deletion.
Consent and cookies: Under GDPR and the ePrivacy Directive, non-essential cookies require opt-in consent before they fire. Under CCPA, the primary requirement is a “Do Not Sell or Share My Personal Information” link and opt-out mechanism for businesses that sell or share personal information, which can include certain targeted advertising via cookies. Cookie consent requirements vary by US state.
Scope of “personal data”: GDPR covers any data that identifies or can identify a person. CCPA covers data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked” to a consumer or household. CCPA explicitly includes household-level data.
Right to delete: Both include it. GDPR allows exceptions (legal obligations, public interest). CCPA also allows exceptions (complete transactions, security, legal compliance).
Penalties: GDPR: up to €20M or 4% of global annual turnover. CCPA: up to $2,500 per unintentional violation, up to $7,500 per intentional violation (amounts may be adjusted), plus private right of action for data breaches.
DPO requirement: GDPR requires a DPO in certain circumstances (see Do I Need a DPO?). CCPA does not require a DPO but companies must designate a contact for privacy inquiries.
Other US state privacy laws
US State Privacy Laws as of 2026
Twenty US states now have comprehensive privacy laws in effect. Three new laws took effect on January 1, 2026: Indiana, Kentucky, and Rhode Island. All three largely mirror the Virginia template with rights of access, correction, deletion, portability, and opt-out of sale, targeted advertising, and profiling.
July 1, 2026 brings amendments to Connecticut, Arkansas, and Utah. August 1, 2026 expands California data broker registration requirements.
California remains the most active enforcement state. The CCPA Automated Decision-Making Technology regulations, cybersecurity audit requirements, and risk assessment obligations all became applicable in January 2026. The deletion platform created by the California Delete Act launched, and in July 2025 the California Attorney General imposed the largest CCPA settlement to date, $1.55 million, against an online health publisher.
Universal Opt-Out mechanism recognition is now required in California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, New Jersey, New Hampshire, Oregon, and Texas.
The frameworks are broadly similar to CCPA with some variations. Key differences include opt-in vs opt-out defaults, private right of action availability, and specific sector carve-outs. We cover all of them. See our Privacy Compliance Glossary for individual law definitions.
How to comply with both
Most tech companies that comply with GDPR find CCPA relatively easy to add on top. The main additional requirements for CCPA:
- “Do Not Sell or Share My Personal Information” link on your website (required for covered businesses that sell or share personal information)
- Opt-out mechanism for sale/sharing of personal data
- Updated privacy notice with CCPA-specific disclosures
- Process for handling CCPA-specific consumer requests
- Financial incentive disclosures if you offer loyalty programs
We handle both from a single retainer. Most companies that comply with GDPR can add CCPA compliance in 1-2 weeks of additional work.