
Comparison · Updated 2026

GDPR vs CCPA/CPRA

GDPR is the EU’s opt-in data-protection law — you need a lawful basis before processing personal data — while California’s CCPA/CPRA is an opt-out consumer-privacy law that lets people refuse the sale or sharing of their data. They are complementary, not interchangeable: a company serving both the EU and California usually has to comply with both at the same time. This page compares their scope, rights, obligations, and penalties side by side so you know exactly which rules apply to your business.

At a glance

Dimension        | GDPR (EU)                                               | CCPA/CPRA (California)
-----------------+---------------------------------------------------------+------------------------------------------------------------------
Full name        | General Data Protection Regulation (EU) 2016/679        | California Consumer Privacy Act, as amended by the CPRA
In force since   | 25 May 2018                                             | CCPA 1 Jan 2020; CPRA amendments 1 Jan 2023
Default model    | Opt-in: needs a lawful basis before processing          | Opt-out: consumer can refuse sale/sharing
Who it protects  | Data subjects in the EU/EEA                             | California consumers, employees and B2B contacts
Who must comply  | Any org processing EU/EEA personal data                 | For-profits meeting revenue/volume/share thresholds
Core rights      | Access, rectification, erasure, portability + 4 more    | Know, delete, correct, opt out of sale/share, limit sensitive data
Key obligation   | Records of Processing (RoPA) + DPIA where high-risk     | Privacy notice + "Do Not Sell or Share" link + honour GPC
Maximum penalty  | €20M or 4% of global annual turnover                    | $2,500 (unintentional) / $7,500 (intentional) per violation
Regulator        | National data-protection authorities (DPAs)             | California Privacy Protection Agency (CPPA) + AG

How they overlap

Both laws regulate the same underlying thing — personal data — but from opposite default positions. GDPR asks “do you have a lawful basis to process this?” before anything happens; CCPA/CPRA asks “have you given the consumer a clear way to opt out and exercise their rights?” after the fact. In practice, you build one data inventory and then layer both control sets on top:

  1. Map the data once. A single Record of Processing / data inventory serves both regimes — it now also covers California employee and B2B data since the CPRA exemptions expired.
  2. Establish a lawful basis (GDPR). Identify the lawful basis for each processing activity for EU/EEA data subjects.
  3. Add the opt-out (CCPA/CPRA). Publish a “Do Not Sell or Share My Personal Information” link and honour the Global Privacy Control browser signal.
  4. Unify rights handling. Build one workflow that answers GDPR access/erasure requests and CCPA know/delete/correct requests from the same queue.
  5. Keep evidence current. Maintain notices, RoPA, and opt-out logs so either regulator’s request can be answered fast.
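As an added example (not GeraCompliance's code and not from the original page), the opt-out step and the evidence step above can be checked server-side: the Global Privacy Control signal is the request header `Sec-GPC: 1`, and the record schema, the "signal beats stored preference" policy and the sample requests below are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class OptOutRecord:
    """Constructed evidence record for one opt-out decision (hypothetical schema)."""
    consumer_id: str
    opted_out: bool
    source: str        # "gpc-header", "stored-preference" or "none"
    observed_at: str   # UTC timestamp, kept so the opt-out log can be audited


def gpc_signal_present(headers: dict) -> bool:
    """True only when the request carries a valid Global Privacy Control signal.
    The GPC spec defines a single valid value, 'Sec-GPC: 1'; a missing header,
    '0' or 'true' is treated as no signal. Header names are matched case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def resolve_opt_out(headers: dict, consumer_id: str, stored_opt_out: bool) -> OptOutRecord:
    """Decide whether sale/sharing is allowed for this request and record why.
    Policy assumed here: a GPC signal is honoured as an opt-out even when the
    stored preference says otherwise; a stored opt-out alone also opts out."""
    now = datetime.now(timezone.utc).isoformat()
    if gpc_signal_present(headers):
        return OptOutRecord(consumer_id, True, "gpc-header", now)
    if stored_opt_out:
        return OptOutRecord(consumer_id, True, "stored-preference", now)
    return OptOutRecord(consumer_id, False, "none", now)


# Constructed sample requests: (headers, consumer id, stored opt-out preference)
SAMPLE_REQUESTS = [
    ({"Sec-GPC": "1", "User-Agent": "example"}, "c-001", False),
    ({"sec-gpc": "0"}, "c-002", False),
    ({}, "c-003", True),
    ({"Sec-GPC": "true"}, "c-004", False),
]

if __name__ == "__main__":
    for hdrs, cid, stored in SAMPLE_REQUESTS:
        rec = resolve_opt_out(hdrs, cid, stored)
        print(cid, "opted_out=%s" % rec.opted_out, "via", rec.source)
```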

Which applies to you?

  • You process EU/EEA personal data: GDPR applies, wherever you are based.
  • You meet a California threshold (over $25M revenue, 100,000+ CA consumers/households, or 50%+ revenue from selling/sharing data): CCPA/CPRA applies.
  • You serve customers in both regions (the common case for any global SaaS): both GDPR and CCPA/CPRA.

Not sure where you land? Use the free GeraCompliance classifier to qualify your obligations in minutes.

GDPR vs CCPA — frequently asked questions

What is the difference between GDPR and CCPA?
GDPR (Regulation (EU) 2016/679) is the EU’s comprehensive data-protection law: it requires a lawful basis before processing personal data and grants eight data-subject rights. CCPA — as amended by the CPRA (California Privacy Rights Act) — is California’s consumer-privacy law: it does not require a lawful basis up front but gives consumers the right to know, delete, correct, and opt out of the sale or sharing of their personal information. GDPR is opt-in by design; CCPA/CPRA is opt-out by design.
Do I need to comply with both GDPR and CCPA?
Often yes. If you process the personal data of people in the EU or EEA, GDPR applies regardless of where your company is based. If you do business in California and meet a CCPA threshold (over $25M annual revenue, or buying/selling/sharing the personal information of 100,000+ California consumers or households, or deriving 50%+ of revenue from selling/sharing personal information), CCPA/CPRA applies. A company serving customers in both regions typically must comply with both at once.
Does GDPR consent satisfy CCPA?
Not automatically. GDPR is built around obtaining a lawful basis (often consent) before processing, while CCPA/CPRA is built around giving consumers a clear way to opt out — for example a "Do Not Sell or Share My Personal Information" link and honouring the Global Privacy Control signal. A GDPR-compliant consent banner does not, on its own, deliver the CCPA opt-out mechanisms, so you need both controls.
Which has bigger penalties, GDPR or CCPA?
GDPR has the higher ceiling: up to €20 million or 4% of global annual turnover, whichever is higher. CCPA/CPRA penalties are per-violation — up to $2,500 per unintentional violation and $7,500 per intentional violation or violation involving a minor — enforced by the California Privacy Protection Agency, plus a limited private right of action for certain data breaches. GDPR’s turnover-based cap makes its maximum exposure far larger for big companies.
Does CCPA cover employee or business contact data like GDPR?
Now yes. Earlier CCPA exemptions for employee (HR) data and business-to-business contact data expired on 1 January 2023 under the CPRA, so California employee and B2B personal information is now in scope. GDPR has always covered employee and B2B personal data, so a single data-mapping exercise can serve both regimes.

Comply with both privacy regimes in one place

GeraCompliance maps GDPR and CCPA/CPRA against a single data inventory — document once, answer rights requests from one queue, stay audit-ready.

Privacy-law deadline alerts

GDPR, CCPA/CPRA and new US state privacy laws change fast. Get a short, no-spam update when a date, threshold or fine that affects you moves.
