GDPR vs CCPA — Key Differences and What Your Business Needs
The Core Philosophical Difference
GDPR and CCPA both protect personal data, but they are built on fundamentally different philosophies. Understanding this difference helps you comply with both without losing your mind:
GDPR (EU): Opt-in model. All processing of personal data is prohibited unless you have a lawful basis (consent, contract, legitimate interest, etc.). The default state is 'no processing allowed.'
CCPA/CPRA (California): Opt-out model. Businesses can collect and use personal information by default, but consumers have the right to opt out of the sale or sharing of their data. The default state is 'processing allowed until the consumer says stop.'
This single difference cascades into almost every aspect of compliance. Under GDPR, you need consent before setting a marketing cookie. Under CCPA, you can set the cookie but must provide a 'Do Not Sell/Share My Personal Information' link.
Who Must Comply: Territorial Scope Compared
GDPR applies if:
- Your business is established in the EU, regardless of where data is processed, OR
- You offer goods or services to people in the EU (even if your business is outside the EU), OR
- You monitor the behavior of people in the EU (e.g., tracking EU visitors on your website)
There is no revenue or size threshold — a one-person blog with EU visitors can be in scope.
CCPA/CPRA applies if your business:
- Operates for profit, AND
- Collects personal information of California residents, AND
- Meets at least one of these: annual gross revenue over $25 million; buys, sells, or shares personal information of 100,000+ consumers/households; derives 50%+ of annual revenue from selling/sharing personal information
Key difference: CCPA has revenue and volume thresholds; GDPR does not. A small European freelancer must comply with GDPR. The same freelancer likely falls below CCPA thresholds unless they handle data at significant scale.
Consent Models: Opt-In vs. Opt-Out in Practice
This is where day-to-day implementation differs most:
GDPR — Prior consent required:
- Before setting analytics or marketing cookies, you must obtain explicit opt-in consent
- Before sending marketing emails, you need specific consent (or a legitimate interest justification in some B2B contexts)
- Before sharing data with a third party, you need either consent or another lawful basis
- Consent must be granular — 'accept all' as the only option is insufficient
CCPA — Right to opt out after the fact:
- You can collect data without prior consent (for most categories)
- You must provide a clear 'Do Not Sell or Share My Personal Information' link on your website
- Consumers who opt out must be respected — you cannot sell/share their data going forward
- For sensitive personal information (health, precise geolocation, financial data), CPRA introduced opt-in consent requirements — moving closer to GDPR
Practical implication: If you comply with GDPR's opt-in model, you are largely compliant with CCPA's opt-out requirements as well. The reverse is not true — CCPA compliance does not make you GDPR-compliant.
Data Subject Rights: Side-by-Side Comparison
Both regulations grant individuals rights over their data, but the specifics differ:
- Right to access: Both GDPR and CCPA allow individuals to request a copy of their personal data. GDPR requires response within 30 days; CCPA allows 45 days.
- Right to deletion: Both include this right. GDPR calls it the 'right to erasure' and includes broader grounds. CCPA's right to delete has more business exceptions (e.g., completing a transaction, detecting security incidents).
- Right to portability: GDPR includes a specific right to receive data in a machine-readable format. CCPA requires disclosure but does not mandate portability in the same way.
- Right to rectification: GDPR includes an explicit right to correct inaccurate data. CPRA (California's 2023 amendment) added this right, which was missing from the original CCPA.
- Right to object to processing: GDPR allows individuals to object to processing based on legitimate interest. CCPA does not have an equivalent — it focuses on the right to opt out of sale/sharing.
- Right not to be discriminated against: CCPA explicitly prohibits discriminating against consumers who exercise their rights (e.g., charging higher prices). GDPR achieves similar protection through general principles but is less explicit.
Penalties and Enforcement Compared
GDPR penalties:
- Up to EUR 20 million or 4% of global annual turnover, whichever is higher
- Enforced by national Data Protection Authorities (DPAs) in each EU member state
- No private right of action under GDPR itself (though some member states allow it)
- Over EUR 4.5 billion in cumulative fines issued since 2018
CCPA/CPRA penalties:
- Civil penalties: up to $2,500 per unintentional violation, $7,500 per intentional violation
- Enforced by the California Attorney General and the California Privacy Protection Agency (CPPA)
- Private right of action for data breaches: consumers can sue for $100-$750 per consumer per incident (this is unique to CCPA and creates class action risk)
- The per-violation structure means penalties scale rapidly with the number of affected consumers
Practical risk: For small businesses, GDPR fines are more likely (lower thresholds, more active enforcement). CCPA class action lawsuits are less likely but potentially more expensive for businesses handling large consumer datasets.
Complying with Both: A Practical Approach
If your website serves both EU and California visitors, you need to comply with both regulations. The good news: building on GDPR compliance makes CCPA compliance relatively straightforward.
- Implement GDPR-style consent first: An opt-in cookie consent banner with proper script blocking satisfies GDPR and exceeds CCPA's opt-out requirements.
- Add CCPA-specific elements: Include a 'Do Not Sell or Share My Personal Information' link in your website footer (required by CCPA). Your cookie consent preferences panel can serve this function if properly configured.
- Update your privacy policy: Include both GDPR-required disclosures and CCPA-required disclosures (categories of information collected in the past 12 months, categories of sources, business purpose for collection).
- Handle requests from both jurisdictions: Unify your data request process to handle both GDPR and CCPA requests through a single workflow.
Clym supports multi-regulation compliance from a single implementation — it detects the visitor's location and serves the appropriate consent mechanism (GDPR opt-in for EU visitors, CCPA opt-out for California visitors).
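The location-aware consent gate described above, as an added illustration (this is not Clym's code or any other vendor's). It assumes the visitor's region has already been resolved by some geolocation step and is passed in as a plain object, that the list of third-party tags and the consent category each one needs is a constructed placeholder, and that visitors outside both the EU and California get the GDPR-style opt-in default as the conservative choice. It shows the cascade from the core difference: under GDPR every category starts denied until the visitor opts in, under CCPA sale/sharing starts allowed until the visitor uses the 'Do Not Sell or Share' link, and sensitive data starts denied under both, matching the CPRA opt-in rule for sensitive personal information. Tags are only loaded once the resulting state permits them, which is the "proper script blocking" the practical approach relies on.

```javascript
// Added example, not Clym's code: a minimal consent gate that picks the
// regime from the visitor's region, applies that regime's default state,
// updates it from the visitor's choice, and loads only the third-party
// tags the resulting state allows.

// EU member states (ISO 3166-1 alpha-2). Constructed for this example.
const EU_COUNTRIES = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR',
  'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK',
  'SI', 'ES', 'SE',
]);

// The region object is assumed to come from an upstream geolocation step.
function regimeFor(region) {
  if (EU_COUNTRIES.has(region.country)) return 'GDPR';
  if (region.country === 'US' && region.state === 'CA') return 'CCPA';
  return 'OTHER';
}

// Consent state before the visitor has interacted with anything.
// GDPR: nothing is allowed until opted in.
// CCPA: sale/sharing is allowed until opted out; sensitive data needs opt-in.
// OTHER: design choice here is to fall back to the stricter GDPR default.
function defaultConsent(regime) {
  if (regime === 'CCPA') {
    return { analytics: true, marketing: true, sellShare: true, sensitive: false };
  }
  return { analytics: false, marketing: false, sellShare: false, sensitive: false };
}

// Applies the visitor's choice from the banner or preferences panel.
// GDPR banner: granular opt-ins per category ('accept all' alone is not enough).
// CCPA panel: the only inputs are the opt-out of sale/sharing and an
// explicit opt-in for sensitive data.
function applyChoice(regime, state, choice) {
  if (regime === 'CCPA') {
    const next = { ...state };
    if (choice.doNotSellOrShare) {
      next.marketing = false;
      next.sellShare = false;
    }
    if (choice.sensitiveOptIn) next.sensitive = true;
    return next;
  }
  // GDPR and OTHER: every category must be affirmatively opted in.
  return {
    analytics: Boolean(choice.analytics),
    marketing: Boolean(choice.marketing),
    sellShare: Boolean(choice.marketing),
    sensitive: Boolean(choice.sensitive),
  };
}

// Third-party tags and the consent category each one needs. Constructed
// placeholders; whether a real vendor counts as a "sale or share" is a
// classification made outside this code.
const TAGS = [
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];

// Returns the script URLs the current state permits, in TAGS order.
function loadableTags(state) {
  return TAGS.filter((t) => state[t.category]).map((t) => t.src);
}

// In a browser, injects the permitted scripts; without a DOM it only
// reports them, so the gating logic can be exercised server-side or in tests.
function mountTags(state, doc = globalThis.document) {
  const srcs = loadableTags(state);
  if (!doc) return srcs;
  for (const src of srcs) {
    const el = doc.createElement('script');
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
  }
  return srcs;
}

// Usage: resolve the regime once per visit, mount nothing until the
// default state allows it, then re-run mountTags after each choice.
const visitor = { country: 'US', state: 'CA' }; // constructed sample
const regime = regimeFor(visitor);
let consent = defaultConsent(regime);
mountTags(consent);
consent = applyChoice(regime, consent, { doNotSellOrShare: true });
```

Note that a page which already ships the GDPR branch can add California support by adding only the CCPA branch of applyChoice and the footer link that drives it; the tag-blocking mechanism stays the same, which is the sense in which GDPR compliance carries most of the CCPA work.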
Handle GDPR and CCPA compliance with Clym
Fastest path
Need one tool for consent, privacy policy, and DSAR handling?
Clym is the strongest fit when you want to get compliant without stitching together three separate tools.
- Best for small teams that need GDPR basics covered quickly
- One implementation instead of separate banner + policy + request workflow
- Useful when you want a practical setup, not an enterprise project
Frequently Asked Questions
Do small businesses really need to comply with GDPR?
Yes. GDPR applies to any business that processes personal data of EU residents, regardless of business size. Fines have been issued to companies with as few as 1-10 employees.
What's the fastest way to make my website GDPR compliant?
The fastest approach is using an all-in-one compliance tool like Clym that handles cookie consent, privacy policy, and data requests in a single integration.
How much do GDPR fines cost for small businesses?
Fines can reach up to 4% of annual turnover or 20 million euros, whichever is higher. In practice, small business fines typically range from 5,000 to 100,000 euros.