GDPR vs CCPA: Side-by-Side Comparison for 2026

GDPR (EU) and CCPA/CPRA (California) are the two most significant data privacy laws affecting US companies. GDPR applies if you handle EU residents' data. CCPA applies if you do business in California above certain thresholds. Many companies must comply with both.

| Dimension | GDPR | CCPA/CPRA |
|---|---|---|
| Jurisdiction | EU and UK (global extraterritorial reach) | California, USA |
| Threshold | Processes EU personal data — no revenue threshold | $25M revenue, or 100K consumers, or 50% revenue from data sales |
| Consent required | Yes — explicit consent for most processing | Opt-out model (consumers can opt out of sale) |
| Consumer rights | Access, erasure, portability, restriction, objection | Know, delete, opt-out of sale/sharing, correct, limit sensitive data use |
| Data breach notification | 72 hours to supervisory authority | Expedient notice to California AG and consumers |
| Privacy policy | Required — must cover all processing purposes | Required — must include right to know and opt-out |
| Max penalty | 4% of global annual revenue or €20M | $7,500 per intentional violation; $100–$750 per consumer for breaches |
| Enforcement | National DPAs (strict in Germany, Ireland, France) | California AG + California Privacy Protection Agency |
| DPO required | Yes for large-scale processing | No formal DPO requirement |
| Data transfers | SCCs or adequacy decision needed | No specific international transfer mechanism |

Key Differences

Who Must Comply with Both

Common Questions

Do I need both GDPR and CCPA compliance?

Yes, if you have EU visitors and meet any CCPA threshold: (1) annual gross revenue over $26.625M, (2) buy/sell/share personal data of 100,000+ California consumers annually, or (3) derive 50%+ of revenue from selling personal data (Cal. Civ. Code §1798.140(d)). Many companies build a combined privacy framework — GDPR's stricter consent and rights requirements typically satisfy CCPA requirements simultaneously, making dual compliance more efficient than managing two separate programs.

Which is stricter — GDPR or CCPA?

GDPR is generally stricter: it requires a legal basis for processing (not just an opt-out right), has a shorter breach notification window (72 hours), and imposes larger maximum penalties relative to revenue.

Does a Privacy Policy satisfy both?

A single Privacy Policy can address both, but it must include specific disclosures required by each law. CCPA requires a 'Do Not Sell' opt-out link. GDPR requires specific processing purposes and legal bases.
