GDPR vs CCPA: Side-by-Side Comparison for 2026
Last updated: 2026-04-05 — ComplianceStack Editorial Team
GDPR (EU) and CCPA/CPRA (California) are the two most significant data privacy laws affecting US companies. GDPR applies if you handle EU residents' data. CCPA applies if you do business in California above certain thresholds. Many companies must comply with both.
GDPR vs CCPA/CPRA: Side-by-Side
| Dimension | GDPR | CCPA/CPRA |
|---|---|---|
| Jurisdiction | EU and UK (global extraterritorial reach) | California, USA |
| Threshold | Processes EU personal data — no revenue threshold | $25M revenue, or 100K consumers, or 50% revenue from data sales |
| Consent required | Yes — explicit consent for most processing | Opt-out model (consumers can opt out of sale) |
| Consumer rights | Access, erasure, portability, restriction, objection | Know, delete, opt-out of sale/sharing, correct, limit sensitive data use |
| Data breach notification | 72 hours to supervisory authority | Expedient notice to California AG and consumers |
| Privacy policy | Required — must cover all processing purposes | Required — must include right to know and opt-out |
| Max penalty | 4% of global annual revenue or €20M | $7,500 per intentional violation; $100–$750 per consumer for breaches |
| Enforcement | National DPAs (strict in Germany, Ireland, France) | California AG + California Privacy Protection Agency |
| DPO required | Yes for large-scale processing | No formal DPO requirement |
| Data transfers | SCCs or adequacy decision needed | No specific international transfer mechanism |
Who Needs Both?
- Any US company with EU website visitors above de minimis thresholds
- SaaS companies with European subscribers
- E-commerce companies with California and EU customers
- Healthcare companies with both EU and California patients
Key Differences Summarized
GDPR uses an opt-in consent model — you need a legal basis to process data. CCPA uses an opt-out model — you can process unless the consumer objects. GDPR applies to companies of any size that process EU data. CCPA only applies above certain business thresholds.
Frequently Asked Questions
Do I need both GDPR and CCPA compliance?
If you have both EU visitors and do business in California above the CCPA thresholds, yes. Many compliance programs build a combined privacy framework that satisfies both simultaneously.
Which is stricter — GDPR or CCPA?
GDPR is generally stricter: it requires a legal basis for processing (not just an opt-out right), has a shorter breach notification window (72 hours), and imposes larger maximum penalties relative to revenue.
Does a Privacy Policy satisfy both?
A single Privacy Policy can address both, but it must include specific disclosures required by each law. CCPA requires a 'Do Not Sell' opt-out link. GDPR requires specific processing purposes and legal bases.