GDPR Compliance in California: GDPR + CCPA/CPRA Dual Compliance
California is the only US state with a privacy law — the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) — that closely mirrors the GDPR's structure and principles. California businesses serving EU residents must comply with GDPR, and if they also process California consumer data above CPRA thresholds, they face the most stringent dual-privacy-law compliance requirement of any US state. The California Privacy Protection Agency (CPPA) enforces CPRA independently of any federal authority.
CPPA enforces CPRA (California's comprehensive privacy law); the CA AG enforces CCPA provisions and can bring civil actions; both operate independently of GDPR enforcement.
State Penalties: CPRA civil penalties: $2,500 per unintentional violation, $7,500 per intentional violation or violations involving minors. CA AG can also pursue civil penalties. Private right of action for security breaches: $100–$750 per consumer per incident.
Federal Penalties: GDPR: up to €20M or 4% of global annual turnover for most serious violations (whichever is higher); up to €10M or 2% for lesser violations
How Federal + California Law Overlap
GDPR applies to California businesses that offer goods or services to EU residents or monitor their behavior. CPRA applies to California businesses meeting threshold requirements (100K+ consumers annually, or 25K+ if selling data). The two laws overlap significantly in structure but differ in key details — GDPR has a broader territorial scope; CPRA has California-specific consumer rights and opt-out requirements.
Additional California Requirements Beyond Federal Law
- CPRA (effective January 2023) creates California-specific rights: right to opt out of sale/sharing, right to limit sensitive personal information use, right to correct, right to know
- California Privacy Protection Agency began enforcement in July 2023 — first US state with a dedicated privacy enforcement agency
- CPRA sensitive personal information categories (SSN, financial data, health data, biometrics, racial origin) largely overlap with GDPR special categories
- California data breach notification law (Cal. Civ. Code §1798.82) requires notification within 45 days (stricter than GDPR's 72-hour supervisory authority notification)
- CPRA right to opt out of 'sharing' for cross-context behavioral advertising — GDPR handles this through consent/legitimate interests
- CPRA requires data minimization and purpose limitation — the same principles as GDPR Articles 5(1)(b) and (c)
Key Compliance Requirements for California
- If EU data is processed: appoint EU representative if no EU establishment (GDPR Art. 27); maintain ROPA (Records of Processing Activities)
- If California thresholds met: publish CPRA-compliant Privacy Policy; implement opt-out mechanisms including Global Privacy Control (GPC) response
- Data Processing Agreements (DPAs) required for GDPR processors; CPRA service provider contracts required for CA service providers
- Data subject rights response system: GDPR requires response within 30 days; CPRA allows 45 days with extension
- Data breach notification: GDPR requires 72-hour supervisory authority notification; California requires 45-day consumer notification
- CPRA sensitive data and GDPR special categories both require heightened protections — a combined sensitive data policy satisfies both
Common Violations in California
- Failure to honor Global Privacy Control (GPC) opt-out signals — a CA AG enforcement priority
- Sharing data with ad-tech vendors without GDPR-compliant consent or CPRA opt-out mechanism
- Missing or inadequate privacy policies that fail to disclose both GDPR and CPRA required elements
- Inadequate data processing agreements with vendors — GDPR requires specific contractual terms
- Failure to appoint an EU representative for US-only companies processing EU resident data
Recent GDPR Enforcement in California
Frequently Asked Questions
Do California businesses need to comply with both GDPR and CPRA?
Potentially yes. GDPR applies if your California business offers goods or services to EU residents or monitors EU resident behavior. CPRA applies if you process personal information of 100,000+ California consumers annually (or 25,000+ if you sell data). Many California tech and e-commerce companies exceed both thresholds and must comply with both simultaneously.
How does CCPA/CPRA compare to GDPR?
CPRA and GDPR share the same core principles (data minimization, purpose limitation, data subject rights) but differ in approach. GDPR requires opt-in consent for many processing activities; CPRA uses an opt-out model. GDPR covers any EU resident data globally; CPRA covers California resident data. GDPR fines are higher (up to 4% of global revenue); CPRA imposes up to $7,500 per intentional violation.
What is the California Privacy Protection Agency?
The California Privacy Protection Agency (CPPA) is the first US state agency dedicated exclusively to data privacy enforcement. Created by CPRA (2020), it began enforcement in July 2023. CPPA has rulemaking authority, investigative powers, and can impose civil penalties up to $7,500 per intentional violation. It operates independently of the California AG.
What is the Global Privacy Control (GPC) and do I need to honor it in California?
The Global Privacy Control (GPC) is a browser signal that tells websites the user opts out of the sale or sharing of their personal information. California law requires businesses subject to CPRA to recognize and honor GPC signals. Sephora's $1.2M settlement (2022) was partly based on failure to honor GPC. Any California business subject to CPRA must implement GPC recognition.
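The following is an added example, not code from this page or from any business it describes, showing the server-side check a website needs in order to honor GPC: browsers that support GPC send the request header `Sec-GPC: 1`, and the site should treat that request as an opt-out of sale/sharing. The function names and the in-memory profile dict are assumptions made for the example.

```python
# Added example: recognizing and honoring the Global Privacy Control (GPC) signal.
# Supporting browsers send the request header "Sec-GPC: 1"; a business subject to
# CPRA must treat that as a valid opt-out of sale/sharing for the requesting user.
from typing import Mapping


def gpc_opted_out(headers: Mapping[str, str]) -> bool:
    """Return True when the request carries a valid GPC opt-out signal.

    The GPC specification defines exactly one valid value, "1". Any other value
    ("0", empty, garbage) or a missing header is NOT an opt-out. Header names are
    compared case-insensitively because HTTP header names are case-insensitive.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def sharing_allowed(headers: Mapping[str, str], opted_out_on_record: bool) -> bool:
    """Decide whether cross-context sharing (e.g. firing ad-tech pixels) may occur.

    Sharing is blocked if EITHER the stored preference from an explicit
    "Do Not Sell or Share" choice OR the live GPC signal indicates an opt-out.
    A GPC signal never re-enables sharing for a user who already opted out.
    """
    return not (opted_out_on_record or gpc_opted_out(headers))


def record_gpc_preference(headers: Mapping[str, str], profile: dict) -> dict:
    """For an authenticated user, persist the GPC opt-out to their profile.

    Persisting it means the opt-out survives across sessions and devices, which
    is what a user would expect after the site has seen the signal once.
    The profile dict is a constructed stand-in for real account storage.
    """
    if gpc_opted_out(headers):
        return {**profile, "opted_out_of_sale_or_sharing": True, "opt_out_source": "gpc"}
    return profile


if __name__ == "__main__":
    # Constructed sample requests: one from a GPC-enabled browser, one without.
    gpc_request = {"User-Agent": "ExampleBrowser/1.0", "Sec-GPC": "1"}
    plain_request = {"User-Agent": "ExampleBrowser/1.0"}
    print("GPC request may share:", sharing_allowed(gpc_request, False))    # False
    print("Plain request may share:", sharing_allowed(plain_request, False))  # True
    print(record_gpc_preference(gpc_request, {"user_id": "u-123"}))
```

The decision to withhold sharing must be made before any third-party tag or server-side data transfer fires, so the check belongs at the request-handling layer rather than in client-side JavaScript alone.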
What is the data breach notification timeline difference between GDPR and California law?
GDPR requires notification to the supervisory authority within 72 hours of discovering a breach (when required). California's breach notification law requires notification to affected consumers 'in the most expedient time possible' but has a maximum 45-day window. For California businesses also subject to GDPR, both timelines apply — the 72-hour supervisory authority notification is typically the faster of the two.