GDPR vs CCPA/CPRA: How the World's Two Major Privacy Laws Compare — Scope, Rights, Penalties, and Compliance
The EU's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) are the two most influential privacy laws in the world. Together, they have reshaped how companies collect, process, store, and share personal data — and they have spawned a wave of similar legislation in other jurisdictions. For any company operating internationally or serving customers in both Europe and the United States, understanding the differences between these two laws is not optional; it is a business necessity.

GDPR took effect on May 25, 2018 and applies to any organization that processes personal data of individuals in the European Economic Area (EEA), regardless of where the organization is located. It is a consent-first regime: you generally need a lawful basis (often explicit consent) before processing personal data. Violations can result in fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher.

The CCPA took effect on January 1, 2020, and was significantly strengthened by the CPRA, which became operative on January 1, 2023 and introduced a dedicated enforcement agency (the California Privacy Protection Agency, or CPPA). CCPA/CPRA applies to for-profit businesses that meet specific revenue or data-processing thresholds and that collect personal information from California residents. Unlike GDPR, it follows an opt-out model: businesses can collect and use personal data by default, but must give consumers the right to opt out of the sale or sharing of their information.

Despite their different philosophical approaches, both laws grant individuals significant rights over their personal data, and many companies — particularly those with global operations — must comply with both simultaneously.
Scope & Applicability
GDPR applies to all organizations — regardless of size, location, or revenue — that process personal data of individuals located in the EEA. This includes EU-based companies, but also any company worldwide that offers goods or services to EEA residents or monitors their behavior. There is no revenue threshold or minimum data volume; a one-person startup processing EU customer data is subject to GDPR. The regulation covers all sectors: commercial, nonprofit, government, and everything in between.

CCPA/CPRA applies only to for-profit businesses that meet at least one of three thresholds: (1) annual gross revenue exceeding $25 million, (2) annually buying, selling, or sharing the personal information of 100,000 or more California residents, households, or devices, or (3) deriving 50% or more of annual revenue from selling or sharing California residents' personal information. Nonprofits and government entities are exempt. This threshold-based approach means many small and medium businesses are not subject to CCPA/CPRA, even if they have California customers.

GDPR is significantly broader in applicability. A European freelancer with a mailing list of 50 EU contacts must comply with GDPR. A US company with $20 million in revenue and 80,000 California customer records is exempt from CCPA/CPRA. Companies operating globally should assume GDPR compliance is required if they have any EU-facing operations, and assess CCPA/CPRA applicability based on the specific thresholds.
Definition of Personal Data
GDPR defines 'personal data' broadly as any information relating to an identified or identifiable natural person (the 'data subject'). This includes names, email addresses, IP addresses, location data, cookies, genetic data, biometric data, health information, and any other data that can directly or indirectly identify an individual. GDPR also defines special categories of data — racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation — which receive heightened protection under Article 9.

CCPA/CPRA defines 'personal information' as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This is similarly broad and includes names, addresses, IP addresses, browsing history, purchasing history, biometric information, geolocation data, and inferences drawn from any of this information. CPRA introduced the concept of 'sensitive personal information' — which includes Social Security numbers, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, health data, sex life data, and biometric data — giving consumers additional rights to limit its use.

Both definitions are expansive, but GDPR's 'identifiable natural person' standard and CCPA/CPRA's 'household' extension create different coverage edges. Notably, CCPA/CPRA explicitly covers household-level data, while GDPR focuses strictly on individuals.
Consent & Opt-Out Models
This is the most fundamental philosophical difference between the two laws. GDPR operates on an opt-in basis. Before processing personal data, organizations must establish a lawful basis under Article 6 — typically one of: consent, contractual necessity, legal obligation, vital interests, public task, or legitimate interests. When consent is the basis, it must be freely given, specific, informed, and unambiguous. For special categories of data, explicit consent is generally required. Pre-ticked boxes, bundled consent, or silence do not constitute valid consent under GDPR. Consent must be as easy to withdraw as it is to give.

CCPA/CPRA operates on an opt-out basis. Businesses can collect and use personal information without prior consent, as long as they provide notice at or before the point of collection (via a privacy policy and a 'notice at collection'). Consumers then have the right to opt out of the sale or sharing of their personal information, exercised through a 'Do Not Sell or Share My Personal Information' link. However, CPRA introduced opt-in requirements for sensitive personal information: consumers can direct businesses to limit the use of their sensitive personal information to what is necessary for the service.

For minors, both laws require affirmative consent: GDPR requires parental consent for children under 16 (member states can lower this to 13), and CCPA/CPRA requires opt-in consent for consumers under 16 (parental consent for those under 13).
Individual Rights
GDPR grants data subjects eight core rights: the right to be informed (Articles 13-14), right of access (Article 15), right to rectification (Article 16), right to erasure or 'right to be forgotten' (Article 17), right to restriction of processing (Article 18), right to data portability (Article 20), right to object (Article 21), and rights related to automated decision-making and profiling (Article 22). Organizations must respond to rights requests within one month, extendable by two months for complex requests.

CCPA/CPRA grants consumers similar but not identical rights: the right to know what personal information is collected, the right to delete personal information, the right to opt out of sale/sharing, the right to non-discrimination for exercising rights, and (added by CPRA) the right to correct inaccurate information, the right to limit use of sensitive personal information, and the right to data portability. Businesses must respond to requests within 45 days, extendable by an additional 45 days.

Key differences: GDPR's right to object to processing (including for direct marketing) and rights around automated decision-making have no direct CCPA/CPRA equivalent. CCPA/CPRA's right to opt out of 'sharing' (cross-context behavioral advertising) addresses a specific commercial practice that GDPR handles through its broader consent requirements. Both laws prohibit retaliation or discrimination against individuals who exercise their rights.
Enforcement & Penalties
GDPR enforcement is handled by Data Protection Authorities (DPAs) in each EU/EEA member state, coordinated through the European Data Protection Board (EDPB). Maximum fines are severe: up to EUR 20 million or 4% of global annual turnover (whichever is higher) for the most serious violations such as unlawful processing or violating core data subject rights. Lower-tier violations carry fines of up to EUR 10 million or 2% of turnover. DPAs have actively imposed significant fines — Meta was fined EUR 1.2 billion in 2023 for unlawful data transfers, Amazon received a EUR 746 million fine in 2021, and hundreds of smaller fines have been issued across industries. GDPR has no private right of action for statutory damages, but individuals can seek compensation for material or non-material damage.

CCPA/CPRA enforcement was initially handled by the California Attorney General but is now primarily under the California Privacy Protection Agency (CPPA), which became fully operational in 2024. The CPPA can impose administrative fines of up to $2,500 per unintentional violation and $7,500 per intentional violation — applied per affected consumer, which can aggregate to substantial amounts. CCPA also includes a private right of action specifically for data breaches involving certain categories of unencrypted personal information, with statutory damages of $100-$750 per consumer per incident. Class action lawsuits under this provision have resulted in significant settlements.

While GDPR fines are larger in absolute terms, CCPA/CPRA's per-violation calculation and private right of action create substantial financial risk, particularly for companies handling large volumes of California consumer data.
Compliance Requirements for Businesses
GDPR compliance requires organizations to implement comprehensive data protection practices: conducting Data Protection Impact Assessments (DPIAs) for high-risk processing, appointing a Data Protection Officer (DPO) when required (for public authorities, large-scale systematic monitoring, or large-scale processing of special categories), maintaining Records of Processing Activities (RoPAs), implementing data protection by design and by default, establishing lawful data transfer mechanisms for cross-border transfers (Standard Contractual Clauses, adequacy decisions, or Binding Corporate Rules), and reporting data breaches to supervisory authorities within 72 hours.

CCPA/CPRA compliance requires businesses to provide specific privacy notices (including a 'notice at collection' and a comprehensive privacy policy), implement mechanisms for consumers to exercise their rights (including 'Do Not Sell or Share' links and request submission methods), conduct cybersecurity audits for businesses whose processing presents significant risk (a CPRA requirement still being detailed in regulations), perform risk assessments for processing that presents significant risk to consumers' privacy, establish contractual requirements with service providers and contractors, and train employees who handle consumer inquiries about CCPA rights.

Companies subject to both laws should build a unified privacy program that satisfies the stricter requirement in each area — typically GDPR sets the higher bar. AuditFront supports GDPR compliance assessments that help you understand where your privacy practices stand and identify gaps before they become regulatory risks.
The verdict
GDPR and CCPA/CPRA share the same fundamental goal — protecting individuals' privacy rights — but differ meaningfully in philosophy, scope, and mechanism. GDPR is broader (no revenue thresholds), stricter (opt-in consent), and carries larger maximum fines (up to 4% of global turnover). CCPA/CPRA is narrower in applicability (revenue and data-volume thresholds) but introduces a powerful private right of action for data breaches and per-violation penalty calculations that can create substantial aggregate liability.

For companies that operate in both the EU and California — which includes most global technology companies, SaaS businesses, and e-commerce platforms — the practical approach is to build a privacy program that meets GDPR requirements and then layer in CCPA/CPRA-specific obligations. Since GDPR is generally the stricter standard, a GDPR-compliant program will satisfy most CCPA/CPRA requirements, with additions needed for California-specific elements like the 'Do Not Sell or Share' mechanism, sensitive personal information disclosures, and financial incentive notices.

The privacy regulatory landscape continues to evolve rapidly. Multiple US states have enacted their own privacy laws (Virginia, Colorado, Connecticut, Texas, Oregon, and others), many modeled on CCPA/CPRA or GDPR principles. Building a flexible, principles-based privacy program — rather than checking boxes against a single law — is the most sustainable long-term strategy. AuditFront's GDPR assessment helps you evaluate your privacy posture against the most demanding standard, giving you a strong foundation for compliance across jurisdictions.
Frequently Asked Questions
Do I need to comply with both GDPR and CCPA/CPRA?
Which law is stricter, GDPR or CCPA/CPRA?
Does CCPA/CPRA apply outside California?
What did the CPRA change about the original CCPA?