Two Laws, Two Continents, One Goal

The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) represent the two most influential personal data protection laws in the world. While both aim to give individuals more control over their data, they differ significantly in scope, requirements, and enforcement. Understanding these differences is essential for any organization operating internationally.

At a Glance: Key Differences

Feature                   GDPR (EU)                          CCPA/CPRA (California)
Effective date            May 2018                           January 2020 (CPRA: January 2023)
Jurisdiction              EU/EEA residents (global reach)    California residents
Legal basis required?     Yes (6 lawful bases)               No (opt-out model)
Consent model             Opt-in (in most cases)             Opt-out
Right to erasure          Yes                                Yes (with exceptions)
Data portability          Yes                                Yes
Private right of action   Limited                            Yes (for data breaches)
Max penalty               €20M or 4% of global turnover      $7,500 per intentional violation

Who Must Comply?

GDPR

GDPR applies to any organization — regardless of location — that processes personal data of EU or EEA residents. This means a US company serving European customers is fully subject to GDPR. The regulation applies to both controllers (who determine the purpose of processing) and processors (who process data on behalf of controllers).

CCPA/CPRA

The CCPA (as amended by the California Privacy Rights Act) applies to for-profit businesses that do business in California and meet at least one threshold: annual gross revenue exceeding a specified amount, deriving significant revenue from selling personal information, or processing large volumes of consumer data. Nonprofits and government entities are generally exempt.

Key Rights Granted to Individuals

Both laws grant meaningful rights to individuals, with some variation:

  • Right to know/access: Both laws allow individuals to request what personal data is held about them.
  • Right to deletion: Both allow individuals to request deletion, with some exceptions (legal obligations, security purposes, etc.).
  • Right to portability: Both require data to be provided in a usable format.
  • Right to opt out of sale (CCPA): California residents can opt out of the "sale" of their data — a right that has no direct GDPR equivalent (though GDPR's consent requirements serve a similar purpose).
  • Right not to be discriminated against (CCPA): Businesses cannot deny service or charge more to users who exercise their privacy rights.

Practical Compliance Overlap

Despite their differences, GDPR and CCPA share a significant compliance foundation. Organizations that invest in:

  1. Comprehensive data mapping and inventories
  2. Clear privacy notices and consent mechanisms
  3. Processes for handling data subject/consumer requests
  4. Vendor/processor contracts with privacy clauses
  5. Data breach response plans

...will be well-positioned to satisfy both regulations simultaneously. Many compliance professionals adopt a "highest common denominator" approach — building to GDPR standards, which typically satisfies CCPA requirements as well.

Bottom Line

GDPR is broader in scope and generally more demanding in its requirements, especially around legal basis and consent. CCPA/CPRA is more targeted but introduces unique obligations around the sale of data and consumer-facing disclosures. If your organization handles data from both EU residents and California consumers, you'll need to satisfy both — but the good news is that a strong privacy program can address both frameworks efficiently.