26 May 2026
gdprccpacomparisonGDPR vs CCPA: What's Actually Different (A Builder's Comparison)
GDPR asks permission first; CCPA asks forgiveness with an opt-out. Here is how the two models differ on consent, rights, fines, and engineering work — and how to comply with both at once.
If you serve both European and American users, you’re complying with two philosophically opposite laws. GDPR is a permission system: processing is forbidden until you have a legal basis. CCPA is a transparency system: processing is allowed until the consumer objects. Almost every practical difference flows from that inversion.
The one-table version
| Dimension | GDPR (EU) | CCPA/CPRA (California) |
|---|---|---|
| Model | Opt-in — legal basis required first | Opt-out — allowed until consumer objects |
| Applies to | Anyone processing EU residents’ data | Businesses over thresholds ($25M revenue / 100k consumers) |
| Cookie banner | Required for non-essential cookies | Not required — but GPC signal must be honored |
| Sensitive data | Opt-in consent (Art. 9) | “Limit use” link |
| DPO | Required above thresholds | Never required |
| Breach deadline | 72 hours to regulator | ”Without unreasonable delay” to individuals |
| Max penalty | €20M or 4% of global revenue | $2,500–$7,500 per violation, uncapped in aggregate |
| Individuals can sue | Rarely (via member-state law) | Yes, for breaches — $100–$750 per person |
| Response timer | 30 days | 45 days |
Full country detail: EU jurisdictions · California entry.
Where the models actually bite
Consent vs. “Do Not Sell”. Under GDPR you can’t fire a marketing pixel until the user opts in. Under CCPA you can — but the moment that pixel “shares” data for cross-context advertising (it does), you must offer a Do Not Sell or Share link and honor the Global Privacy Control browser signal automatically. Sephora paid $1.2M for ignoring GPC. Different mechanism, same pixel.
Scope. GDPR covers every entity touching EU personal data, from a solo developer’s newsletter up. CCPA has thresholds — many startups are simply not covered until they hit 100k California consumers or $25M revenue. But note the trap: free users count toward the consumer threshold, and web traffic counts as consumers.
Sensitive data. GDPR’s Article 9 requires explicit consent for health, biometrics, orientation, religion, and politics. California instead gives a right to limit sensitive-data use. Virginia — the template for most other US states — went the GDPR direction: opt-in consent for sensitive categories.
Private lawsuits. GDPR enforcement comes from regulators. CCPA added a private right of action for breaches with statutory damages — which means class actions. If you store Californians’ data unencrypted and get breached, the exposure is $100–$750 per consumer, no proof of harm needed. Encryption at rest removes most of this risk. This is the single strongest engineering argument in either law.
The engineering overlap is bigger than the difference
The good news: the systems you build for one law mostly satisfy the other.
- Data export → GDPR access + portability, CCPA right to know (change the timer from 30 to 45 days)
- Account deletion → GDPR erasure, CCPA deletion (add service-provider propagation for CCPA)
- Correction flow → Art. 16 GDPR, §1798.106 CPRA — identical in practice
- Vendor contracts → GDPR DPAs and CCPA service-provider addenda are usually the same document with two annexes
- Suppression lists → GDPR marketing objections, CCPA opt-outs
What CCPA adds that GDPR doesn’t have: GPC signal handling, the categories-of-data disclosure table in your privacy policy (updated annually), and the “Do Not Sell or Share” link. What GDPR adds that CCPA doesn’t: legal-basis analysis, cookie consent, DPAs as a hard requirement, 72-hour breach reporting, and DPO obligations in some countries.
A sane combined architecture
- One privacy policy with a California section (categories table, rights, links) and an EU section (legal bases, transfers, DPO/representative contacts).
- One consent platform, geo-configured: opt-in banner for EU/UK, GPC-aware opt-out mode for US visitors.
- One rights pipeline with per-region timers (30/45 days) and identity verification.
- One vendor file: every processor gets a DPA with GDPR clauses + a CCPA addendum.
- Encrypt at rest — it’s the CCPA class-action shield and an Art. 32 GDPR expectation anyway.
Which one should a new startup build for first?
GDPR. It’s stricter on nearly every axis, it applies from your first EU user (no thresholds), and a GDPR-grade stack downgrades gracefully to CCPA with configuration. The reverse migration — retrofitting consent and legal bases onto an opt-out architecture — is the expensive direction. See the SaaS compliance checklist for the build order.