Framework comparison · Free audit on each

GDPR vs CCPA

Most SaaS and e-commerce sites need both. They share ~60% of the data-subject-rights surface but diverge sharply on legal basis (opt-in vs opt-out), enforcement scope, and fine structure. Below is the side-by-side every privacy program lead needs — plus a free clause-by-clause audit for each.


Side-by-side

| Dimension | GDPR | CCPA / CPRA |
|---|---|---|
| Full name | General Data Protection Regulation (EU 2016/679) | California Consumer Privacy Act, as amended by CPRA |
| Jurisdiction | EU + EEA + UK (extraterritorial) | California residents (extraterritorial via revenue/data thresholds) |
| Who must comply | Any controller/processor offering goods, services, or monitoring behaviour of EU/EEA/UK residents | Businesses meeting any of: $25M revenue, 100K consumers/households, or 50% revenue from selling PI |
| Enforcer | Member-state Data Protection Authorities (DPAs) | California Privacy Protection Agency (CPPA) + CA Attorney General |
| Max fine / exposure | €20M or 4% of global annual turnover | $7,500 per intentional violation + $100–$750 per consumer per breach incident |
| Certification model | No certification body — accountability principle (self-attest + records) | No certification — annual policy update + cybersecurity audit (CPRA reg pending) |
| Cadence | Continuous; DPIA for high-risk processing; Art. 30 records on demand | Policy reviewed every 12 months; honor GPC opt-out signal in real time |
| Top required clauses | Legal basis per Art. 6 (consent / contract / legitimate interest); specific purpose + retention per data category; all 8 data subject rights with how to exercise them; international transfer safeguards (SCCs / adequacy); 72-hour breach notification to DPA | Categories of PI + sensitive PI (12-month lookback); sources + third parties + business purpose per category; 'Do Not Sell or Share' + 'Limit Sensitive PI' links in footer; right to know / delete / correct / opt-out / limit / non-discrimination; honor Global Privacy Control (GPC) browser signal |
| Deep dive | Full GDPR guide → | Full CCPA / CPRA guide → |

Where they overlap — ~60%

If you already implement these for one framework, ~60% of the work for the other is already done.

  • Right to access your data
  • Right to deletion
  • Right to correction
  • Right to opt-out (CCPA) / withdraw consent (GDPR)
  • Transparency about categories of data + recipients
  • Required public-facing privacy policy with named contact
  • Vendor / processor contractual obligations
  • Breach notification (timing differs)

Where they diverge

Unique to GDPR

  • Opt-IN legal basis required before processing (not opt-out)
  • DPO required for large-scale or special-category processing
  • Data Protection Impact Assessment (DPIA) for high-risk processing
  • Art. 30 Records of Processing Activities (ROPA) on demand
  • International transfer mechanism (SCC / adequacy / BCR)
  • Right to data portability (machine-readable export)
  • Right to object to automated decision-making (Art. 22)
  • 72-hour breach notification to supervisory authority

Unique to CCPA / CPRA

  • Opt-OUT model for sale/share + sensitive PI
  • 'Do Not Sell or Share My Personal Information' link required
  • Global Privacy Control (GPC) signal must be honored
  • 12-month lookback for categories + sources disclosures
  • Statutory damages $100–$750/consumer for data breach (private right of action)
  • Annual policy update mandate (12-month review cadence)
  • Cross-context behavioral advertising = 'sharing' (CPRA)
  • Sensitive PI right-to-limit separate from sale opt-out

Which one do I need?

Do you have ANY users physically in the EU/EEA/UK?

GDPR

Even one EU user triggers GDPR. Monitoring (analytics/cookies) on EU visitors counts even with no payment.

Do you meet $25M revenue OR have data on 100K CA consumers/households?

CCPA / CPRA

CCPA thresholds are low. Most VC-backed SaaS, mid-market e-commerce, and B2B with CA contracts qualify.

Do you sell to both US and EU customers?

GDPR + CCPA / CPRA

Standard for most SaaS. A unified policy with a California-specific section is the dominant pattern.

Do you serve only B2B in a single non-EU country?

CCPA / CPRA

If any contracts touch California, or you collect employee PI in California, CCPA still applies now that the CPRA amendments are in force.

Common pitfalls

Assuming GDPR compliance = CCPA compliance

GDPR requires opt-in; CCPA requires opt-out. A GDPR cookie banner doesn't satisfy CCPA's 'Do Not Sell or Share' link or GPC signal honoring. Sephora paid $1.2M for exactly this gap.

One policy section labeled 'EU users' or 'CA users' is not enough

Both laws require enumerated categories, sources, recipients, and rights. A bullet list with 'see policy' fails. Each section must be substantive and current.

Privacy Shield clauses still in policy (invalid since Schrems II, July 2020)

Use the EU-US Data Privacy Framework (effective July 2023) or the 2021 Standard Contractual Clauses. Any transfer clause that still cites Privacy Shield is invalid as a whole.

FAQ

If I'm GDPR-compliant, am I automatically CCPA-compliant?

No. GDPR is opt-in; CCPA is opt-out with specific link + GPC requirements. You'll need a CCPA-specific section covering categories of PI, the 'Do Not Sell or Share' link, and Global Privacy Control honoring. Most SaaS run a unified policy with a dedicated California section.

Which has higher fines?

Per-violation, GDPR is higher: up to €20M or 4% of global turnover. CCPA caps at $7,500 per intentional violation BUT includes a private right of action with statutory damages of $100–$750 per consumer per breach incident — which often dwarfs CCPA's regulatory fines in class-action settlements.

Do I need to honor the Global Privacy Control under GDPR?

Not explicitly required by GDPR, but the EU's e-Privacy Directive + Art. 21 right to object align with the same outcome. Honoring GPC is best practice across both regimes and reduces enforcement risk.
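Honoring GPC means reading the signal wherever it arrives and letting it override any stored "opted in" state for sale/share processing. The example below is added here and is not code from the original page or from any product the page describes; it uses the header and property names defined by the GPC specification (`Sec-GPC: 1` on requests, `navigator.globalPrivacyControl` in the browser) and constructs its own request objects and consent store so it runs without a browser or web framework.

```javascript
// Added example (not from the page): turn the Global Privacy Control signal,
// seen server-side (Sec-GPC header) or client-side (navigator.globalPrivacyControl),
// into a single "may sale/share processing run?" decision plus an evidence record.

// Server side: the GPC spec sends the signal as the request header "Sec-GPC: 1".
// HTTP header names are case-insensitive, so normalise before comparing.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      // Only the exact value "1" is a valid opt-out; "", "0" or "true" must not
      // be read as opt-out, otherwise a malformed header could silently change state.
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: browsers expose the same signal as navigator.globalPrivacyControl.
// A navigator-like object is passed in so the function also runs outside a browser.
function gpcFromNavigator(navigatorLike) {
  return navigatorLike !== undefined && navigatorLike !== null &&
    navigatorLike.globalPrivacyControl === true;
}

// Decide whether "sale/share" processing (e.g. firing a cross-context ad tag) may run.
// Rule: a GPC signal from either source, or a stored opt-out, blocks the processing;
// the signal is treated as a valid opt-out request and wins over any stored opt-in.
function saleShareAllowed({ headers = {}, navigatorLike = null, storedOptOut = false }) {
  const gpc = gpcFromHeaders(headers) || gpcFromNavigator(navigatorLike);
  return !(gpc || storedOptOut);
}

// Build a record of how the decision was reached, so the opt-out can be evidenced
// later (which signal was seen, and what the stored preference was at the time).
function buildConsentRecord(input) {
  return {
    gpcHeader: gpcFromHeaders(input.headers || {}),
    gpcNavigator: gpcFromNavigator(input.navigatorLike),
    storedOptOut: Boolean(input.storedOptOut),
    saleShareAllowed: saleShareAllowed(input),
  };
}

// Constructed sample requests (not real traffic) covering the cases that matter:
// a correct header, no signal, a malformed header value, and a client-only signal.
const SAMPLE_REQUESTS = [
  { label: 'browser with GPC enabled', headers: { 'Sec-GPC': '1', 'User-Agent': 'constructed' } },
  { label: 'no signal at all', headers: { 'User-Agent': 'constructed' } },
  { label: 'malformed header value', headers: { 'sec-gpc': 'true' } },
  { label: 'client-side signal only', headers: {}, navigatorLike: { globalPrivacyControl: true } },
];

for (const req of SAMPLE_REQUESTS) {
  console.log(req.label, JSON.stringify(buildConsentRecord(req)));
}
```

The strict check for the literal value `1` is deliberate: the specification defines that value, and treating any non-empty header as an opt-out would let a malformed or injected header flip a user's recorded preference. The same specification also lets a site publish a `/.well-known/gpc.json` resource stating that it honors the signal; that file is a static declaration and is not part of this example.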

Audit your existing policy — free

Paste your current policy and get a clause-by-clause grade against either framework in 20 seconds. No signup. 3 audits/day.
