CCPA vs GDPR: Key Differences Every Global Business Must Understand
When your company collects data from users in California and the European Union, you operate under two of the world’s most comprehensive privacy laws simultaneously: the California Consumer Privacy Act (CCPA/CPRA) and the EU’s General Data Protection Regulation (GDPR). Their requirements overlap in many areas — but the gaps between them create significant compliance complexity if you treat them as identical.
This guide provides a definitive side-by-side comparison so you can build a privacy framework that satisfies both.

Key Differences at a Glance
| Feature | GDPR | CCPA/CPRA |
|---|---|---|
| Jurisdiction | All of EU/EEA | California residents |
| Who it applies to | Any org processing EU data | For-profit businesses meeting thresholds |
| Revenue / volume threshold | None | $25M+ revenue, OR 100k+ consumers/households, OR 50%+ of revenue from selling/sharing PI |
| Lawful basis required | Yes (consent, contract, etc.) | No |
| DPO required | Conditional | No |
| Breach notification | 72 hours to supervisory authority (Art. 33) | No fixed day count: "most expedient time possible"; ~30 days is a common working target |
| Max penalty | €20M or 4% of global annual turnover, whichever is higher | $2,500 per violation; $7,500 per intentional violation or violation involving minors |
| Private right of action | Yes (Art. 82 compensation for any infringement) | Yes, but only for certain data breaches |
| Employee data covered | Yes | Yes (CPRA expanded) |
Scope: Who Must Comply?
GDPR Scope
The GDPR has extraterritorial reach. Any organization — regardless of location — that:
- Offers goods or services to individuals in the EU or EEA (even if free)
- Monitors the behavior of individuals in the EU
…must comply with the GDPR. There is no revenue or size threshold. A single-person consulting firm based in Texas that charges EU clients is subject to the GDPR.
CCPA/CPRA Scope
The CCPA applies to for-profit businesses that collect California residents’ personal information AND meet at least one of:
- Annual gross revenues exceeding $25 million (the figure is adjusted for inflation by regulation)
- Annually buys, sells, or shares the personal information of 100,000+ California consumers or households
- Derives 50%+ of annual revenues from selling or sharing California residents’ personal information
Non-profits and government entities are outside the statute. A for-profit company below all three thresholds is also outside its scope, but the thresholds must be re-checked as the company grows: crossing any one of them brings the business in.
Lawful Basis: The Most Fundamental Difference
GDPR requires a documented lawful basis for every processing activity. The six bases are: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. Processing personal data without a documented lawful basis is itself a GDPR violation.
CCPA has no equivalent requirement. Businesses can collect and process personal information as long as they: (1) disclose at or before collection what they collect and how it is used (via a privacy notice), (2) honor opt-out requests for selling or sharing data, and (3) under the CPRA, limit collection and use to what is reasonably necessary and proportionate for the disclosed purposes.
This distinction means that you cannot simply reuse your GDPR consent management system to satisfy CCPA — they reflect fundamentally different regulatory philosophies.
Consumer/Data Subject Rights Comparison
Both laws give individuals meaningful rights over their personal data. Here is how they align:
| Right | GDPR | CCPA/CPRA |
|---|---|---|
| Access / Right to Know | ✅ | ✅ |
| Deletion (“Right to Be Forgotten”) | ✅ | ✅ |
| Correction / Rectification | ✅ | ✅ |
| Data Portability | ✅ | Partial |
| Opt-Out of Sale | ❌ (no “sale” concept; right to object / withdraw consent instead) | ✅ (core right) |
| Opt-Out of Profiling | ✅ (object to profiling, Art. 21; not to be subject to solely automated decisions, Art. 22) | ✅ (CPRA: opt-out of sharing for cross-context behavioral advertising; the statute also directs regulations on automated decision-making opt-outs) |
| Limit Sensitive Data Use | Partial (Art. 9: special-category data is prohibited unless an exception such as explicit consent applies) | ✅ (CPRA explicit right) |
Response timeframes:
- GDPR: Within one month of receipt (extendable by two further months for complex or numerous requests, i.e. three months total, with the individual told of the extension within the first month)
- CCPA: Within 45 days of receipt (extendable by another 45 days with notice to the consumer)
Breach Notification: 72 Hours vs. 30 Days
GDPR: If a breach is likely to result in a risk to individuals’ rights and freedoms, the data controller must notify the competent supervisory authority within 72 hours of becoming aware of it. If notification to affected individuals is required (high risk), it must be “without undue delay.”
California (CCPA + Civil Code 1798.82): There is no calendar-day breach notification deadline in the CCPA itself. California’s general breach notification law requires notifying affected residents “in the most expedient time possible and without unreasonable delay” once unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. No statute fixes a day count; roughly 30 days is a common working target, not a legal safe harbor. If a single breach requires notifying more than 500 California residents, a sample copy of the notice must also be submitted to the California Attorney General.
If you operate under both frameworks, the GDPR’s 72-hour authority notification window creates the binding constraint. Note that the clock starts when the controller becomes “aware,” so internal detection and escalation must run in hours, not days, and the GDPR trigger (risk to individuals) is broader than California’s (acquisition of unencrypted personal information).
Building a Unified Privacy Program
Rather than running two separate compliance programs, most companies benefit from a unified privacy framework that uses the GDPR’s higher standard as the baseline — and then adds CCPA-specific requirements on top.
Core elements of a unified framework:
- Privacy Notice/Policy: Covers all required disclosures for both GDPR and CCPA, including data categories, use purposes, retention periods, and opt-out mechanisms.
- Data Subject/Consumer Request Portal: A single intake system that routes GDPR DSARs and CCPA consumer requests with the appropriate response workflows and timelines.
- Consent Management Platform (CMP): Manages GDPR consent and CCPA opt-out signals, including the Global Privacy Control, which the CCPA regulations require businesses to honor as a valid opt-out of sale and sharing.
- Data Processing Agreements: Required under GDPR (Art. 28) for every processor. Also required under the CPRA (Civ. Code §1798.100(d)) for service providers, contractors and third parties that receive personal information, with prescribed contract terms.
- Incident Response Plan: A unified breach response plan whose internal escalation trigger is measured in hours, so that the GDPR’s 72-hour authority notification deadline can still be met after triage.
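The intake, routing and clock-tracking pieces above reduce to a small amount of logic that is easy to get wrong (calendar months versus days, case-insensitive header matching). The following is an added example written for this article, not code from any product or from the original page. It assumes a constructed intake record format (`residency` tags `EEA` and `US-CA`, a `received` ISO date, raw request headers); the `Sec-GPC: 1` request header comes from the Global Privacy Control specification, and the clocks from GDPR Art. 12(3) and Art. 33 and Cal. Civ. Code §1798.130(a)(2).

```python
"""Route a rights request to the applicable regime(s), honour a GPC signal, and compute
statutory clocks. Added example; function names and the record layout are hypothetical."""
from calendar import monthrange
from datetime import date, datetime, timedelta, timezone
from typing import Optional

# Global Privacy Control: the browser sends "Sec-GPC: 1" to signal "do not sell or share".
GPC_HEADER = "sec-gpc"


def gpc_opt_out(headers: dict) -> bool:
    """True if the request carries a valid GPC signal.
    Header names are matched case-insensitively; only the literal value "1" is honoured,
    so "0", "true" or an empty value do not count as an opt-out."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month
    (31 Jan + 1 month -> 28/29 Feb). GDPR counts months, not days."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, monthrange(year, month)[1])
    return date(year, month, day)


def response_deadline(regime: str, received: date, extended: bool = False) -> date:
    """Deadline to answer a rights request.
    GDPR: one month, extendable by two further months (Art. 12(3)).
    CCPA: 45 days, extendable by a further 45 days (Civ. Code 1798.130(a)(2))."""
    if regime == "GDPR":
        return add_months(received, 3 if extended else 1)
    if regime == "CCPA":
        return received + timedelta(days=90 if extended else 45)
    raise ValueError(f"unknown regime {regime!r}")


def breach_authority_deadline(regime: str, aware_at: datetime) -> Optional[datetime]:
    """GDPR Art. 33: notify the supervisory authority within 72 hours of becoming aware
    (where the breach is likely to result in a risk). California fixes no day count,
    so the function returns None rather than inventing one."""
    if regime == "GDPR":
        return aware_at + timedelta(hours=72)
    return None


def regimes_for(residency: set) -> set:
    """Constructed convention: 'EEA' marks an EU/EEA data subject, 'US-CA' a California resident.
    A person can be both, in which case both clocks run in parallel."""
    regimes = set()
    if "EEA" in residency:
        regimes.add("GDPR")
    if "US-CA" in residency:
        regimes.add("CCPA")
    return regimes


def classify_request(record: dict) -> dict:
    """Attach regimes, per-regime deadlines and the GPC opt-out flag to an intake record.
    Deadlines are returned as ISO strings so the result can be stored or logged as-is."""
    received = date.fromisoformat(record["received"])
    regimes = regimes_for(set(record.get("residency", [])))
    deadlines = {r: response_deadline(r, received).isoformat() for r in sorted(regimes)}
    # The CCPA regulations require treating GPC as an opt-out of sale/sharing. GDPR has no
    # "sale" right, but the same signal is a strong cue to review consent and objections,
    # so it is surfaced regardless of regime.
    return {
        "regimes": sorted(regimes),
        "deadlines": deadlines,
        "gpc_opt_out": gpc_opt_out(record.get("headers", {})),
    }


if __name__ == "__main__":
    # Constructed sample: a dual-jurisdiction requester whose browser sends GPC.
    sample = {
        "residency": ["EEA", "US-CA"],
        "received": "2026-01-31",
        "headers": {"User-Agent": "Mozilla/5.0", "Sec-GPC": "1"},
    }
    print(classify_request(sample))
    print(breach_authority_deadline("GDPR", datetime(2026, 3, 1, 10, 0, tzinfo=timezone.utc)))
```

The month arithmetic is the part worth keeping: a request received on 31 January is due on 28 February under GDPR but on 17 March under CCPA, and a naive "30 days" for the GDPR clock would miss the deadline in February.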
Conclusion
Operating under both GDPR and CCPA/CPRA is the reality for any scaling technology or media company. The companies that handle this best are those that treat privacy as an engineering requirement — built into their data architecture from the start — rather than a legal compliance checklist bolted on afterward. Invest early in a consent management platform, a data mapping exercise, and a response procedure for data subject requests, and you will be well positioned for both regimes and every state privacy law that follows CCPA’s lead.
Related Articles
- GDPR Compliance for Startups: A Practical 2026 Checklist
- GDPR Compliance Guide: Data Protection Requirements, Implementation, Fines, and Best Practices (2024-2026)
- CCPA and State Privacy Laws Guide: California, Virginia, Colorado, and Multi-State Compliance (2024-2026)
- HIPAA Compliance for Health Tech Startups: The Definitive 2026 Guide
Frequently Asked Questions (FAQ)
What is the CCPA?
The California Consumer Privacy Act (as amended by the CPRA) is a state privacy law granting California residents rights over their personal data. It applies to for-profit businesses that meet a revenue ($25M+), data volume (100k+ consumers or households), or data-revenue (50%+ from selling or sharing personal information) threshold.
What is the GDPR?
The EU’s General Data Protection Regulation — applies to any organization processing EU data subjects’ personal data, regardless of where the organization is based.
What are the key scope differences?
GDPR applies to any org processing EU data, with no size threshold. CCPA applies only to for-profit businesses meeting specific revenue or data volume thresholds.
What consumer rights does CCPA grant?
Right to Know, Right to Delete, Right to Correct, Right to Opt-Out of sale/sharing, Right to Limit Sensitive Data Use, and Right to Non-Discrimination.
What rights does GDPR grant?
Right of Access, Rectification, Erasure, Restrict Processing, Data Portability, Object to Profiling, and rights related to automated decision-making.
How do breach notification requirements differ?
GDPR: notify the supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals. CCPA: no specific deadline; California’s breach notification law requires notice “in the most expedient time possible and without unreasonable delay,” which practitioners commonly treat as roughly 30 days, and the Attorney General must receive a sample notice when more than 500 residents are notified.
What are the penalties under each law?
GDPR: up to €20M or 4% of global annual turnover, whichever is higher. CCPA: up to $2,500 per violation and $7,500 per intentional violation (or violation involving a minor), plus $100–$750 per consumer per incident or actual damages, whichever is greater, via the private right of action for certain data breaches.
Is a Data Protection Officer (DPO) required?
GDPR: required for certain organizations (public bodies, large-scale monitoring, sensitive data processing). CCPA: not required.
Does a US company serving EU customers need GDPR compliance?
Yes. GDPR applies to any organization that offers goods or services to individuals in the EU/EEA or monitors their behavior, regardless of where the company is located.
What is the ‘lawful basis’ requirement and does CCPA have one?
GDPR requires a documented lawful basis for every processing activity. CCPA does not — it requires transparency and opt-out rights instead. This is a fundamental philosophical difference.