PolicifyAI

Published January 2026 · 9 min read

CCPA vs GDPR: Key Differences for Global Businesses

Selling to customers in both the US and EU? Here is a side-by-side comparison of your obligations under each regime and where they conflict.

Do you need to comply with both?

If you have customers in California and the EU or UK, the answer is almost certainly yes. GDPR applies to any business that processes personal data of EU/UK residents, regardless of where the business is based. CCPA applies to for-profit businesses meeting certain thresholds that process data of California residents.

CCPA thresholds

CCPA applies to businesses that: (a) have annual gross revenues above $25 million, (b) buy, sell, or receive personal information of 100,000 or more consumers or households per year, or (c) derive 50% or more of annual revenue from selling personal information. Many SaaS companies hit threshold (b) earlier than they expect.

Key difference 1: Opt-out vs opt-in

GDPR requires opt-in consent for most data processing. CCPA uses an opt-out model for data sales — you can sell data by default, but must provide a "Do Not Sell My Personal Information" link. However, CPRA (the 2023 update to CCPA) added opt-out rights for "sharing" data for cross-context behavioural advertising, even without payment.

Key difference 2: The definition of "sale"

CCPA defines "selling" broadly — it includes sharing data for valuable consideration. Using Google Analytics and getting analytics services in return may constitute a "sale" under CCPA. This has caught many businesses off guard.

Key difference 3: Individual rights

Both regimes grant rights to access, delete, and port data. GDPR additionally grants the right to object to processing and the right to restrict processing — more powerful rights not present in CCPA. CPRA added a right to correct inaccurate data, moving closer to GDPR.

Key difference 4: Enforcement

GDPR is enforced by data protection authorities in each EU member state (and the ICO in the UK) and can result in fines of up to 4% of global annual turnover. CCPA is enforced by the California Attorney General and the California Privacy Protection Agency, with fines of up to $7,500 per intentional violation.

Practical approach for global businesses

In practice, building for GDPR compliance gets you most of the way to CCPA compliance. The main CCPA-specific additions are: adding a "Do Not Sell or Share My Personal Information" link, updating your privacy policy with California-specific disclosures, and implementing a process for CCPA data requests. Use GDPR as your baseline and add CCPA requirements on top.
