Do I need to comply with both GDPR and CCPA?

It depends on your business. GDPR applies if you process data of EU residents or offer goods/services to them. CCPA/CPRA applies if you meet California's thresholds (usually $25M+ revenue, 100K+ consumers, or 50%+ revenue from data sales). Many businesses need to comply with both.

What's the difference between CCPA and CPRA?

CPRA (effective January 2023) amended and expanded CCPA. Key additions include: right to correct data, right to limit sensitive personal information use, new category of 'sharing' for cross-context advertising, and a dedicated enforcement agency (CPPA).

Which law has stricter penalties?

GDPR has significantly stricter penalties—up to €20 million or 4% of global annual revenue, whichever is higher. CCPA/CPRA penalties are $2,500-$7,500 per violation, though they can add up quickly with many affected consumers.

How do I handle data requests under multiple frameworks?

Build a unified data subject rights workflow that meets the strictest requirements (usually GDPR). Set response timelines to meet the shortest deadline (GDPR's 30 days vs. CCPA's 45 days). Document everything to demonstrate compliance with both.

Do small businesses need to comply with these laws?

GDPR applies regardless of business size if you process EU data. CCPA/CPRA has thresholds: $25M+ annual revenue, processing 100K+ consumers, or 50%+ revenue from data sales. Small businesses may be exempt from CCPA but not GDPR.

What about other state privacy laws?

Many other states (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana) have enacted privacy laws. Most follow the VCDPA model rather than CCPA. Check our US State Privacy Laws guide for comprehensive coverage.

GDPR vs CCPA vs CPRA: Complete Privacy Law Comparison

At a Glance

GDPR

European Union

Effective:May 2018

Model:Opt-In Consent

Max Penalty:4% Revenue

Enforcement:Data Protection Authorities

Gold standard for global privacy

CCPA

California (Original)

Effective:January 2020

Model:Opt-Out

Max Penalty:$7,500/violation

Enforcement:CA Attorney General

Superseded by CPRA in 2023

CPRA

California (Current)

Effective:January 2023

Model:Opt-Out (Enhanced)

Max Penalty:$7,500/violation

Enforcement:CPPA + AG

Current California law

Detailed Comparison

Feature	GDPR	CCPA	CPRA
Effective Date	May 25, 2018	January 1, 2020	January 1, 2023
Geographic Scope	EU residents' data, worldwide applicability	California residents	California residents
Business Thresholds	None (applies to all)	$25M revenue, 50K+ consumers, or 50%+ data revenue	$25M revenue, 100K+ consumers, or 50%+ data revenue
Consent Model	Opt-In Required	Opt-Out (for sales)	Opt-Out (for sales & sharing)
Right to Know/Access
Right to Delete
Right to Correct
Right to Portability
Opt-Out of Sale	N/A (consent-based)
Opt-Out of Sharing	N/A (consent-based)
Sensitive Data Protections	Special categories (explicit consent)		Limit use right
Automated Decision Rights	Right to human review	Disclosure only	Opt-out right
Response Timeline	30 days (extendable to 90)	45 days (extendable to 90)	45 days (extendable to 90)
Private Right of Action	Limited (via member states)	Data breaches only	Data breaches only
Maximum Penalties	€20M or 4% global revenue	$2,500-$7,500/violation	$2,500-$7,500/violation
DPO/Privacy Officer	Required in some cases
Legal Basis Required	(6 bases)
Breach Notification	72 hours to DPA	"Expedient" (no specific time)	"Expedient" (no specific time)

Consumer Rights Comparison

Rights in All Three Laws

Right to Know: What data is collected and how it's used
Right to Access: Obtain a copy of personal data
Right to Delete: Request erasure of personal data
Non-Discrimination: Equal service regardless of privacy choices

GDPR-Exclusive Rights

Right to Object: Stop processing for direct marketing
Right to Restrict: Limit how data is processed
Right to Human Review: Challenge automated decisions
Withdraw Consent: Revoke consent at any time

Compliance Requirements

Privacy Notice Requirements

GDPR

• Identity of controller
• Legal basis for processing
• Data retention periods
• Rights and how to exercise
• International transfer info
• DPO contact details

CCPA

• Categories of data collected
• Purpose of collection
• Categories sold/disclosed
• "Do Not Sell" link
• Consumer rights description
• How to submit requests

CPRA (Added)

• Retention periods
• Sensitive data categories
• "Limit Use" for sensitive data
• Right to correction
• Automated decision-making
• "Do Not Share" link

Data Processing Agreements

All three frameworks require contracts with service providers who process personal data on your behalf:

GDPR Article 28 Requirements

• Process only on documented instructions
• Confidentiality obligations
• Security measures
• Sub-processor restrictions
• Assist with data subject rights
• Deletion/return at contract end

CCPA/CPRA Service Provider Terms

• Prohibit selling/sharing received data
• Prohibit use outside business purpose
• Certify understanding of restrictions
• Notify of subcontractors
• Allow compliance audits
• Contractually bind subcontractors

Multi-Jurisdiction Compliance Strategy

Attorney Insight

"Having built privacy programs serving clients across multiple jurisdictions including GDPR, CCPA/CPRA, and emerging state laws, I've found that starting with GDPR as your baseline often makes multi-jurisdictional compliance more efficient. GDPR's stricter requirements typically satisfy California and other state laws, though you'll need jurisdiction-specific disclosures and opt-out mechanisms."

— Miakel Williams, Savvy Esquires

If You Only Comply With One...

GDPR:Best baseline for global operations; covers most requirements but misses CCPA-specific disclosures
CCPA/CPRA:Insufficient for EU operations; lacks consent requirements and legal basis framework

Recommended Approach

Build GDPR-compliant data mapping and consent infrastructure
Add CCPA/CPRA-specific disclosures and "Do Not Sell/Share" links
Implement unified data subject request workflow
Use shortest response timeline (GDPR's 30 days)
Layer additional state laws as needed

Frequently Asked Questions

Not Sure Which Laws Apply to You?

Take our free Privacy Law Assessment Quiz to discover exactly which regulations apply to your business based on your revenue, customers, and data practices.

Take the Privacy Assessment Quiz

Need Help With Privacy Compliance?

Navigating GDPR, CCPA, CPRA, and other privacy laws can be complex. Book a consultation to discuss your specific compliance needs and develop a practical roadmap.

No-Obligation Discovery Call

15 minutes to understand your needs

Same-Day Availability

Choose a time that works for you

Immediate Value

Get actionable insights on your first call

Cornell Tech LL.M.

Licensed in NY, NJ, CA

Fortune 500 Alumni (Tapestry)

HITRUST, ISO 27001 & SOC 2

We respond to all inquiries within 24 hours

GDPR vs CCPA vs CPRA: Complete Privacy Law Comparison

At a Glance

GDPR

CCPA

CPRA

Detailed Comparison

Consumer Rights Comparison

Rights in All Three Laws

GDPR-Exclusive Rights

Compliance Requirements

Privacy Notice Requirements

GDPR

CCPA

CPRA (Added)

Data Processing Agreements

GDPR Article 28 Requirements

CCPA/CPRA Service Provider Terms

Multi-Jurisdiction Compliance Strategy

Attorney Insight

If You Only Comply With One...

Recommended Approach

Frequently Asked Questions

Not Sure Which Laws Apply to You?

Related Resources

US State Privacy Laws Guide

Global Privacy Laws Guide

Privacy & Compliance Services

Need Help With Privacy Compliance?

Privacy & Cookies