# [CCPA vs GDPR: Infographic & 10 Differences You Need To Know](https://www.cookiebot.com/en/ccpa-vs-gdpr/)

The California Consumer Privacy Act (CCPA) may affect how your website is allowed to handle the personal information of Californians.

The [California Consumer Privacy Act (CCPA)](https://www.cookiebot.com/en/what-is-ccpa/) and the [General Data Protection Regulation (GDPR)](https://www.cookiebot.com/en/gdpr/) were created to give people greater power over their personal information. Both regulate how companies collect and use individuals’ personal data.

While both laws are focused on user privacy rights and putting control over one’s data back into the users’ hands, there are a few crucial differences between the two regulations beyond just their jurisdiction.

Here is a comparison of the key differences between CCPA vs GDPR and an overview of how organizations can comply with both.

## What is GDPR?

The General Data Protection Regulation is a European Union-wide regulation that controls how companies and other organizations handle personal data. It's designed to give EU residents, regardless of their citizenship, more control over their personal data while simplifying rules for global businesses. It applies to companies that process the data of EU residents even if the companies are not located in the EU, a principle known as extraterritoriality. The law went into effect on May 25th, 2018.

Some key aspects of the GDPR include:

- Organizations must only gather personal data for a particular, explicitly stated reason (purpose), which they must record.
- In most cases, organizations must get explicit, informed, voluntary consent from individuals for the stated purpose before collecting or using their data. If the purpose for collecting and processing data changes, organizations must get new consent from users.
- Data should be deleted, returned, or anonymized when it's no longer needed.
- Individuals have rights regarding their data, including access to it, having it corrected or deleted, and receiving a copy of it.
- Companies require a documented legal reason to handle personal data (legal basis) and should openly share with users what that reason is and how they handle collected data.

## What is CCPA?

[The California Consumer Privacy Act (CCPA)](https://www.cookiebot.com/en/ccpa/), also known as “the California GDPR,” is a [state-wide data privacy law](https://www.cookiebot.com/en/ccpa-regulations/) that regulates how organizations handle the personal information of California residents.

The CCPA was passed in 2018 and went into effect on January 1, 2020. It was the first of the modern and comprehensive data privacy laws passed in the United States. Several states have passed laws since, and California has expanded and amended the CCPA with the [California Privacy Rights Act (CPRA)](https://www.cookiebot.com/en/cpra/).

Some [key aspects of the CCPA](https://www.cookiebot.com/en/what-is-ccpa/) include:

- giving California residents the right to know what personal information, including [data collected through cookies](https://www.cookiebot.com/en/ccpa-cookies/), a business has collected about them and how it is being used and shared
- enabling consumers to opt out of the sale of or sharing of their personal information with third parties
- requiring companies to obtain consumers’ consent to collect and use personal data if it is categorized as sensitive or belongs to a child
- requiring businesses to delete a consumer's personal information upon request

---
## Who needs to comply with GDPR vs CCPA privacy regulations?

Both the CCPA and the GDPR have global reach. The CCPA applies to businesses collecting data from California residents, regardless of the business’ location, while the GDPR applies to any entity worldwide offering goods or services to and collecting and using the personal data of EU residents.

The GDPR protects any individual in the EU during data processing. The CCPA specifically safeguards California residents who are not just temporarily in the state. Therefore, the CCPA does not apply to tourists.

However, the development of case law will likely have to make the definition of “resident” more granular, e.g., is a college student who resides in California for only part of the year a resident?

### Who has to comply with the GDPR?

All organizations and their properties, including websites and mobile applications, that process data of people in the European Union, must comply with the GDPR. The law doesn’t have compliance thresholds, as the CCPA does.

This includes nonprofit organizations, community groups, e-commerce companies, etc. Compliance is also required if companies use third-party services like Google’s or Facebook’s (e.g., for advertising) to process personal data, though the initial company, the data controller, is ultimately responsible for privacy compliance by third-party processors.

### Who has to comply with the CCPA?

The CCPA defines the term “business” broadly. It applies to any for-profit organization, regardless of its location, that collects personal information from California consumers and meets at least one of the following criteria:

- has annual gross revenues above $25 million
- buys, receives, sells, or shares the personal information of 50,000 or more California residents, households, or devices
- gets 50% or more of its annual revenue from selling California residents' personal information

---
## What data is protected under GDPR vs CCPA?

Both the CCPA and GDPR aim to protect people’s personal information that could make them identifiable, either via individual data points or in aggregate. So their definitions of personal data are very similar apart from a few small differences.

### Definition of personal data under the GDPR

Under the GDPR, [personal data is defined](https://gdpr-info.eu/issues/personal-data/) very broadly as “any information relating to an identified or identifiable natural person.” This includes direct identifiers like names and ID numbers, as well as indirect identifiers that can be used to recognize an individual, location data, or IP address. This also includes factors specific to a person's physical, psychological, or genetic identity, healthcare or financial information, political or religious beliefs, and other factors.

### Definition of personal data under the CCPA

The CCPA has a similarly [broad definition](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5) of [personal information](https://www.cookiebot.com/en/ccpa-personal-information-ccpa-compliance-with-cookiebot-cmp/) compared to the GDPR, encompassing data that can directly or indirectly identify or describe a consumer or household.

---
## When can companies use personal data?

The GDPR and the CCPA take different approaches to regulating how companies use people's personal information. The GDPR outlines six reasons, known as legal bases, and companies must rely on at least one of them. The CCPA is more flexible: it focuses on giving users more rights and transparency, and places fewer requirements on companies before they are allowed access to data.

### Legal bases for data processing under the GDPR

Under the GDPR, companies can only process personal data if they have a legitimate reason to do so. The GDPR lists six legal bases from which companies can choose to enable compliant usage of personal data.

### Legal bases for processing under the CCPA

The CCPA doesn't clearly define when or how companies can use personal data, and in most cases does not require a prior legal basis to collect it, as long as the ability to opt out is available.

---
## How do regulatory requirements impact a company’s marketing efforts?

The GDPR and CCPA can both have a significant impact on how companies can conduct their digital marketing activities.

### GDPR compliance and marketing

The GDPR significantly impacts a marketer’s ability to [track website visitors](https://www.cookiebot.com/en/website-tracking/), collect data about their browsing patterns and preferences, and tailor their marketing activities.

### CCPA compliance and marketing

Similar to the GDPR, the CCPA makes it more difficult for marketers to personalize marketing activities. This is because much of the data used by marketers for targeting and personalization is now subject to compliance rules.

---
## How to be privacy-compliant?

To be compliant with relevant privacy laws, there are different steps you need to take depending on which regulation is relevant to your business.

### How to be GDPR-compliant?

To achieve and maintain compliance with the GDPR, companies should take several steps.

### How to be CCPA-compliant?

CCPA compliance focuses on empowering consumers and ensuring responsible data handling practices.

---
## Experience how a CMP can help

Determine if your website is compliant with the CCPA or GDPR. Use our free cookie audit tool to check cookie usage on your website and generate a detailed cookie audit report in minutes.

## What are privacy policy requirements?

The GDPR and CCPA both have specific requirements when it comes to the privacy policies that companies must have in place on their website.

### GDPR privacy policy requirements

Under the GDPR, companies must provide a clear, transparent, and easily accessible [privacy policy](https://www.cookiebot.com/en/privacy-policy-generator-gdpr/) that discloses specific information.

### CCPA privacy policy requirements

The CCPA has similar privacy policy requirements, though the specifics differ somewhat from the GDPR.

---
## How are privacy laws enforced?

The GDPR and CCPA have different approaches when it comes to enforcement.

### GDPR enforcement

The GDPR is enforced by the European Commission and national data protection authorities (DPAs) in each European Union member state.

### CCPA enforcement

The CCPA was enforced solely by the California Attorney General's Office. There is no centralized enforcement body at the national level like with the GDPR.

---
## What are the fines and penalties for noncompliance?

Both the GDPR and CCPA include specifics about fines that can be levied on companies that do not comply with their requirements. Penalties are tiered based on the severity of infractions. However, the GDPR carries much heavier potential penalties than the CCPA.

### GDPR penalties

The GDPR has some of the highest fines of any data privacy law in the world. Companies found to be in serious or repeated violation of the GDPR can be fined up to 4 percent of their global annual revenue or EUR 20 million, whichever is greater.

### CCPA penalties

If you do not comply with the CCPA, the California Attorney General's Office (now the CPPA) can pursue civil penalties.

---
## Prepare for the future and implement a data management strategy

The GDPR and CCPA both focus on protecting data and giving consumers control, but they have some key differences. By now, both laws are well enough established that companies should have solid privacy compliance strategies and operations.

## Frequently asked questions

### What is GDPR?

The General Data Protection Regulation (GDPR) is an EU law that governs the processing of personal data on individuals inside the European Union.

[Learn more about GDPR compliance](https://www.cookiebot.com/en/gdpr-cookies/)

### What is CCPA?

The California Consumer Privacy Act (CCPA) is a state-wide law that governs the collection, use, sharing and selling of personal information of California residents.

[Learn more about CCPA compliance](https://www.cookiebot.com/en/ccpa/)

## Resources

[What is the CCPA?](https://www.cookiebot.com/en/ccpa/)

[The final CCPA regulations for enforcement](https://www.cookiebot.com/en/ccpa-regulations/)

[CCPA and cookies](https://www.cookiebot.com/en/ccpa-cookies/)

[CCPA compliance with Cookiebot CMP](https://www.cookiebot.com/en/ccpa/)

[What is the GDPR?](https://www.cookiebot.com/en/gdpr/)

[GDPR official law text](https://eur-lex.europa.eu/eli/reg/2016/679/oj/)

[CCPA official law text](https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375)

[Future of Privacy Forum’s extensive CCPA vs GDPR comparison](https://fpf.org/wp-content/uploads/2018/11/GDPR_CCPA_Comparison-Guide.pdf)
