GDPR vs. CCPA: Key Differences and Similarities

How is California’s Consumer Privacy Act different from Europe’s GDPR? Keep reading for a breakdown of key differences and similarities.
Media - Anthony Gagliardi

by Tony Gagliardi

April 22, 2022

Europe’s General Data Protection Regulation (GDPR) law is the strictest privacy law in the world. 

Soon after it was introduced in May of 2018, California created their own privacy law—the California Consumer Privacy Act (CCPA). Enforcing the data privacy rights of consumers in California, CCPA has often been called the “GDPR” of California. 

But is CCPA actually comparable to GDPR?

In this article, we’ll take a deep dive into both privacy laws by exploring their requirements, fines, and definitions. Finally, we’ll look at where they overlap, and how they differ to see if CCPA is in fact the “GDPR of the Golden State.”

What is GDPR?

The General Data Protection Regulation, or GDPR, was created to protect the privacy rights of individuals in the European Union. This includes website visitors, consumers, non-profit donors, or anyone else who engages with a platform that collects data. GDPR was created in response to a growing number of users engaging with cloud-based services, and a growing number of data breaches, leaks, and cyber attacks. 

To protect the rights of users in all 27 countries (also called Member States) of the EU, GDPR enforces strict regulations around how websites, companies, and organizations process and retain the personal data of users. GDPR gives users control over how companies collect, use, and share their personal data.

Key Definitions

According to GDPR, data controllers include any individuals in an organization that decide how and why to process data. This could be an owner or employee in an organization or business. 

Data processing refers to any automated or manual action that applies to data. Data subjects can include consumers or site visitors. 

Finally—and most importantly—GDPR defines personal data as any information relating to an identified or identifiable natural person (‘data subject’). This includes information such as names, physical addresses, or email address, but also “ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions.”

What is CCPA?

The California Consumer Privacy Act, or CCPA, was created to protect the data privacy rights of consumers in the state of California. CCPA regulations apply to for-profit businesses, and concerns transparency. 

Most notably, CCPA gives consumers the:

  • Right to request or delete data that has already been collected. 

  • Ability to opt in or out of having their data sold to third parties. 

  • Right to correct inaccurate information.

  • Right to limit use of personal information. 

Key Definitions

According to CCPA, businesses and for-profit entities to whom the law applies include any business operating in California with at least one of the following features:

  • Has an annual gross revenue exceeding $25 million. 

  • Processes the data of more than 50,000 consumers (or devices, or households) in California.

  • Makes at least 50% of its revenue from selling personal information. 

CCPA defines consumers as customers, employees, or businesses (such as in a business-to-business transaction) that purchase from a business operating in California.

Finally, CCPA defines personal information as any data that may be connected to an individual or household. This can include social security numbers, account log-in information, credit card information, geolocation information, ethnic or religious information, and genetic data.

Expansion of CPRA 

The California Privacy Rights Act, or CPRA, was approved in 2020 and makes significant changes to CCPA. 

One main difference deals with the enforcement of the law. CCPA is enforced by the California Attorney General, whereas the CPRA is enforced by the California Privacy Protection Agency and the California Attorney General. 

Additionally, the CPRA expands one of the thresholds for applicability by increasing the number of California consumer records processed from 50,000 to 100,000. 

CPRA expands the definition of sharing data to “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.” 

It also adds contractors to the law. The CPRA stipulates that contractors must only use the personal information of consumers to perform the services agreed on in a contract. It requires them to use safeguards, and to tell consumers when they are using subcontractors. Keep in mind that CPRA regulations apply to subcontractors as well. 


The GDPR and CCPA/CPRA do have some areas of overlap. 

Both regulations:

  • Were created to protect privacy rights.

  • Concern personal information that can be used to identify an individual, such as basic personal information, addresses, and ethnic/religious information.

  • May affect entities outside of the specific area (EU or CA).

However, the regulations do include key differences. The GDPR is far more stringent and results in much higher fines. In the next section, we’ll take a look at the core differences between GDPR and CCPA/CPRA. 


While GDPR and CCPA/CPRA are both designed to protect privacy, they have different requirements. 

CCPA/CPRA requires businesses to inform individuals (or applicable entities) when their data was used for business purposes within 12 months of data collection. Users must also be informed when third parties collect that data and sell it to other third parties.  

GDPR, on the other hand, requires that individuals are always notified when their data is collected. They must also be told why their data is being used, and be reminded that they have the right to take back their consent. 

GDPR also carries much higher fines than the CCPA/CPRA. A company or organization that violates GDPR regulations can be fined up to €20 million or 4% of global revenue (whichever is higher).  

CCPA/CPRA charges $2,500 per violation and $7,500 per intentional violation

Simply put, GDPR provides more proactive protection for consumers, while CCPA/CPRA focuses more on retroactively informing consumers that their data has been collected (opt-in vs. opt-out models). 


For additional resources, here’s the GDPR checklist for data controllers and a breakdown of CCPA regulations

In general, if your organization is GDPR compliant, then you are well on your way towards CCPA/CPRA compliance. Sustained compliance with both laws requires continuous monitoring of controls and a unified view of your team’s security posture. To learn more about how to automate this process for you, schedule a demo with our team.

Trusted Newsletter
Resources for you
New Launches From Drataverse

New Launches From Drataverse: Chart Your Course

Highlights From Drataverse: Chart Your Course

Highlights From Drataverse: Chart Your Course

Image - SOC 2 penetration test list

Penetration Tests and SOC 2: Preference, Tradition, or Requirement?

Media - Anthony Gagliardi
Tony Gagliardi
Tony Gagliardi's area of expertise focuses on on building sound cybersecurity risk management programs that meet security compliance requirements. Tony is a Certified Information Systems Security Professional (CISSP) specializing in GRC, SOC 2, ISO 27001, GDPR, CCPA/CPRA, HIPAA, various NIST frameworks and enterprise risk management.
Related Resources
Illustraction depicting a GDPR compliance checklist

GDPR Compliance Checklist: How to Become Compliant

BLOG-GDPR -A-Beginners-Guide

GDPR: A Beginner's Guide


Data Protection Impact Assessment for GDPR: How To Do It Right

Debunking the Top 5 GDPR Myths and Misconceptions

Debunking the Top 5 GDPR Myths and Misconceptions