Loading…
GDPR and CCPA/CPRA are the world's two most-referenced privacy frameworks. They look similar at a glance, but they diverge sharply on extraterritorial reach, lawful basis for processing, opt-in vs opt-out architecture, breach notification timelines, and penalty severity. This guide gives you the precise side-by-side any privacy team will reach for.
| Dimension | 🇪🇺 GDPR | 🇺🇸 CCPA |
|---|---|---|
| Legal instrument | Regulation (EU) 2016/679 | Cal. Civ. Code § 1798.100 et seq. (CCPA, as amended by CPRA, 2020) |
| Effective date | 25 May 2018 | CCPA: 1 Jan 2020; CPRA strengthening: 1 Jan 2023 |
| Territorial scope | Anyone processing personal data of individuals in the EU (Art. 3 — extraterritorial) | For-profit businesses doing business in California meeting thresholds (§1798.140(d)) |
| Applicability threshold Any one trigger | Any controller/processor — no revenue/volume floor | $25M revenue OR 100K+ CA consumers/households OR 50%+ revenue from selling/sharing PI |
| Consent model | Opt-in for most processing (Art. 6) | Opt-out of sale or sharing; opt-in for minors under 16 |
| Lawful basis required | Yes — one of six (Art. 6) or special-category condition (Art. 9) | No formal lawful basis; "business purpose" + notice at collection |
| Sensitive data | Special-category data (Art. 9) requires explicit consent + safeguards | Sensitive PI (CPRA §1798.140(ae)) — right to limit, not absolute restriction |
| Breach notification | 72 hours to Supervisory Authority (Art. 33); affected data subjects without undue delay if high risk | No specific timeline; "in the most expedient time possible" under Cal. Civ. Code §1798.82 |
| Maximum fine | €20M or 4% of global annual turnover, whichever is higher (Art. 83(5)) | $2,500 per unintentional / $7,500 per intentional or minor-related violation (per-record) |
| Regulator | 27 EU Member State DPAs + EDPB (one-stop-shop) | California Privacy Protection Agency (CPPA) + California Attorney General |
| DPO requirement | Mandatory in defined cases (Art. 37) | Not mandatory; risk-assessment requirement for SDFs |
| Local representative | Article 27 EU Representative required for non-EU controllers/processors | Not required; physical presence not mandatory |
| DSAR response window | 1 month + 2-month extension for complex requests (Art. 12(3)) | 45 days, extendable by 45 more (§1798.130) |
| Cross-border transfer | Restricted — SCC/BCR/adequacy required (Chapter V) | No explicit restriction; contractual safeguards under sectoral law |
| Private right of action | Yes — Art. 79 (limited) + Art. 82 damages | Only for data breaches under §1798.150 |
| Children's data | Under 16 default consent age (Member States can lower to 13) | Opt-in sale/sharing for under 16; under 13 requires parent |
| Right to delete | Right to erasure (Art. 17) with exceptions | Right to delete (§1798.105) with exceptions |
| Right to know/access | Art. 15 — confirmation + copy | §1798.110 + §1798.115 — disclosure of categories and specific PI |
| Right to opt-out | Object to processing based on legitimate interests or direct marketing (Art. 21) | Opt-out of sale or sharing of PI (§1798.120); GPC must be honoured |
| Right to portability | Art. 20 — structured, commonly used, machine-readable | Right to receive in a portable format (§1798.100(d)) |
Yes, if you target both EU individuals and California consumers. They have overlapping core requirements (notice, access, deletion) but diverge on consent, breach timelines, and territoriality. A single mapped control set works for both.
Materially, yes. GDPR requires a lawful basis for every processing activity, mandates 72-hour breach notification, restricts cross-border transfers, and has uncapped revenue-based fines. CCPA/CPRA is more opt-out flavoured and has per-violation rather than turnover penalties — but Meta's $1.2B settlement shows aggregate exposure can match GDPR.
No. GDPR Article 3 applies extraterritorially. If you offer goods or services to people in the EU or monitor their behaviour, you're in scope and must appoint an Article 27 EU Representative.
There is no formal equivalent. CCPA does not require a designated local representative. However, sensitive financial or health data may invoke parallel federal regimes (HIPAA, GLBA) with their own contact-point requirements.
GDPR: 72 hours to the lead Supervisory Authority. CCPA: "most expedient time possible" with no fixed clock — though plaintiffs' lawyers in §1798.150 class actions argue anything over a few days is unreasonable.
Yes — and it should. Build one verifiable consumer request pipeline, map outputs to both Article 15 GDPR and §1798.110 CCPA disclosures. Just keep the timeline at the shorter window (1 month for EU residents, 45 days for California residents).
Map controls once, comply twice. RegulatoryBridge gives you a single DSAR pipeline, single DPO, single breach runbook — covering both frameworks.