Accessibility & Inclusion

CCPA vs. GDPR: Differences, Similarities, and Must-Knows

February 7, 2022 7 minute read
The CCPA and GDPR aim to enhance consumer data protection, and they both can result in hefty fines for businesses that are non-compliant. Learn more.

By now, most business leaders are aware of the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). The CCPA and GDPR aim to enhance consumer data protection, and they both can result in hefty fines for businesses that are non-compliant, but these regulations differ in some important ways. 

This post is a GDPR vs. CCPA comparison, in which we’ll look at the highlights of the CCPA and GDPR, how they may impact businesses, and the fines for non-compliance.

Differences and similarities that may impact your business

How do the laws define personal information?

One of the differences between CCPA and GDPR laws is how they describe the use of personal information (the CCPA uses the term “personal information,” and the GDPR uses the term “personal data”). Both terms apply to information that can be used to identify someone, such as an email address or photo ID. The CCPA also covers personal information that identifies a household, whereas the GDPR applies only to individuals’ personal data.

The CCPA allows businesses to use personal data, as long as they disclose how that data is used and offer consumers the opportunity to opt-out. For example, businesses can place a cookie consent policy on their site that lets consumers customize their data privacy preferences.

GDPR language allows businesses to use personal data only when at least one of six conditions apply:

  1. Consumers can consent to the use of their data and withdraw consent at any time. 
  2. The data being collected supports a “contract” between the user and the company, or the collection of data is a preliminary step before executing said contract. 
  3. The processing of data is a legal requirement. 
  4. The processing of data is necessary to protect the life of the user. 
  5. The collection of data is necessary to complete a task that’s in the public interest. 
  6. The data is necessary for the business’s interests, or for the interests of a third party. 

Who is protected by CCPA and GDPR laws?

The GDPR protects citizens and residents of the EU, while the CCPA protects permanent California residents (even those who are temporarily out of state). The language of these guidelines differs in describing who is protected and to whom the guidelines apply.

Consumers vs. data subjects

The CCPA refers to protected parties as consumers, while the GDPR refers to EU citizens as data subjects.

Businesses vs. data controllers

The CCPA applies to businesses, which it defines as for-profit entities that conduct business in California, collect personal information from the state’s residents, and determine how that data will be used. An entity is considered a business if it meets at least one of the following conditions:

  • Annual gross revenues of $25 million or more
  • Collects, sells, or shares personal data of at least 50,000 consumers, devices, or households
  • Earns at least half of annual revenue from selling consumers’ personal data

The GDPR applies to data controllers, which it defines as entities that determine how and why they’ll use personal data from EU residents.

What rights are given to people by CCPA and GDPR laws?

CCPA data subject rights are similar to those included in the GDPR. Under both sets of regulations, people protected under the CCPA and GDPR are entitled to: 

  • Knowledge — Businesses must disclose how they collect and use personal data.
  • Access — People can request and receive access to their personal data.
  • Opt out — Individuals may, under certain conditions, have the right to opt out of an organization’s data collection.
  • Portability — CCPA data portability and GDPR data portability rules afford individuals the right to their data in an accessible format, such as a CSV file. 
  • Erasure — With some exceptions, organizations must delete an individual’s personal data upon that individual’s request.

How do opt-in (GDPR) and opt-out (CCPA) systems apply?

The GDPR requires organizations to offer an opt-in process for data collection, meaning most types of data cannot be collected without individual consent. CCPA consent requirements generally allow organizations to collect consumer data, so long as they explain what data they’re collecting and how it’s being used, and offer a way for consumers to opt-out of data collection.

How does each law define data collecting, selling and processing?

While the CCPA and GDPR describe personal data in similar terms, they use different wording regarding the collection and management of data.


The CCPA describes data management actions as:

  • Collecting — The gathering of information.
  • Processing — Action involving data after collection.
  • Selling — The transfer or disclosure of data (not necessarily in exchange for payment).


The GDPR defines any action involving personal data — collecting, selling, and storing, for example — as “processing.” 

What data security measures are required by each law?

The CCPA and GDPR have different approaches to data security.


The CCPA does not define specific requirements for protecting consumer data; however, it does allow individuals whose data is compromised in a data breach to sue the organization responsible.


The GDPR requires organizations to ensure the adequate security of data by implementing technical and organizational security measures. 

What penalties apply to violations?

CCPA and GDPR compliance requirements define penalties for misuse of data. Penalties for GDPR non-compliance are proportionate to the violation, ranging from 2% to 4% of a company’s global turnover for the previous fiscal year, or 10 to 20 million euros, whichever is greater.

The CCPA mandates fines only in the case of a data breach. Fines are $2,500 for each unintentional violation, or $7,500 for each intentional violation; fines would apply for every individual whose data was compromised in a breach. 

How do CCPA and GDPR laws impact cookie consent?

Cookies are the mechanisms by which websites collect data about users. These may be first-party cookies, such as those that improve the functionality of an e-commerce site, or third-party cookies, such as marketing cookies that track users across multiple domains. 

Regardless of which type of cookies exist on your site, the CCPA and GDPR both contain language that affects how organizations must manage consent.


The CCPA requires organizations to explain which cookies are on their site, what data they collect, and how that data is used. A convenient method must be presented that allows visitors to opt-out of cookies or modify cookie preferences.


The GDPR’s broader language about data collection applies to cookie consent — it must be an affirmative (opt-in) action that is fully informed, recorded, and changeable, and the method for opting in or rejecting cookies must be accessible for all users.

What are the most important differences between the CCPA and the GDPR?

The primary difference between these two sets of regulations is that the CCPA mandates an opt-out policy for data collection, whereas the GDPR requires organizations to offer an opt-in in order to collect data. 

The other key difference is that the CCPA protects California residents, and the GDPR protects EU citizens and residents. 

Do U.S. companies have to follow GDPR?

Any company (that meets CCPA’s definition of a business) with a website that EU citizens and residents might visit must comply with GDPR. 

Does GDPR cover the CCPA?

Being compliant with the GDPR does not necessarily mean a company is compliant with the CCPA; however, GDPR compliance is a good foundation for CCPA compliance.

Where do CCPA and GDPR laws overlap?

Both sets of regulations emphasize consumers’ right to privacy and require organizations to be transparent about the type of data they collect and for what purpose. These regulations also offer individuals the right to request access to their personal data and rescind consent.

Try Monsido by Acquia’s Cookie Consent Manager

Businesses may not be aware which cookies are on their website, and that creates compliance concerns. Monsido’s Cookie Consent Manager scans your site for cookies, determines their purpose, and provides recommendations for fine-tuning your site’s compliance.

Cookie configurations

Monsido’s Cookie Consent Manager takes the guesswork out of cookie management, making it easy to categorize cookies and scripts for compliance purposes.  

Consent logs

Monsido tracks and documents users’ cookie consent and preferences, ensuring audit-ready compliance.

Consent analytics

Consent analytics show you the rate at which visitors consent to cookies, and the types of cookies they authorize.  

Keep Reading

View More Resources