
What is the difference between GDPR and CCPA?

Understanding the difference between GDPR and CCPA is crucial for any business managing personal data of individuals in the EU and California. While both laws are leading data privacy regulations, they differ significantly in terms of scope, consumer rights, compliance obligations, and penalties.

In this guide, we compare GDPR vs. CCPA with a clear side-by-side table and detailed explanations to help you stay compliant with evolving privacy laws.

GDPR vs. CCPA: Quick Comparison Table:

Type
  GDPR (General Data Protection Regulation): Comprehensive data privacy regulation
  CCPA (California Consumer Privacy Act): State-level privacy law

Scope
  GDPR: Organizations processing EU personal data
  CCPA: For-profit businesses handling California personal data

Who Needs to Comply?
  GDPR: Applies to companies that:
    • Collect or store data from EU citizens or residents
    • Operate outside of the EU yet offer goods or services to EU citizens
    • Monitor EU user behavior (GDPR territorial scope)
  CCPA: Applies to companies that:
    • Buy, share, or sell data from at least 50K California citizens
    • Earn more than 50% of revenue from the sale of personal data
    • Have annual revenue of ≥$25M (CCPA business obligations)

Definition of Personal Data
  GDPR: Covers any info identifying a living person used commercially. Public data not excluded.
  CCPA: Includes any info linked to a person, household, or device. Public records are excluded.

Consumer Rights
  GDPR:
    • Right to access personal data
    • Right to correct personal data in case of inaccuracy
    • Right to delete personal data
    • Right to restrict personal data processing
    • Right to port data to another controller
    • Right to object to personal data processing
    • Right to object to automated data processing for decision-making and profiling
  CCPA:
    • Right to know and access personal info
    • Right to delete personal info
    • Right to opt-out of the sale of personal data (CCPA opt-out requirements)
    • Right to non-discrimination for exercising rights

Opt-in Requirement for Data Collection
  GDPR:
    • Explicit opt-in required
    • Withdraw consent anytime
  CCPA:
    • No opt-in required (unless under 13)
    • Opt-out available

Cookie Regulations
  GDPR:
    • Consent required before placing cookies
    • Must inform users clearly
  CCPA:
    • Consent not required unless data is sold
    • Must allow opt-out

Age of Consent
  GDPR: 16 (can be lowered to 13 by EU states)
  CCPA: 16 (with parental consent under 13)

Fines & Penalties
  GDPR: Depending on the violation that occurred, the GDPR fines may be up to either:
    • >2% of global annual turnover or €10 million, whichever is higher; or
    • >4% of global annual turnover or €20 million, whichever is higher.
  CCPA: Depending on the violation that occurred, the penalty under CCPA may be up to:
    • $2,500 for each violation;
    • $7,500 for each intentional violation

Regulatory Authority
  GDPR: Enforced by the EDPB, the EU Commission, and national data protection authorities.
  CCPA: Enforced by the California Attorney General.

Business Location
  GDPR: Companies outside the EU must comply if they process EU citizens’ data.
  CCPA: Businesses don’t need to be physically in California to comply.

Children’s Data Protection
  GDPR: Parental consent is required for users under 16 (or 13 if a member state lowers it).
  CCPA: Parental consent is required for users under 13.

Compensation & Legal Claims
  GDPR: Fines vary based on severity, intent, and company cooperation.
  CCPA: Consumers can claim damages between $100 and $750 per violation (or actual damages, whichever is higher).

Transparency Requirements
  GDPR: Organizations must clearly communicate what data they collect, how long they store it, and where they share it.
  CCPA: Businesses must disclose what personal data they collect, how they use it, and with whom they share it.

Conclusion:

Both GDPR and CCPA aim to protect individuals’ privacy, but they differ in scope and requirements. GDPR applies broadly to any organization processing EU residents’ data and mandates explicit consent, while CCPA focuses on California consumers, allowing them to opt out of data sales. Understanding these differences is crucial for compliance.