Instant downloadAuditor-writtenSecure Stripe checkout
GDPR vs CCPA: Best 2026 Compliance Guide — ISO Toolkits

GDPR vs CCPA: Best 2026 Compliance Guide

Understanding GDPR vs CCPA is essential for any organisation that handles personal data across the EU and California, because the two laws share a goal but take very different routes to protect people. The GDPR (EU Regulation 2016/679) is a broad, principles-based framework applicable since 25 May 2018, while the California Consumer Privacy Act (as amended by the CPRA) is a consumer-rights statute focused on transparency and control over the “sale” and “sharing” of data. This guide explains where they overlap, where they diverge, and what a practical compliance approach looks like.

GDPR vs CCPA at a glance

Both laws give individuals meaningful rights and impose accountability on businesses, but they define scope, terminology and obligations differently. The GDPR regulates any organisation processing the personal data of people in the EU, regardless of where the organisation is based. The CCPA applies to for-profit businesses that meet certain thresholds (such as revenue or volume of consumer data) and do business in California.

AspectGDPR (EU Regulation 2016/679)CCPA / CPRA (California)
Who it protectsData subjects in the EUCalifornia residents (consumers)
Who must complyControllers and processors handling EU personal dataQualifying for-profit businesses meeting statutory thresholds
Legal basis to processRequires one of six lawful basesNo lawful-basis requirement; notice and opt-out driven
Default consent modelOften opt-in, depending on the lawful basisOpt-out of sale/sharing; opt-in for minors
Breach notification72 hours to the supervisory authorityNotification duties under California breach law; no fixed EU-style window
Maximum penaltiesUp to 20 million euro or 4% of global annual turnover, whichever is higherCivil penalties per violation, plus a private right of action for certain breaches

Scope and who is covered

The GDPR is deliberately wide. It reaches controllers and processors anywhere in the world if they process the personal data of people in the EU in connection with offering goods or services or monitoring behaviour. There is no revenue or size threshold, so a small business can fall within scope.

The CCPA is narrower at the entry point. It targets larger commercial operators that meet defined thresholds and handle California residents’ data. In practice, many global companies are subject to both, which is why a combined programme is usually more efficient than two separate ones.

Core principles and lawful bases

A defining feature in the GDPR vs CCPA comparison is the GDPR’s requirement for a lawful basis. Under the GDPR, every processing activity must rest on one of six lawful bases, and controllers must respect core principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

The CCPA does not require a lawful basis. Instead, it centres on clear notice at or before collection, honouring consumer requests, and giving people the ability to opt out of the sale or sharing of their personal information. The accountability burden is real, but structured around disclosures and rights rather than upfront justification.

Individual rights compared

Both regimes grant individual rights, and the overlap is significant even where the labels differ.

  • GDPR data subject rights: access, rectification, erasure (the right to be forgotten), restriction of processing, data portability, objection, and rights relating to automated decision-making and profiling.
  • CCPA consumer rights: the right to know what is collected, the right to delete, the right to correct, the right to opt out of sale or sharing, and the right to non-discrimination for exercising rights.

The GDPR’s right to object and its protections around automated decisions are broader than the CCPA equivalents, while the CCPA’s opt-out of “sale” and “sharing” is a distinctive control that has no exact GDPR twin.

Accountability, breaches and enforcement

The GDPR builds in documented accountability. Depending on the activity, organisations may need to carry out Data Protection Impact Assessments (DPIAs), maintain records of processing, define controller and processor responsibilities, and appoint a Data Protection Officer where required. Personal data breaches generally must be notified to the supervisory authority within 72 hours where feasible.

Enforcement stakes are high. GDPR fines can reach up to 20 million euro or 4% of global annual turnover, whichever is higher. The CCPA relies on civil penalties per violation and a limited private right of action for certain data breaches, which can still be costly at scale.

Practical steps to comply with both

The good news in the GDPR vs CCPA debate is that a well-built GDPR programme covers much of the CCPA. To align both, focus on the shared foundations:

  • Map your data: know what you collect, why, where it flows, and how long you keep it.
  • Document lawful bases (for GDPR) and clear collection notices (for both).
  • Build a single, verifiable process to handle access, deletion, correction and opt-out requests.
  • Maintain records of processing and run DPIAs for higher-risk activities.
  • Prepare a breach response plan that can meet the 72-hour GDPR window and California’s requirements.

For the authoritative EU text and guidance, consult the official GDPR information portal.

Frequently asked questions

Is the GDPR stricter than the CCPA?

In most respects the GDPR is more comprehensive: it requires a lawful basis, applies without a size threshold, and carries larger maximum fines. The CCPA is narrower but adds distinctive opt-out rights around sale and sharing.

Can one programme satisfy both GDPR vs CCPA obligations?

Largely, yes. A mature GDPR programme addressing data mapping, rights handling and accountability covers much of the CCPA, though you must add California-specific notices and the opt-out mechanism.

Does the CCPA have a 72-hour breach rule like the GDPR?

No. The 72-hour notification window to the supervisory authority is a GDPR obligation. California has its own breach-notification duties, but not that fixed timeframe.

Do small businesses need to worry about both laws?

A small business can fall under the GDPR with no revenue threshold, while the CCPA typically applies only above certain thresholds. Assess each separately based on where your customers are and how much data you handle.

GDPR vs CCPA compliance toolkit templates
The editable GDPR Toolkit — policies, RoPA, DPIA and rights-request templates.

Related guides

This article is general guidance only and is not legal advice.

Ready to operationalise both regimes? Our editable GDPR (EU Regulation 2016/679) toolkit gives you ready-to-use policies, records of processing, DPIA templates and rights-request procedures you can tailor in minutes. Get the GDPR Toolkit and build a compliance programme that scales from the EU to California.

Shopping Cart