GDPR vs. CCPA: What you need to know about privacy regulations

Written by: Caren Roblin

Data privacy has become one of the most consequential areas of business compliance in recent years, and the pace of regulatory change is only accelerating.

The European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) remain the two most influential privacy laws affecting businesses worldwide. Both shape how personal data is collected and handled, and most businesses operating across borders have to comply with both.

The need for strong data protection is not abstract. According to the Identity Theft Resource Center's 2024 Annual Data Breach Report, there were 3,158 data compromises in the U.S. alone, resulting in more than 1.35 billion victim notices sent to individuals. That is roughly six notices for every adult in the United States. And the global average cost of a data breach reached $4.44 million in 2025, according to IBM's annual report.

Let's look at what each law covers, how they compare, how they differ, and what has changed in the regulatory landscape since both were first enacted.

What is the GDPR?

The GDPR applies to any business that processes the personal data of EU residents, regardless of where the business is located.

The GDPR is Europe's comprehensive data privacy and security law. It went into effect on May 25, 2018, and applies to any organization worldwide that collects or processes the personal data of EU citizens or residents. In other words, your business does not need to be located in Europe to be subject to the GDPR.

The law carries real teeth. As of early 2026, regulators have issued more than 2,685 GDPR fines totaling over €6.1 billion since enforcement began in 2018, according to the CMS GDPR Enforcement Tracker. The largest single fine remains the €1.2 billion penalty levied against Meta in 2023. Recent notable actions include a €310 million fine against LinkedIn in 2024 for unlawful processing of user data and a €530 million fine against TikTok in 2025 for improper international data transfers.

The GDPR establishes seven principles for lawful data processing:

  • Lawfulness, fairness and transparency: Processing must be lawful, fair and transparent to the individual.
  • Purpose limitation: Data must be collected for specific, explicit, legitimate purposes and not processed further in ways incompatible with those purposes.
  • Data minimization: Only collect and process the data that is strictly necessary for your stated purpose.
  • Accuracy: Personal data must be accurate and kept up to date.
  • Storage limitation: Data should be retained only as long as necessary for its stated purpose.
  • Integrity and confidentiality: Processing must be done with appropriate security, including protection against unauthorized access or accidental loss.
  • Accountability: You are responsible for demonstrating compliance with all of the above principles.

The GDPR also grants individuals eight specific privacy rights:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure (the "right to be forgotten")
  • The right to restriction of processing
  • The right to data portability
  • The right to object
  • Rights related to automated decision-making and profiling

For a detailed breakdown, see our dedicated GDPR guide, or read the full regulation in PDF form. The gdpr.eu resource hub also provides practical checklists for organizations.

Total GDPR fines have surpassed €6.1 billion since 2018. The Irish Data Protection Commission alone is responsible for 9 of the 10 largest individual fines ever issued, largely because major U.S. tech companies have their European headquarters in Ireland. If your business serves EU customers, regulatory risk is real and growing.

What is the CCPA (and CPRA)?

The CCPA, as strengthened by the CPRA, gives California residents extensive rights over how their personal data is collected and used.

The United States does not have a single comprehensive federal privacy law equivalent to the GDPR. The CCPA, often called "California's GDPR," remains one of the most significant consumer privacy laws in the country. It went into effect on January 1, 2020, and applies to certain businesses that collect personal information about California residents, regardless of where those businesses are located. Because California is among the largest economies in the world, the CCPA has a broad practical impact well beyond state lines.

In November 2020, California voters approved Proposition 24, which created the California Privacy Rights Act (CPRA). The CPRA amended and significantly strengthened the CCPA. Its substantive provisions took effect on January 1, 2023, and businesses are now required to comply with the CCPA as amended by the CPRA. The law is still generally referred to as the "CCPA," but it is materially stronger than the original 2020 version.

Updated CCPA/CPRA applicability thresholds

The CPRA updated the thresholds that determine which businesses must comply. A business is now subject to the CCPA/CPRA if it does business in California and meets any of the following criteria:

  • Has annual gross revenues exceeding $25 million
  • Annually buys, sells, or shares the personal information of 100,000 or more consumers or households (raised from 50,000 under the original CCPA)
  • Derives 50% or more of its annual revenues from selling or sharing consumers' personal information

The CPRA also expanded the rights available to California residents. In addition to the original CCPA rights (access, deletion, opt-out of sale, and non-discrimination), consumers now have the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information.

The definition of personal information was also expanded. It includes the original categories (names, phone numbers, IP addresses, device identifiers, biometric, audio and location data) and now also covers a consumer's citizenship or immigration status (added January 1, 2024) and neural data (added in 2025 as a category of sensitive data).

Starting January 1, 2026, new CPPA-adopted regulations took effect requiring mandatory cybersecurity audits for certain categories of businesses, risk assessments for automated decision-making technology (ADMT), and expanded consumer rights related to algorithmic processes. These 2026 regulations represent the most significant expansion of California privacy obligations since the CPRA itself took effect.

Penalty exposure under the CCPA also increased under the CPRA. The state can now impose fines of up to $2,500 per unintentional violation and $7,500 per intentional violation (or any violation involving minors' data). The previous 30-day automatic cure period was eliminated; businesses may or may not be granted one depending on the circumstances. The California Privacy Protection Agency (CPPA), created by the CPRA, can bring enforcement actions independently of the Attorney General's Office. Find out more about the CCPA at the California Attorney General's Office.

How do the GDPR and CCPA compare?

What they have in common

Both laws share a common goal: giving individuals meaningful control over their personal data. Specifically, both laws use similar definitions of key terms like "personal data" and "consumer." Both include heightened protections for individuals aged 16 or younger. Both require that businesses give individuals the ability to access the data that has been collected about them, learn how it is being used or shared, and request its deletion. Both also establish accountability requirements, meaning businesses cannot simply claim compliance but must be able to demonstrate it.

How they differ

Side-by-side comparison

GDPR vs. CCPA (as amended by CPRA), by topic:

  • Who it applies to
    GDPR: Any business processing data of EU residents, regardless of location
    CCPA: Businesses meeting revenue, data volume, or revenue-share thresholds that collect data of California residents
  • Went into effect
    GDPR: May 25, 2018
    CCPA: January 1, 2020 (CPRA amendments: January 1, 2023)
  • Maximum fines
    GDPR: Up to €20 million or 4% of global annual turnover, whichever is higher
    CCPA: Up to $7,500 per intentional violation (or any violation involving minors); $2,500 per unintentional violation
  • Consent model
    GDPR: Opt-in; requires clear, affirmative consent before collecting data
    CCPA: Opt-out; consumers must be given the ability to opt out of data sale, and opt-in is required for minors under 16
  • Consumer/individual rights
    GDPR: 8 rights, including access, erasure, portability, objection and rights against automated decisions
    CCPA: Rights to access, delete, correct, limit sensitive data use, opt out of sale/sharing, and non-discrimination
  • Data portability
    GDPR: Required
    CCPA: Required
  • Sensitive data
    GDPR: Explicit consent required for special categories (race, religion, health, etc.)
    CCPA: Right to limit use of sensitive personal information; expanded categories including neural and immigration data
  • Data breach notification
    GDPR: Required (within 72 hours of discovery)
    CCPA: Civil liability for certain breaches; security obligations enforced by the CPPA and Attorney General
  • Enforcement body
    GDPR: Data protection authorities (DPAs) in each EU member state
    CCPA: California Privacy Protection Agency (CPPA) and California Attorney General
  • Private right of action
    GDPR: Limited
    CCPA: Available for certain data breaches

Scope: who does each law apply to?

The GDPR has a broader geographic trigger: if you process the personal data of EU residents, you must comply, period. There are no revenue or data-volume thresholds. The CCPA applies specifically to for-profit businesses that meet at least one of the three thresholds described above. This means very small businesses may fall outside CCPA scope, while the GDPR would still apply if they serve EU customers.

Consent model: opt-in vs. opt-out

The consent model is one of the most operationally significant differences between the two laws. The GDPR uses an opt-in model: you must have a valid legal basis for processing personal data, and where consent is your basis, it must be freely given, specific, informed and unambiguous. Under the CCPA, the default model is opt-out: businesses can collect and use consumer data, but must give consumers a clear mechanism to opt out of the sale or sharing of their data, typically a "Do Not Sell or Share My Personal Information" link on their website. Explicit opt-in consent is only required for consumers under 16. For practical guidance on building consent-based email marketing, see our guide on email data privacy best practices.

Fines and enforcement

GDPR fines can be severe. For the most serious violations, regulators can impose fines of up to €20 million or 4% of global annual turnover, whichever is higher. Total GDPR fines since 2018 have exceeded €6.1 billion. Under the updated CCPA/CPRA, the CPPA can impose fines of up to $7,500 per intentional violation or any violation involving a minor's data. Each affected consumer can constitute a separate violation, so exposure scales quickly.

Data protection requirements

The GDPR is prescriptive about data security. It requires organizations to keep data encrypted, confidential and accessible to authorized parties; notify supervisory authorities of a breach within 72 hours; and perform a Data Protection Impact Assessment (DPIA) before processing personal data in ways likely to result in high risk to individuals.

The CCPA/CPRA is somewhat less prescriptive on technical controls, but the newly effective 2026 regulations add mandatory cybersecurity audit requirements for certain businesses. The CPPA and California Attorney General can bring enforcement actions for failures to adequately protect consumer data, and consumers retain a private right of action for certain categories of data breach.

Beyond CCPA: the expanding U.S. state privacy landscape

As of 2026, 20 U.S. states have enacted comprehensive consumer privacy laws, with more expected to follow.

One of the most important developments since the CCPA was first enacted is the rapid growth of state-level privacy laws across the U.S. As of 2026, 20 states have comprehensive consumer privacy laws in effect, including Virginia, Colorado, Connecticut, Texas, Oregon, Montana, New Jersey, Maryland, Minnesota, Delaware, and others. Indiana, Kentucky and Rhode Island joined the list effective January 1, 2026.

While most state laws follow a similar framework to the CCPA, some are notably stronger. Maryland and Minnesota, for example, impose requirements that go beyond most other state statutes. Several states have also enacted specific protections for children and teen users, neural data, and biometric identifiers. Businesses that operate nationally now face a patchwork of state privacy obligations that, taken together, are approaching GDPR-level complexity.

Despite years of congressional discussion, the United States still does not have a single comprehensive federal privacy law like the GDPR. As a result, businesses operating in multiple states must track and comply with a growing set of individual state requirements. Many compliance experts recommend building your data practices to meet GDPR and California standards as a baseline, which will put you in a strong position across most U.S. state laws as well.

What this means for your marketing

Privacy regulations directly shape what marketers can and cannot do with customer data. From email opt-ins to behavioral targeting to data retention policies, both the GDPR and CCPA impose real constraints, and violations carry real costs. For a deep dive on staying compliant in your email program, see our guides on GDPR and email marketing and email data privacy best practices. For broader context on privacy policies and what they should include, see our privacy policy guide.

Action steps for your organization

Understanding the GDPR and CCPA is the first step; building a compliance program is the next. Here are the priorities most organizations should focus on:

  • Map your data: Identify what personal data you collect, where it is stored, how it is used and who has access to it.
  • Audit your consent mechanisms: Ensure your opt-in and opt-out processes meet the requirements of each law that applies to your business.
  • Update your privacy policy: Your privacy policy should accurately reflect your current data practices. Review it at least annually.
  • Prepare for breach notification: Have a documented process for detecting, investigating and notifying regulators and individuals of data breaches within required timeframes.
  • Review automated decision-making: If you use AI or algorithms to make decisions about consumers, the 2026 CPPA regulations and the GDPR both impose specific obligations in this area.
  • Watch the state law landscape: If you operate in multiple U.S. states, track which comprehensive privacy laws apply to your business, as the list is growing each year.

Personal data privacy and consumer rights will continue to expand across the world. The regulatory environment is more complex than ever, but the core principle is simple: treat your customers' data with the same care you would want your own information treated. Organizations that build privacy into their processes now will be far better positioned as enforcement intensifies globally.

DailyStory is built with data compliance in mind, offering consent tracking, automated unsubscribe handling, GDPR-compliant audit logs and more. Schedule a free demo to see how DailyStory can help your team stay compliant without sacrificing campaign performance.