GDPR vs CCPA: running one privacy programme across both
EU lawful-basis regime versus California notice-and-opt-out law.
GDPR vs CCPA / CPRA at a glance
| Feature | GDPR | CCPA / CPRA |
|---|---|---|
| Jurisdiction | EU / EEA personal data processing | California residents' personal information |
| Legal basis model | Processing needs one of six lawful bases under Article 6 (consent, contract, legal obligation, vital interests, public task, legitimate interests) | No lawful-basis requirement; built on notice plus a right to opt out of sale/sharing |
| Consent role | Consent is one of six bases — not required for all processing | Opt-out by default for sale/sharing; opt-in consent mainly for minors and certain sensitive uses |
| Key roles | Controller and processor | Business, service provider, and contractor |
| Core individual rights | Access, rectification, erasure, restriction, portability, objection | Know, Delete, Correct, Opt-Out of sale/sharing, Limit use of sensitive personal information |
| Applicability trigger | Establishment in the EU or targeting/monitoring EU data subjects | Business thresholds (e.g. revenue, volume of CA consumers, or revenue from selling/sharing) |
| Regulator | National data protection authorities (and the EDPB) | California Privacy Protection Agency (CPPA) and the Attorney General |
Running one privacy programme across both
GDPR and CCPA solve similar problems with different mechanics, so the efficient approach is one programme with jurisdiction-aware controls rather than two parallel projects. Build your data inventory once, then attach the right obligations per jurisdiction: GDPR needs a documented lawful basis under Article 6 for each processing activity and EU-style rights handling; CCPA needs a Notice at Collection, a working opt-out of sale/sharing, and the right to limit use of sensitive personal information. Avoid the common error of calling GDPR an opt-in law — most processing relies on bases other than consent. Map equivalent rights (erasure to delete, access to know), keep the divergent ones (objection versus opt-out) explicit, and you can serve EU and California users from a single, defensible operating model.
How ISMS Copilot helps with both
- Documents a GDPR Article 6 lawful basis for each processing activity
- Drafts a CCPA Notice at Collection and opt-out / limit-sensitive workflows
- Cross-maps GDPR data-subject rights to CCPA consumer rights for one programme
Frequently Asked Questions
Is GDPR an opt-in law and CCPA opt-out?
Not quite. GDPR allows six lawful bases under Article 6 — consent is only one of them, so most processing is not consent-based. CCPA centres on notice plus a right to opt out of the sale or sharing of personal information.
Do GDPR and CCPA use the same terminology?
No. GDPR uses controller and processor and data subject; CCPA uses business, service provider, contractor, and consumer. The substantive rights overlap but are not identical, so map them deliberately.
Can one privacy programme cover both?
Yes. Build a single data inventory and rights process, then layer jurisdiction-specific obligations: lawful-basis records for GDPR, Notice at Collection and opt-out mechanics for CCPA.