ISMS Copilot

Mapping GDPR to CCPA / CPRA

Run one privacy programme that satisfies both EU and California obligations.

Running one programme across GDPR and CCPA/CPRA

The two regimes describe similar protections with different vocabulary and a different default. A GDPR controller is broadly the CCPA business; a GDPR processor maps to the CCPA service provider or contractor under Cal. Civ. Code 1798.100(d). GDPR requires a lawful basis under Article 6 — one of six, of which consent is only one — while CCPA/CPRA centres on notice and an opt-out of the sale or sharing of personal information, with a separate right to limit use of sensitive personal information under 1798.121. Access, deletion and portability rights exist in both but differ in scope and exemptions. ISMS Copilot produces a side-by-side crosswalk covering roles, lawful basis versus notice-at-collection (1798.100, 1798.130), data-subject versus consumer rights, and vendor-contract clauses, so one ROPA, one rights workflow and one notice set can be configured for both. The mapping is an operational aid; it does not assert legal equivalence, and jurisdiction-specific advice remains necessary.

Frequently Asked Questions

Can one privacy notice cover GDPR and CCPA?

A single notice can be structured to carry both, but it must still present the GDPR Article 13/14 information and the CCPA Notice at Collection under 1798.100 and 1798.130. ISMS Copilot drafts a layered notice that addresses each regime's mandatory elements.

How do GDPR roles translate to CCPA?

A GDPR controller generally corresponds to a CCPA business and a GDPR processor to a service provider or contractor under 1798.100(d). The contractual safeguards differ, so vendor agreements need clauses for both regimes rather than a direct copy.

Is opt-in consent enough for CCPA?

GDPR-style opt-in consent does not by itself satisfy CCPA, which centres on opt-out of sale/sharing plus a right to limit sensitive personal information under 1798.121. The crosswalk shows where consent and opt-out diverge so neither obligation is missed.
