
CCPA vs GDPR: Key Differences Every US Company Handling EU Data Must Know

A side-by-side comparison of CCPA and GDPR to help businesses operating in both the US and EU understand their obligations and plan for compliance.

Introduction

US companies that handle personal data about EU residents face two major privacy frameworks simultaneously: the California Consumer Privacy Act (CCPA, as amended by CPRA) and the EU General Data Protection Regulation (GDPR). While they share common principles, they differ substantially in scope, rights, enforcement mechanisms, and compliance obligations — and a programme designed for one won't automatically satisfy the other.

Threshold Comparison

GDPR applies to any organisation — regardless of location — that processes personal data of EU residents in connection with offering goods or services, or monitoring their behaviour. There is no size threshold.

CCPA/CPRA applies to for-profit businesses doing business in California that meet one of three thresholds: annual gross revenue above USD 25 million; annually buying, selling, or sharing personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenue from selling consumers' personal information.

Implication: a small US startup with EU customers is subject to GDPR regardless of revenue. A large US company may or may not be subject to CCPA depending on whether it meets the revenue or data volume thresholds.

Rights Comparison

| Right                     | GDPR                          | CCPA / CPRA                              |
|---------------------------|-------------------------------|------------------------------------------|
| Access                    | Yes — all personal data       | Yes — categories and specific data points |
| Deletion                  | Yes — with exceptions         | Yes — with exceptions                    |
| Correction                | Yes                           | Yes (added by CPRA)                      |
| Portability               | Yes                           | Yes (for data provided by consumer)      |
| Opt-out of sale           | No (consent-based)            | Yes — core right                         |
| Restrict processing       | Yes                           | Limited                                  |
| Object to processing      | Yes                           | Limited                                  |
| Automated decision-making | Yes — explicit right          | Yes (CPRA added)                         |
| Sensitive data            | Higher standard of consent    | Opt-out right for certain uses           |

Consent vs Opt-Out

The most fundamental difference: GDPR is an opt-in, consent-based model. You need a lawful basis for processing personal data — and for most marketing and non-essential activities, that means explicit consent before processing begins. CCPA is predominantly an opt-out model: you may process and share data, but you must provide a clear mechanism for consumers to opt out of its sale or sharing.

This means a CCPA-compliant cookie banner — which typically presents 'opt out of sale' rather than requiring opt-in — will not satisfy GDPR requirements for EU visitors.

Enforcement

GDPR enforcement is by national data protection authorities across EU member states. Fines can reach EUR 20 million or 4% of global annual revenue. CCPA/CPRA is enforced by the California Privacy Protection Agency (CPPA) with fines up to USD 7,500 per intentional violation.

Building a Programme That Satisfies Both

The most efficient approach for US companies with EU exposure is to design your privacy programme to GDPR standards — which are generally more stringent — and then layer CCPA-specific requirements (opt-out mechanisms, specific disclosure requirements) on top. This avoids maintaining two separate programmes.

Chabil Consulting builds data protection programmes for US companies with EU data exposure. Contact us at hello@chabilconsulting.com.
