Iubenda logo
Start generating


Table of Contents

CCPA vs GDPR: what’s the difference?

Despite having some similarities (like many of the user rights), the CCPA and the GDPR also differ significantly on quite a few issues, one of those being consent. First, let’s briefly recap what these two laws are:

  • The General Data Protection Regulation (EU) 2016/679 (GDPR) specifies how personal data should be lawfully processed, including how it’s collected, used, protected or interacted with in general.
  • The California Consumer Privacy Act (CCPA) is California’s newest privacy law aimed at enhancing consumer privacy rights for residents of California, United States.

But how is the CCPA different from the GDPR? Check out our infographic below:


For a more in depth comparison continue reading below.

Differences between GDPR and CCPA


Applies to Any for-profit business that targets Californian consumers and either
  • processes the personal data of at least 50K Californian consumers (IP addresses are considered personal data, so this would apply to any website with at least 50K visits from Californian consumers); or
  • makes at least 50% of its revenue from sharing Californian consumer data for any profit – monetary or otherwise; or
  • has an annual revenue of 25M or more.
Any entities (non-profit or otherwise – including NGOs, individuals, and public entities) that target EU consumers, or which are based in the EU.
B2B and B2C Protections applied to consumers only. No differentiation between protections applied to B2B and B2C (business to consumer) interactions, it simply applies its protections to “data subjects”, who are defined as any “identifiable natural persons” residing in the EU.
Types of data protected Any data that relates to, or is capable of being associated with a particular consumer or household, with the exception of public government records. Any data that can lead to the identification of an individual.
IP addresses considered as personal data

Users’ rights

Right to be informed
Right of access
Right to portability
Right to rectification ×
Right to to be deleted
Right to object Somewhat covered by the right to opt-out
Consent required before processing Only in the case of minors and in cases of previous opt-out. Yes, unless another legal basis legitimately applies.
Option to opt-out or withdraw consent Businesses must provide DNSMPI link and honor opt-out requests. Users have both the right to withdraw consent and the right to object to processing (potentially applicable even in cases where the processing is justified using a legal basis other than consent).

Fines & consequences

Fines of up to $7500 per individual violation. The CCPA also gives consumers the right to bring suit for damages. Fines of up to EUR 20 M (22 M USD) or 4% of annual global revenue – whichever is greater, potential audits and sanctions. The GDPR also gives data subjects the right to sue if their rights were violated.

Comply with both the CCPA and the GDPR

Start generating

About us


Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.


See also