In April 2025, Ireland's Data Protection Commission fined TikTok €530 million for transferring EU user data to China without adequate protections — one of the largest GDPR penalties ever issued. That same fine is now on hold after TikTok won a court stay in November 2025, but the underlying violation stands: cross-border data transfers under GDPR require documented safeguards, and "we thought it was fine" doesn't cut it.
A few months later, California hit Disney with a $2.75 million CCPA settlement — the largest to date — for opt-out failures. Not data breaches. Not covert surveillance. Just broken opt-out toggles and GPC signals that weren't being respected.
Two continents, two enforcement actions, two completely different legal theories. If your business serves both EU residents and California consumers, you're operating under both frameworks simultaneously. Most companies treat GDPR and CCPA as variants of the same thing. They're not — and that misunderstanding is exactly what creates compliance gaps.
CCPA vs GDPR at a glance
Before getting into specifics, here's how the two laws compare across the dimensions that matter most for compliance programs.
| Dimension | GDPR | CCPA / CPRA |
|---|---|---|
| Jurisdiction | EU/EEA residents, worldwide applicability | California consumers, US for-profit businesses |
| Who it covers | Any org processing EU data, regardless of size | For-profits meeting revenue or volume thresholds |
| Consent model | Opt-in — lawful basis required before processing | Opt-out — processing permitted; consumers opt out of sale/sharing |
| Max penalty | €20M or 4% of global annual turnover | $7,500 per intentional violation; $2,500 unintentional |
| Rights response time | 30 days (extendable to 90) | 45 days (extendable to 90) |
| Private right of action | Broad — any violation can trigger claims | Limited to data breaches affecting specific data types |
| Data transfers | Strict cross-border transfer rules (SCCs, adequacy decisions) | No explicit transfer restrictions (opt-out model instead) |
| Automated decisions | Article 22 since 2018 — right to human review | ADMT rules added January 1, 2026 |
The consent model is the core difference
This is the one that catches people off guard. GDPR and CCPA have fundamentally opposite starting positions on data processing.
GDPR is an opt-in framework. You can't process personal data unless you have a documented lawful basis — consent, legitimate interests, contractual necessity, legal obligation, or one of the other bases under Article 6. Consent, when used as the basis, must be freely given, specific, informed, and unambiguous. Pre-ticked boxes don't count. Silence doesn't count. The burden is on you to justify the processing before it happens.
CCPA is an opt-out framework. You can collect and use personal data by default. Consumers have the right to tell you to stop selling or sharing their data — and you have to provide a clear mechanism for that. The "Do Not Sell or Share My Personal Information" link is CCPA's answer to GDPR's consent requirement, but they work in opposite directions. One requires permission first; the other requires honoring objections after the fact.
This difference has real architectural implications for your consent management. A GDPR-compliant cookie banner that blocks analytics until the user clicks "Accept" is correct behavior for EU visitors. That same banner applied globally would prevent you from building the usage analytics you're allowed to collect under CCPA for California visitors. You need geo-targeted consent logic — different consent flows for EU vs US visitors.
Who each law applies to
GDPR scope
GDPR has essentially no minimum size threshold. If EU residents can reach your website, you process their data, and you either offer goods or services to them or monitor their behavior, you're subject to GDPR. A two-person startup with European customers can be fined under GDPR. Most enforcement has targeted large companies, but the legal obligation exists regardless of company size.
GDPR also applies to data processors, not just controllers. If you're a SaaS vendor handling customer data on behalf of clients, you're a data processor and GDPR imposes direct obligations on you — data processing agreements, security requirements, breach notification duties.
CCPA scope
CCPA is more selective. It applies to for-profit businesses that do business in California and meet at least one threshold:
- Annual gross revenue exceeding $25 million (global revenue, not just California)
- Buy, sell, or share personal information of 100,000+ California consumers or households per year
- Derive 50%+ of annual revenue from selling or sharing California consumers' personal information
The 100,000 consumer threshold catches more businesses than people expect. Any company with meaningful web traffic in California, an e-commerce operation, or a mid-sized SaaS product can hit 100,000 California consumers or households annually without noticing. And since the employee data exemption expired January 1, 2023, if you have California-based employees, your HR practices are in scope too.
Consumer rights: where they overlap and where they diverge
Both laws give individuals rights over their data. The rights have similar names but different shapes.
Rights that map cleanly
Right to access (GDPR Article 15) and CCPA's right to know are conceptually equivalent — consumers can ask what you've collected and why. The response timelines differ (30 days for GDPR, 45 days for CCPA), but the process is similar enough that a unified data subject request workflow handles both.
Right to erasure (GDPR Article 17) and CCPA's right to delete are similar, with different exceptions. GDPR allows deletion to be refused for freedom of expression, legal obligations, public interest, and similar grounds. CCPA has its own exception list focused on things like completing a transaction, legal obligations, and security purposes.
Right to correction exists under both — GDPR Article 16, CCPA Section 1798.106. Same concept, same compliance approach.
Rights that are law-specific
GDPR has data portability (Article 20) — the right to receive personal data in a machine-readable format and transfer it to another controller. CCPA doesn't have an equivalent portability right, only a right to receive data in a "readily useable format."
GDPR has the right not to be subject to solely automated decisions (Article 22) — the right to human review of significant automated processing. CCPA's ADMT rules, which took effect January 1, 2026, add similar protections but with different mechanics: pre-use notice requirements and opt-out rights rather than a right to human review.
CCPA has the right to opt out of sale or sharing — there's no direct GDPR equivalent because GDPR's consent-first model means you can't sell data you didn't have permission to collect in the first place. If you're relying on legitimate interests for analytics cookies under GDPR, that same processing might still require a CCPA opt-out mechanism if you're sharing data with ad networks.
CCPA's definition of "sell" or "share" is broader than money changing hands. If you share user data with a third-party analytics service, advertising platform, or data broker — even for free — that may qualify as "selling" or "sharing" under CCPA. Companies that only thought about cash transactions have been caught off guard. Check your vendor relationships, not just your billing records.
Enforcement and penalties: not the same risk profile
GDPR enforcement is more aggressive at scale. Total GDPR fines now exceed €7.1 billion. The €530 million TikTok fine, the €1.2 billion Meta fine for transatlantic data transfers, and the €405 million fine against Instagram's handling of children's data are all GDPR actions. The upper tier — up to 4% of global annual turnover — means a large company can face a nine-figure fine for a single violation.
CCPA penalties look smaller in absolute terms: $2,500 per unintentional violation, $7,500 per intentional violation. But these are per-consumer, per-incident figures. If your opt-out button isn't working for 200,000 California users, that's potentially $500 million in theoretical exposure at the $2,500 unintentional rate, and three times that if the violation is found to be intentional. The Disney settlement at $2.75 million was a negotiated resolution — it could have been much larger under a strict per-violation analysis.
The other key difference: who enforces it. GDPR enforcement runs through independent Data Protection Authorities in each EU member state — the Irish DPC (TikTok), the French CNIL (Google), Italy's Garante. CCPA enforcement runs through the California Attorney General and, since 2023, the California Privacy Protection Agency (CPPA), which has independent enforcement authority. The CPPA has been active in 2026 — Ford, PlayOn Sports, and several data broker actions in Q1 alone.
What's new in 2026
CCPA's January 2026 regulation package
The California Privacy Protection Agency finalized a broad set of regulation amendments in September 2025, with key provisions taking effect January 1, 2026:
- Mandatory opt-out confirmation. When a consumer submits an opt-out request or sends a GPC signal, your website must visibly confirm the request was processed. Silent compliance isn't enough anymore — this is exactly what tripped up Disney.
- Symmetrical consent. Opting out can't be harder than opting in. If opt-in is one click, opt-out must be one click too.
- ADMT pre-use notice and opt-out. If you use automated systems to make significant decisions about consumers — hiring screening, credit decisions, targeted ad personalization based on inferences — you now have to notify consumers before the processing starts and offer them an opt-out.
- Expanded right to know. Consumers can now request personal information going back to January 1, 2022.
GDPR in 2026
GDPR enforcement continues to expand beyond Big Tech. The EDPB's 2026 coordinated enforcement action focuses on transparency obligations under Articles 12-14 — how clearly you explain data collection to users. This is the same area we've been covering in our GDPR compliance posts, and it's the most common area where smaller companies are deficient.
The TikTok case also put renewed focus on cross-border data transfer documentation. If you're using US-based cloud services, analytics platforms, or vendors that might have data center infrastructure outside the EU, your Article 46 transfer mechanisms (Standard Contractual Clauses, adequacy decisions) need to be current and documented. The TikTok violation wasn't about an unusual data practice — it was about failure to document and verify protections for data accessible outside the EU.
How to comply with both frameworks simultaneously
Running separate compliance programs for GDPR and CCPA is wasteful. There's enough overlap that a unified approach handles 80% of both, with specific additions for each.
1. Build a unified data inventory
Both frameworks require you to know what data you hold, why you hold it, and where it goes. One data inventory that records: data category, source, purpose, retention period, third-party recipients, lawful basis (for GDPR), and whether it's sold/shared (for CCPA) covers the foundational requirements of both. The CCPA's specific 11-category taxonomy doesn't map perfectly to GDPR's approach, but the underlying data mapping work is the same.
2. Write privacy notices that satisfy both
GDPR requires transparency notices under Articles 13 and 14 — what you collect, why, on what legal basis, how long you keep it, and what rights data subjects have. CCPA requires disclosures of the 11 data categories, collection purposes, third-party sharing categories, and consumer rights.
A privacy policy that satisfies both needs: explicit category-level disclosures in CCPA's format, legal basis documentation in GDPR's format, and rights disclosures that cover both sets of rights with the correct response timelines for each jurisdiction. It's not impossible to cover both in one document — it just requires care about specificity.
3. Geo-target your consent mechanisms
EU visitors need a GDPR-compliant consent banner — no non-essential cookies until they accept, with a clear option to reject them. California visitors need a "Do Not Sell or Share" mechanism, GPC signal detection, and post-January 2026 opt-out confirmation. Other US visitors may be under state laws that mirror CCPA (Colorado, Connecticut, Virginia, Texas, and others).
The practical solution is a consent management platform that handles geo-detection and applies the appropriate consent rules by jurisdiction. Platforms like OneTrust, Cookiebot, and Usercentrics support this natively. What they don't do is check your privacy policy documents for compliance — that's a separate layer.
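As an added example (not code from the original post or from PolicyAudit or any consent platform named above), here is a server-side consent resolver in Python for the geo-targeted logic described in this section and in the consent-model section: EU/EEA visitors get opt-in with nothing non-essential until an explicit accept, California visitors get opt-out with GPC detection and the January 2026 visible confirmation. The country and region codes are assumed to come from an upstream geo-IP lookup, the stored choices from cookies; both names and the "other" branch behavior are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

# EU/EEA country codes (ISO 3166-1 alpha-2); the EEA adds IS, LI, NO to the EU 27.
EU_EEA = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL "
             "PT RO SK SI ES SE IS LI NO".split())

@dataclass(frozen=True)
class ConsentDecision:
    regime: str                      # "gdpr", "ccpa" or "other"
    load_analytics: bool             # may non-essential analytics tags run now
    share_with_third_parties: bool   # may data flow to ad networks / data brokers
    banner: str                      # "opt-in", "opt-out" or "none"
    confirmation: Optional[str]      # text to display when an opt-out was honored

def gpc_signal(headers: Mapping[str, str]) -> bool:
    """True when the browser sent the Global Privacy Control header (Sec-GPC: 1)."""
    return headers.get("Sec-GPC", "").strip() == "1"

def resolve_consent(country: str, region: str, headers: Mapping[str, str],
                    stored: Mapping[str, str]) -> ConsentDecision:
    """Pick the consent regime for one request from geo data, headers and cookies."""
    gpc = gpc_signal(headers)
    if country in EU_EEA:
        # GDPR: opt-in. Nothing non-essential runs until an explicit "accept";
        # silence or a dismissed banner counts as no consent.
        choice = stored.get("gdpr_choice")            # "accept", "reject" or absent
        accepted = choice == "accept"
        return ConsentDecision("gdpr", accepted, accepted,
                               "none" if choice in ("accept", "reject") else "opt-in", None)
    if country == "US" and region == "CA":
        # CCPA: opt-out. Collection is permitted by default; a GPC signal or a stored
        # "Do Not Sell or Share" choice stops third-party sharing, and the January 2026
        # rules require a visible confirmation that the request was processed.
        opted_out = gpc or stored.get("ccpa_opt_out") == "1"
        confirmation = None
        if opted_out:
            how = "Global Privacy Control signal" if gpc else "opt-out request"
            confirmation = f"Your {how} was received; we will not sell or share your personal information."
        return ConsentDecision("ccpa", True, not opted_out, "opt-out", confirmation)
    # Everyone else: no banner, but GPC is still honored as a conservative default
    # (an assumption of this example; other US state laws are not modeled here).
    return ConsentDecision("other", True, not gpc, "none", None)
```

Header names are matched with canonical casing here; a real web framework normalizes them before this point.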
4. Unify your rights request handling
A data subject request from an EU user under GDPR and a consumer request from a California user under CCPA are processed essentially the same way: verify identity, locate data, respond within the applicable deadline (30 days GDPR / 45 days CCPA), document the response. Build one workflow with configurable deadline tracking for each jurisdiction.
5. Document your data transfers
GDPR cares deeply about where data goes. If you're using US cloud services, analytics tools, or vendors accessible outside the EU, you need Standard Contractual Clauses or another Article 46 mechanism. CCPA doesn't have equivalent transfer restrictions — but it does require disclosing the categories of third parties you share data with and allowing consumers to opt out of those transfers.
California and the EU aren't your only compliance concerns. Thirteen US states now have comprehensive consumer privacy laws: Colorado, Connecticut, Virginia, Texas, Florida, Oregon, Montana, and others. Most mirror CCPA's structure closely enough that CCPA compliance gets you most of the way there. But each has specific quirks — Texas has no opt-out confirmation requirement yet; Florida's law has a different revenue threshold. PolicyAudit checks your privacy policy against multiple US state frameworks simultaneously, so you're not running separate checks for each.
The dual-compliance checklist
If you need a working checklist for handling both GDPR and CCPA, these are the items that matter most:
- Privacy policy covers all 11 CCPA data categories you collect
- Privacy policy documents lawful basis for each processing activity (GDPR)
- Geo-targeted consent banner: opt-in for EU, opt-out for California
- "Do Not Sell or Share My Personal Information" link visible in footer
- GPC browser signals detected and honored (CCPA requirement)
- Opt-out confirmation displayed after GPC or form submission (Jan 2026)
- Rights request process with 30-day deadline for GDPR, 45-day for CCPA
- Standard Contractual Clauses or adequacy basis for EU data transfers
- ADMT pre-use notice and opt-out if using AI for consumer decisions
- Data processing agreements with all vendors who handle EU or CA data
- Breach notification process: 72-hour GDPR window, prompt CCPA notice
- Employee privacy notice for California-based staff
Where most GDPR-compliant companies have gaps under CCPA is GPC signal processing and the January 2026 opt-out confirmation requirement. Getting your GDPR house in order first is the right order of operations, but don't stop there.
For your privacy policy documents specifically, the fastest way to find gaps across both frameworks is an automated scan. PolicyAudit checks your policy text against both CCPA and GDPR requirements and shows you exactly what's missing — it takes less than a minute and is free for up to 3 documents.