GDPR vs CCPA: Understanding Your Privacy Rights in 2026
Two laws dominate the global privacy conversation: the European Union's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA), now strengthened by the California Privacy Rights Act (CPRA). Both give people more control over their personal data, but they take very different approaches. Understanding the differences helps you exercise your rights, no matter where you live or which companies hold your information.
This guide breaks down GDPR vs CCPA in plain language: what each law covers, the rights you get, how enforcement works, and what businesses must do to stay compliant in 2026.
What Is GDPR?
The General Data Protection Regulation (GDPR) is a European Union law that took effect on 25 May 2018. It governs how organizations collect, store, process, and share the personal data of people located in the EU and European Economic Area (EEA), regardless of where the organization itself is based.
GDPR is widely considered the world's most comprehensive privacy framework. It applies to any company, whether based in Berlin, Boston, or Bangalore, that offers goods or services to people in the EU or monitors their behavior, even if the company has no EU establishment.
Core principles of GDPR
- Lawfulness, fairness, and transparency – data must be processed legally and openly.
- Purpose limitation – data is collected for specific, legitimate reasons only.
- Data minimization – only what's necessary may be collected.
- Accuracy – personal data must be kept up to date.
- Storage limitation – data should not be kept longer than needed.
- Integrity and confidentiality – data must be protected from unauthorized access.
- Accountability – organizations must prove their compliance.
What Is CCPA (and CPRA)?
The California Consumer Privacy Act (CCPA) became effective on 1 January 2020. The California Privacy Rights Act (CPRA), an amendment that took full effect on 1 January 2023, expanded those protections and created the California Privacy Protection Agency (CPPA) to enforce them.
CCPA/CPRA applies to for-profit businesses that collect personal information from California residents and meet at least one of these thresholds:
- Annual gross revenue over $25 million, or
- Buy, sell, or share personal information of 100,000+ California consumers or households, or
- Derive 50% or more of annual revenue from selling or sharing personal information.
While narrower in geographic scope than GDPR, CCPA influenced a wave of similar U.S. state laws in Virginia, Colorado, Connecticut, Utah, Texas, and beyond.
GDPR vs CCPA: Side-by-Side Comparison
| Feature | GDPR (EU) | CCPA / CPRA (California) |
|---|---|---|
| Effective date | 25 May 2018 | 1 Jan 2020 (CPRA: 1 Jan 2023) |
| Who it protects | Anyone physically in the EU/EEA | California residents only |
| Who must comply | Any organization processing EU personal data | For-profit businesses meeting revenue/data thresholds |
| Legal basis required to process data? | Yes – 6 lawful bases (consent, contract, etc.) | No – notice-based model |
| Opt-in vs opt-out | Opt-in consent for most processing | Opt-out of sale/sharing |
| Right to access | Yes | Yes |
| Right to delete | Yes (right to erasure) | Yes (with exceptions) |
| Right to correct | Yes | Yes (added by CPRA) |
| Right to data portability | Yes | Limited |
| Right to object to automated decisions | Yes (Art. 22) | Limited (governed by CPPA regulations on automated decision-making technology) |
| Maximum fine | €20 million or 4% of global annual turnover, whichever is higher | $2,500 per violation; $7,500 per intentional violation or violation involving consumers under 16 |
| Private right of action | Yes (judicial remedy and compensation for damage, Art. 82) | Limited to certain data breaches |
| Regulator | National Data Protection Authorities (e.g., Ireland's DPC) | California Privacy Protection Agency (CPPA) + Attorney General |
Key Differences Explained
1. Scope: Who is protected?
GDPR protects all natural persons present in the EU when their data is processed—regardless of citizenship. CCPA only protects California residents. If you live in Texas or Toronto, CCPA doesn't directly apply to you, although companies often extend its protections nationally for simplicity.
2. Consent model: Opt-in vs opt-out
This is the most fundamental philosophical split. GDPR requires a lawful basis before any processing takes place; where that basis is consent, it must be an active opt-in, and silence, inactivity, or pre-ticked boxes do not count. CCPA uses an opt-out model: businesses can collect and even sell or share your data by default, but you have the right to say "Do Not Sell or Share My Personal Information."
3. Definition of personal data
GDPR defines "personal data" as any information relating to an identified or identifiable natural person. CCPA's definition of "personal information" is similar but explicitly extends to households and devices, not just individuals. CPRA also created a new category of "sensitive personal information" (SSN, precise geolocation, biometrics, race, religion, etc.) with extra protections.
4. Penalties and enforcement
GDPR fines can reach €20 million or 4% of a company's global annual turnover, whichever is higher. Meta and Amazon have each received GDPR fines in the hundreds of millions of euros or more. CCPA penalties are calculated per violation: up to $2,500 for each violation and up to $7,500 for each intentional violation or any violation involving consumers under 16, with the amounts adjusted for inflation periodically. Because each affected consumer can count as a separate violation, the totals scale quickly.
5. Data Protection Officers and assessments
GDPR requires many organizations to appoint a Data Protection Officer (DPO) and conduct Data Protection Impact Assessments (DPIAs) for high-risk processing. CCPA/CPRA requires risk assessments and cybersecurity audits for businesses whose processing presents "significant risk," but the rules are less prescriptive.
Your Rights Under GDPR
GDPR gives you eight core rights you can exercise against any organization handling your personal data:
- Right to be informed about what data is collected and why.
- Right of access to a copy of your data.
- Right to rectification of inaccurate data.
- Right to erasure ("right to be forgotten").
- Right to restrict processing in certain situations.
- Right to data portability—receive your data in a machine-readable format.
- Right to object to processing, including direct marketing.
- Rights related to automated decision-making and profiling.
If a company ignores your request, you can complain to your national regulator. For example, EU residents and many international users can file with Ireland's Data Protection Commission, which oversees most U.S. tech giants whose EU headquarters are in Dublin. Read our step-by-step guide to filing a privacy complaint with the DPC Ireland.
Your Rights Under CCPA/CPRA
California consumers have the following rights:
- Right to know what personal information is collected, used, shared, or sold.
- Right to delete personal information held by businesses (with exceptions).
- Right to correct inaccurate information (added by CPRA).
- Right to opt out of the sale or sharing of personal information.
- Right to limit use of sensitive personal information (CPRA).
- Right to non-discrimination for exercising your rights.
- Right to data portability in a usable format.
Businesses must post a clear "Do Not Sell or Share My Personal Information" link (and, where they use sensitive personal information beyond the permitted purposes, a "Limit the Use of My Sensitive Personal Information" link; a single "Your Privacy Choices" link may cover both) and must treat a Global Privacy Control (GPC) browser signal as a valid request to opt out of sale and sharing.
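The GPC signal is easy to honour but easy to get subtly wrong, so here is an added example (not code from the article, and not any vendor's implementation) of how a server should interpret it. Per the GPC specification the signal is the request header `Sec-GPC: 1`; any other value, or no header at all, means no signal, and browsers expose the same preference as `navigator.globalPrivacyControl`. The cookie name and the shape of the request object are assumptions for this demo.

```javascript
// Added example: honouring a Global Privacy Control signal server-side.
// Assumptions for the demo: requests are plain objects with a `headers` map,
// and the persisted opt-out lives in a cookie named OPT_OUT_COOKIE.

const OPT_OUT_COOKIE = 'opt_out_sale_share'; // assumed cookie name

// Case-insensitive header lookup: Node lowercases incoming header names,
// but a hand-built headers object may not.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of String(cookieHeader || '').split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    out[eq === -1 ? trimmed : trimmed.slice(0, eq)] = eq === -1 ? '' : trimmed.slice(eq + 1);
  }
  return out;
}

// True only when the Sec-GPC value is exactly "1", as the spec requires.
// "0", "true", or a missing header must all be treated as "no signal".
function gpcSignalPresent(headers) {
  const value = getHeader(headers, 'sec-gpc');
  return value !== undefined && String(value).trim() === '1';
}

// Browser-side equivalent: the same preference exposed on navigator.
function gpcSignalFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Evaluate one request and return the decisions the rest of the stack needs.
// GPC is an opt-out of sale/sharing; it never opts anyone in to anything.
function evaluateRequest(req) {
  const headers = (req && req.headers) || {};
  const gpc = gpcSignalPresent(headers);
  const cookies = parseCookies(getHeader(headers, 'cookie'));
  const previouslyOptedOut = cookies[OPT_OUT_COOKIE] === '1';
  const optedOut = gpc || previouslyOptedOut;

  // Persist the opt-out so a later request that arrives without the header
  // (different tab, extension disabled) is still treated as opted out.
  const setCookie = gpc && !previouslyOptedOut
    ? `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=31536000; Secure; HttpOnly; SameSite=Lax`
    : null;

  return {
    gpc,                           // signal seen on this request
    optedOut,                      // signal now, or persisted earlier
    allowSaleOrShare: !optedOut,   // gate any sale or cross-context "sharing"
    loadAdTechTags: !optedOut,     // do not inject third-party ad pixels when opted out
    setCookie,                     // Set-Cookie header to emit, or null
  };
}
```

The two checks a practitioner should take from this: the header value must be exactly `1` (a sloppy `if (headers['sec-gpc'])` would treat `Sec-GPC: 0` as an opt-out, and a strict `=== '1'` without trimming can miss a padded value), and the decision should be persisted, because the regulation treats the signal as a request the business must keep honouring, not as a per-request hint.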
How GDPR and CCPA Treat Children's Data
Both laws give extra protection to minors, but with different age thresholds:
- GDPR: where an online service relies on consent, children under 16 (member states may lower this to 13) need parental consent.
- CCPA/CPRA: Businesses must obtain opt-in consent before selling or sharing data of consumers under 16. For children under 13, parental consent is required.
What This Means for Businesses
If your business serves customers globally, you likely need to comply with both laws. Smart organizations adopt a "highest common denominator" strategy—building privacy programs around GDPR's stricter requirements, then layering CCPA-specific notices and opt-out mechanisms on top.
Practical compliance checklist
- Map all personal data you collect, where it's stored, and who has access.
- Update privacy notices to disclose categories, purposes, and retention periods.
- Implement consent management for EU traffic and opt-out mechanisms (including GPC) for California traffic.
- Build a clear process to handle Data Subject Access Requests (DSARs) within one month under GDPR (extendable by up to two further months for complex or numerous requests) or 45 days under CCPA (extendable once by a further 45 days).
- Sign Data Processing Agreements (DPAs) with vendors and service providers.
- Train staff on data handling and breach response.
- Encrypt data in transit and at rest, and minimize what you collect.
Businesses that share links containing user identifiers should also consider how those URLs leak data. Using a privacy-respecting link management tool like Lunyb helps strip tracking parameters and reduces exposure of personal information in shared URLs.
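As an added example (not code from the article, and not Lunyb's implementation), the following shows the two things such a tool has to do before a link is shared: strip the well-known tracking parameters, and flag query values that look like a person's identifier rather than a page reference. The parameter names and the detection patterns are a constructed, illustrative list, not a complete or authoritative one.

```javascript
// Added example: strip tracking parameters from a URL and flag identifier-like
// values. Uses the WHATWG URL API built into Node and browsers.

// Constructed list of common click/campaign identifiers (illustrative, not complete).
const TRACKING_PARAMS = new Set([
  'fbclid', 'gclid', 'dclid', 'gbraid', 'wbraid', 'msclkid', 'yclid',
  'igshid', 'mc_cid', 'mc_eid', 'ttclid', 'twclid', '_hsenc', '_hsmi',
]);
const TRACKING_PREFIXES = ['utm_', 'pk_', 'mtm_', 'hsa_'];

// Heuristics for values that identify a person rather than a page (assumed patterns).
const IDENTIFIER_PATTERNS = [
  { kind: 'email', re: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  { kind: 'jwt', re: /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/ },
  { kind: 'hex-token', re: /^[0-9a-f]{32,}$/i },
];

function isTrackingParam(name) {
  const n = name.toLowerCase();
  return TRACKING_PARAMS.has(n) || TRACKING_PREFIXES.some(p => n.startsWith(p));
}

// Returns { url, removed, warnings }. Throws on an unparseable URL.
function stripTrackingParams(input) {
  const url = new URL(input);
  const removed = [];
  const warnings = [];

  // Snapshot the keys first: deleting while iterating searchParams skips entries.
  for (const name of [...new Set(url.searchParams.keys())]) {
    if (isTrackingParam(name)) {
      url.searchParams.delete(name);
      removed.push(name);
      continue;
    }
    // Keep the parameter but warn if its value looks like a user identifier.
    for (const value of url.searchParams.getAll(name)) {
      const hit = IDENTIFIER_PATTERNS.find(p => p.re.test(value));
      if (hit) warnings.push({ param: name, kind: hit.kind });
    }
  }

  // Some sites carry trackers in the fragment ("#utm_source=x"). Drop a fragment
  // that consists entirely of tracking parameters; keep ordinary anchors.
  if (url.hash.length > 1) {
    const fragmentKeys = [...new URLSearchParams(url.hash.slice(1)).keys()];
    if (fragmentKeys.length > 0 && fragmentKeys.every(isTrackingParam)) url.hash = '';
  }

  return { url: url.toString(), removed, warnings };
}
```

Two caveats worth knowing: `URLSearchParams` re-serialises the remaining query (so `@` becomes `%40` and spaces become `+`), which is harmless for servers but changes the literal string; and an identifier baked into the path (`/u/alice`) or a non-standard fragment format will not be caught by this, so the warnings are a prompt for review, not a guarantee.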
Data Breaches: Notification Rules Compared
Both laws require breach notification, but timelines and triggers differ.
| Aspect | GDPR | CCPA |
|---|---|---|
| Notify regulator | Within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals | No fixed deadline under CCPA itself; California's breach statute applies (the Attorney General must be notified when more than 500 residents are affected) |
| Notify individuals | Without undue delay if the breach is likely to result in a high risk | "In the most expedient time possible and without unreasonable delay" |
| Private lawsuit allowed? | Yes (compensation for damage, Art. 82) | Yes, for breaches of unencrypted or unredacted personal information caused by a failure to maintain reasonable security: $100–$750 per consumer per incident, or actual damages if greater |
Other jurisdictions follow similar models. For example, see how Singapore handles incidents in our guide to reporting a data breach to PDPC, or how Ireland implements GDPR locally in our Data Protection Act 2018 Ireland guide.
The Bigger Picture: Global Privacy Trends in 2026
GDPR and CCPA aren't operating in a vacuum. Brazil's LGPD, India's DPDP Act, Canada's PIPEDA (and the proposed Consumer Privacy Protection Act intended to replace it), Australia's Privacy Act reforms, and at least a dozen new U.S. state laws are converging on similar principles: transparency, minimization, user rights, and breach accountability.
At the same time, AI and machine learning are creating new risks. Companies are scraping data to train large language models, and tracking technologies have become more sophisticated. If you want to limit what AI systems learn about you, read our 2026 guide to stopping AI from tracking you online. Everyday threats matter too—our guide to QR code scams covers a fast-growing attack vector that bypasses many privacy protections.
GDPR vs CCPA: Which Is Stronger?
By most measures, GDPR offers stronger protection:
- Opt-in consent is more privacy-protective than opt-out.
- GDPR applies to all processing, not just sales.
- Fines are dramatically higher.
- Rights are broader, including object and restrict.
CCPA's strengths lie in transparency around data sales, the explicit "Do Not Sell" mechanism, and a private right of action with statutory damages for breaches; GDPR's Article 82 gives a right to compensation, but sets no fixed amount, so individual claims depend on proving damage. The CPRA's addition of sensitive personal information and a dedicated regulator (CPPA) closes much of the gap.
FAQ
Does GDPR apply to U.S. companies?
Yes, if a U.S. company offers goods or services to people in the EU/EEA, or monitors their behavior (for example, via analytics or advertising), it must comply with GDPR—regardless of where it's headquartered.
Can a non-California resident use CCPA rights?
Officially, no. CCPA rights apply to California residents. However, many companies extend the same rights to all U.S. users for operational simplicity, and other states (Virginia, Colorado, Connecticut, Texas, etc.) now have similar laws.
What's the difference between CCPA and CPRA?
CPRA is an amendment to CCPA, fully effective from January 2023. It added rights to correct data and limit sensitive information use, expanded breach liability, created the California Privacy Protection Agency, and introduced concepts like "sharing" of data for cross-context behavioral advertising.
Which law has bigger fines?
GDPR. Maximum fines reach €20 million or 4% of global annual turnover, whichever is higher. CCPA caps administrative fines at $7,500 per intentional violation, although that adds up quickly across millions of consumers.
Do I need separate privacy policies for GDPR and CCPA?
You can combine them, but each law requires specific disclosures. Most modern privacy policies have GDPR-specific sections (lawful bases, DPO contact, EU representative) and CCPA-specific sections (categories sold/shared, "Do Not Sell" link, retention periods). Clearly label which rights apply to which users.
How do I exercise my rights?
Look for a "Privacy" or "Your Rights" link in the website footer. Most companies provide an online form, email address, or toll-free number. If a company doesn't respond within the legal timeframe (one month for GDPR, 45 days for CCPA, each extendable once where the law allows), file a complaint with the appropriate regulator.
Final Thoughts
GDPR and CCPA represent two influential but different visions of privacy. GDPR treats data protection as a fundamental right with comprehensive, opt-in rules. CCPA emphasizes transparency and consumer choice, focusing on the sale and sharing of personal information. Together, they've reshaped how the entire world thinks about online privacy.
Whether you're a consumer protecting your data or a business navigating compliance, the path forward is the same: collect less, be transparent, secure what you keep, and respect every request to access, correct, or delete information. In 2026 and beyond, privacy isn't just a legal requirement—it's a competitive advantage.