GDPR vs CCPA: Understanding Your Privacy Rights in 2026
Data privacy is no longer optional. Two landmark laws—the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)—have reshaped how organizations handle personal information worldwide. While both protect consumer privacy, they differ significantly in scope, rights granted, and enforcement. Understanding GDPR vs CCPA is essential whether you're a business processing data or an individual wanting to know your rights.
This guide breaks down both laws side by side, explains the rights they grant, and offers practical compliance advice for 2026.
What Is the GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive European Union privacy law that took effect on May 25, 2018. It governs how organizations collect, store, process, and share the personal data of EU residents—regardless of where the organization is located. The GDPR is widely considered the strictest privacy law in the world.
Who Does GDPR Apply To?
The GDPR applies to any organization that:
- Is established in the EU, regardless of where data processing occurs.
- Offers goods or services to EU residents, even if the company is based elsewhere.
- Monitors the behavior of EU residents (such as through online tracking).
This extraterritorial reach means a small business in Brazil selling to French customers must comply with GDPR.
Core GDPR Principles
- Lawfulness, fairness, and transparency in data collection.
- Purpose limitation: data can only be used for specific, declared reasons.
- Data minimization: collect only what's necessary.
- Accuracy: keep data current and correct.
- Storage limitation: don't keep data longer than needed.
- Integrity and confidentiality: protect data with appropriate security.
- Accountability: organizations must demonstrate compliance.
What Is the CCPA?
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, and was significantly enhanced by the California Privacy Rights Act (CPRA) in 2023. It grants California residents specific rights regarding their personal information and imposes obligations on businesses that collect it. While narrower than GDPR, the CCPA is the most influential privacy law in the United States.
Who Does CCPA Apply To?
CCPA applies to for-profit businesses that collect California residents' personal information and meet at least one of these thresholds:
- Annual gross revenue exceeding $25 million.
- Buy, sell, or share personal information of 100,000 or more California consumers or households per year.
- Derive 50% or more of annual revenue from selling or sharing California consumers' personal information.
Core CCPA Rights
- Right to know what personal information is collected and how it's used.
- Right to delete personal information.
- Right to opt out of the sale or sharing of personal information.
- Right to correct inaccurate data.
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising these rights.
GDPR vs CCPA: Key Differences at a Glance
The two laws share goals but take different paths. Here's how they compare:
| Feature | GDPR | CCPA / CPRA |
|---|---|---|
| Jurisdiction | EU residents (global reach) | California residents |
| Effective Date | May 25, 2018 | January 1, 2020 (CPRA: 2023) |
| Applies To | Any size organization processing EU data | For-profit businesses meeting revenue/data thresholds |
| Legal Basis Required | Yes — consent or 5 other lawful bases | No prior consent for most processing |
| Opt-In vs Opt-Out | Opt-in for most processing | Opt-out model (sales/sharing) |
| Data Protection Officer | Required for many organizations | Not required |
| Maximum Fine | €20 million or 4% of global revenue | $7,500 per intentional violation |
| Right to Be Forgotten | Yes (broad) | Yes (with exceptions) |
| Data Portability | Yes | Yes (limited) |
| Private Right of Action | Yes | Limited (data breaches only) |
| Breach Notification | 72 hours to authority | Without unreasonable delay |
Consumer Rights Compared
Both laws give individuals control over their personal data, but the rights vary in scope and how they're exercised.
Right to Access
Under GDPR (Article 15), individuals can request a copy of all personal data an organization holds about them, along with details on processing purposes, recipients, and retention periods. Under CCPA, California residents can request the categories and specific pieces of personal information collected in the prior 12 months (extended under CPRA).
Right to Deletion
GDPR's "right to be forgotten" is broader, requiring deletion when data is no longer necessary, consent is withdrawn, or processing is unlawful. CCPA's deletion right has more exceptions—businesses can keep data needed to complete transactions, detect fraud, or comply with legal obligations.
Right to Opt Out vs Opt In
This is one of the biggest philosophical differences:
- GDPR uses an opt-in model: organizations must obtain affirmative consent before processing personal data in most cases.
- CCPA uses an opt-out model: businesses can collect data by default, but consumers can opt out of its sale or sharing via a "Do Not Sell or Share My Personal Information" link.
Right to Data Portability
Both laws allow individuals to obtain their data in a structured, commonly used format. GDPR additionally requires the ability to transmit it directly to another controller where technically feasible.
What Counts as Personal Information?
Both laws define personal data broadly, but with subtle differences.
GDPR Definition
"Personal data" means any information relating to an identified or identifiable natural person. This includes names, ID numbers, location data, IP addresses, online identifiers, and even pseudonymized data if it can be linked back to a person. GDPR also recognizes "special categories" (sensitive data) such as health, biometric, racial, religious, and sexual orientation data, which require stricter protections.
CCPA Definition
CCPA defines "personal information" as information that identifies, relates to, describes, or could reasonably be linked with a particular consumer or household. It explicitly covers commercial information, biometric data, internet activity, geolocation, and inferences drawn to create a consumer profile. The CPRA introduced a "sensitive personal information" category similar to GDPR's special categories.
Penalties and Enforcement
The financial stakes differ dramatically between the two regimes.
GDPR Penalties
GDPR fines are tiered:
- Lower tier: Up to €10 million or 2% of global annual turnover (whichever is higher) for administrative violations.
- Upper tier: Up to €20 million or 4% of global annual turnover for serious violations involving consumer rights or data transfers.
Major fines have hit Meta (€1.2 billion), Amazon (€746 million), and Google (€90 million), proving regulators aren't bluffing.
CCPA Penalties
The California Privacy Protection Agency (CPPA) can levy fines of:
- $2,500 per unintentional violation.
- $7,500 per intentional violation or violations involving minors.
While smaller per violation, fines multiply quickly with thousands of affected consumers. CCPA also allows consumers a private right of action for data breaches, with statutory damages of $100–$750 per consumer per incident.
Compliance: What Businesses Need to Do
If your business handles data from EU or California residents, compliance is mandatory. Here are the practical steps.
GDPR Compliance Checklist
- Map all data flows and document processing activities.
- Identify a lawful basis for each processing purpose.
- Update privacy notices to be clear, concise, and transparent.
- Implement consent mechanisms (granular, freely given, withdrawable).
- Establish processes for handling data subject requests within 30 days.
- Appoint a Data Protection Officer if required.
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing.
- Sign Data Processing Agreements with vendors.
- Implement appropriate technical and organizational security measures.
- Prepare a 72-hour breach notification plan.
CCPA Compliance Checklist
- Update your privacy policy with required CCPA disclosures.
- Add a "Do Not Sell or Share My Personal Information" link to your homepage.
- Implement methods for consumers to submit access, deletion, and correction requests.
- Verify consumer identity before fulfilling requests.
- Respond to requests within 45 days.
- Train employees handling personal information.
- Update vendor contracts with required data protection terms.
- Recognize Global Privacy Control (GPC) browser signals.
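One way to implement the last checklist item, as an added example that is not code from the page or from any product it mentions: a request's headers are assumed to arrive as a plain dict, and the stored per-consumer choice is assumed to be a boolean or None (both are constructed inputs).

```python
"""Honour Global Privacy Control (GPC) opt-out signals on incoming requests.

Added example for this guide. Assumptions: request headers are a plain dict
(names in any case) and the consumer's stored sale/sharing choice is a bool
or None when the consumer has never chosen; both inputs are constructed here.
"""
import json
from typing import Optional

GPC_HEADER = "sec-gpc"  # request header name defined by the GPC specification


def gpc_signal_present(headers: dict) -> bool:
    """Return True only when the browser sent `Sec-GPC: 1`.

    Header names are case-insensitive; any other value, or a missing header,
    means no signal was sent, so the stored choice applies instead.
    """
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    return lowered.get(GPC_HEADER) == "1"


def sharing_allowed(headers: dict, stored_choice: Optional[bool]) -> bool:
    """Decide whether this request may feed third-party sale or sharing.

    A valid GPC signal is treated as an opt-out and overrides a stored "allow".
    With no signal, fall back to the stored choice; with no stored choice,
    default to allowed, which is the CCPA opt-out model described above.
    """
    if gpc_signal_present(headers):
        return False
    return True if stored_choice is None else stored_choice


def well_known_gpc_document(last_update_iso: str) -> str:
    """JSON body for /.well-known/gpc.json, advertising that GPC is honoured."""
    return json.dumps({"gpc": True, "lastUpdate": last_update_iso})


if __name__ == "__main__":
    # Constructed sample requests: one with GPC enabled, one without.
    gpc_request = {"Host": "example.test", "Sec-GPC": "1"}
    plain_request = {"Host": "example.test", "User-Agent": "constructed/1.0"}
    print(sharing_allowed(gpc_request, stored_choice=True))   # False
    print(sharing_allowed(plain_request, stored_choice=None))  # True
    print(well_known_gpc_document("2026-01-01"))
```

The same signal is exposed to page scripts as `navigator.globalPrivacyControl`, so client-side tag loading can be gated on it as well.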
Practical Privacy Tips for Individuals
Even with strong laws, protecting your privacy requires personal action. Here are practical steps:
- Exercise your rights: Submit access and deletion requests to companies that hold your data.
- Use privacy-respecting tools: Choose browsers, search engines, and services that minimize tracking. For sharing links without exposing tracking parameters or your data, privacy-focused services like Lunyb let you shorten URLs without invasive analytics.
- Enable Global Privacy Control: Browsers like Firefox and Brave can send automatic opt-out signals.
- Review privacy settings on social media, mobile apps, and connected devices regularly.
- Use strong, unique passwords and enable two-factor authentication everywhere possible.
- Be selective about which services receive your data—every account is a potential breach.
The Future: Toward a Federal US Privacy Law?
The patchwork of state-level US privacy laws continues to grow. As of 2026, more than a dozen states—including Virginia, Colorado, Connecticut, Texas, and Utah—have enacted comprehensive privacy laws inspired by both CCPA and GDPR. A federal US privacy law has been debated for years but remains stalled in Congress.
Meanwhile, GDPR continues to influence privacy laws globally, from Brazil's LGPD to South Korea's PIPA, India's DPDP Act, and beyond. For businesses, building a privacy program around GDPR's stricter standards is increasingly seen as the safest path to global compliance.
Frequently Asked Questions
Does GDPR apply to US companies?
Yes. GDPR applies to any organization—regardless of location—that offers goods or services to EU residents or monitors their behavior. A US-based e-commerce store selling to customers in Germany or running ads targeted at French users must comply with GDPR.
Which is stricter, GDPR or CCPA?
GDPR is generally stricter. It requires opt-in consent for most data processing, applies to all organizations regardless of size, mandates Data Protection Officers in many cases, and imposes much higher fines (up to 4% of global revenue). CCPA is more focused on transparency and opt-out rights, with narrower applicability and lower penalties.
Can I be fined under both laws for the same incident?
Yes. If a single data breach affects both EU and California residents, regulators in each jurisdiction can pursue enforcement independently. This is why multinational businesses typically build compliance programs that satisfy the strictest applicable law.
What is the difference between a data controller and a data processor?
Under GDPR, a controller determines the purposes and means of processing personal data (e.g., a retailer collecting customer info), while a processor handles data on the controller's behalf (e.g., a cloud hosting provider). Controllers bear primary responsibility for compliance, but processors also have direct obligations. CCPA uses similar concepts with the terms "business" and "service provider."
How do I submit a data request to a company?
Most companies provide a privacy portal, web form, or dedicated email address (often privacy@company.com) for submitting requests. Look in their privacy policy under "Your Rights" or "Contact Us." Be prepared to verify your identity. Under GDPR, the company must respond within 30 days; under CCPA, within 45 days, with possible extensions.
Conclusion
GDPR and CCPA represent two different but converging approaches to data privacy. GDPR sets the global gold standard with its opt-in consent model and severe penalties, while CCPA leads US privacy reform with a transparency- and opt-out-focused framework. For consumers, both laws provide meaningful rights that are worth understanding and exercising. For businesses, ignoring either law is a costly mistake.
The trend is clear: privacy laws are expanding, not retreating. Building a privacy-first culture—and choosing tools that respect user data—is the best way to stay ahead in 2026 and beyond.