
GDPR vs CCPA: Understanding Your Privacy Rights in 2026

Lunyb Security Team
10 min read

Two laws dominate the global conversation about data privacy: the European Union's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA), as amended by the CPRA. Both grant people meaningful control over their personal information, but they take very different routes to get there. If you're a consumer trying to understand what rights you actually have, or a business owner trying to figure out which rules apply, this guide breaks down the key differences in plain language.

What Is the GDPR?

The General Data Protection Regulation is the European Union's comprehensive privacy law, enforced since May 25, 2018. It governs how organizations collect, store, process, and share the personal data of individuals located in the EU and the European Economic Area, regardless of where the organization itself is based.

GDPR is built on a principle of "privacy by default." In practice, that means companies must have a clear legal basis before they can process your data, and they must minimize how much they collect. The regulation defines personal data broadly: names, email addresses, IP addresses, cookie identifiers, location data, biometric information, and even pseudonymized data can all fall under its scope.

Core Principles of GDPR

  • Lawfulness, fairness, and transparency: Processing must have a legal basis and be clearly explained.
  • Purpose limitation: Data collected for one reason can't be repurposed without consent.
  • Data minimization: Only collect what's strictly necessary.
  • Accuracy: Data must be kept up to date.
  • Storage limitation: Don't keep data longer than needed.
  • Integrity and confidentiality: Apply appropriate security.
  • Accountability: Organizations must prove compliance.

What Is the CCPA?

The California Consumer Privacy Act took effect on January 1, 2020, and was substantially strengthened by the California Privacy Rights Act (CPRA), fully effective in 2023. Together they form the most influential privacy law in the United States, applying to for-profit businesses that meet certain thresholds and collect personal information from California residents.

Unlike GDPR, the CCPA is focused on transparency and the right to opt out, rather than requiring opt-in consent for most data processing. It treats personal information as something businesses can collect by default, while giving consumers tools to see, delete, and stop the sale or sharing of that information.

Who CCPA Applies To

A business must comply with the CCPA if it does business in California and meets at least one of the following thresholds:

  1. Has annual gross revenue over $25 million.
  2. Buys, sells, or shares personal information of 100,000 or more California consumers or households.
  3. Derives 50% or more of its annual revenue from selling or sharing personal information.

GDPR vs CCPA: Side-by-Side Comparison

At a high level, GDPR is broader, stricter, and applies to nearly every organization that touches EU data. CCPA is narrower in scope but introduces strong consumer-facing rights that have shaped privacy laws across other US states.

| Feature | GDPR | CCPA / CPRA |
| --- | --- | --- |
| Geographic scope | EU/EEA residents, worldwide reach | California residents only |
| Who it applies to | Any organization processing EU personal data | For-profit businesses meeting revenue or data thresholds |
| Consent model | Opt-in required for most processing | Opt-out model (opt-in for under-16s) |
| Definition of personal data | Any data relating to an identifiable person | Information that identifies or could reasonably be linked to a consumer or household |
| Right to delete | Yes, with exceptions | Yes, with exceptions |
| Right to access | Yes, free of charge | Yes, twice per year |
| Right to correct | Yes | Yes (added by CPRA) |
| Right to data portability | Yes | Limited |
| Maximum fines | €20 million or 4% of global revenue | $7,500 per intentional violation; $2,500 per unintentional |
| Private right of action | Yes, broadly | Limited to data breaches |
| Data Protection Officer | Required in many cases | Not required |

Consent Works Very Differently Under Each Law

The biggest philosophical gap between the two laws is consent. GDPR requires that consent be freely given, specific, informed, and unambiguous, given through a clear affirmative action. Pre-ticked boxes don't count. Silence doesn't count. This is why you see cookie banners across European websites asking you to accept or reject tracking.

CCPA, by contrast, lets businesses collect personal information by default, but consumers must be given a clear way to opt out, typically through a "Do Not Sell or Share My Personal Information" link. The CPRA expanded this to include sharing for cross-context behavioral advertising, not just literal sales.

What This Means for You as a User

If you're in the EU, websites generally need your permission before tracking you. If you're in California, you usually need to take action yourself to stop tracking. Many privacy-focused tools, including link management platforms like Lunyb, are designed to respect both standards by limiting data collection at the source rather than relying on user opt-outs after the fact.
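As an added illustration of the data-minimization principle and of "limiting data collection at the source" described above, the following Python module (written for this article, not Lunyb's code; the field names, the daily salt and the sample click are constructed assumptions) shows what a click-analytics record can look like when the raw request is reduced before anything is stored: the IP address and full User-Agent string, both personal data under GDPR, never reach storage, the timestamp is coarsened to a day, and the referrer is cut down to its host so that any tokens in its query string are dropped.

```python
"""Data minimization at the point of collection (illustrative example)."""
import hashlib
import hmac
import ipaddress
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Daily-rotating secret. In a real deployment it is generated fresh each day
# and the previous value destroyed; it is a constructed constant here so the
# example runs offline and deterministically.
DAILY_SALT = b"constructed-example-salt"

# The only fields a traffic report needs. Everything else is discarded.
KEPT_FIELDS = ("link_id", "day", "visitor", "referrer_host", "browser")


def truncate_ip(ip: str) -> str:
    """Reduce an address to its /24 (IPv4) or /48 (IPv6) network prefix."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def browser_family(user_agent: str) -> str:
    """Coarse browser family only; the full UA string is a fingerprinting vector."""
    ua = user_agent or ""
    if "Edg/" in ua:
        return "Edge"
    if "Firefox/" in ua:
        return "Firefox"
    if "Chrome/" in ua:
        return "Chrome"
    if "Safari/" in ua:
        return "Safari"
    return "Other"


def visitor_token(ip: str, user_agent: str, salt: bytes = DAILY_SALT) -> str:
    """Per-day keyed hash of truncated IP + UA, used only to count unique visitors.

    Once the day's salt is destroyed the token can neither be reversed nor
    joined with tokens from another day, so no stable identifier is kept.
    """
    msg = f"{truncate_ip(ip)}|{user_agent}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()[:16]


def minimize_click(raw: dict, salt: bytes = DAILY_SALT) -> dict:
    """Turn a raw click request into the record that is actually stored."""
    ts = datetime.fromisoformat(raw["timestamp"]).astimezone(timezone.utc)
    ref = raw.get("referer")
    ua = raw.get("user_agent", "")
    record = {
        "link_id": raw["link_id"],
        "day": ts.date().isoformat(),  # day-level, not second-level, timing
        "visitor": visitor_token(raw["ip"], ua, salt),
        # Host only: the referrer's path and query may carry session tokens.
        "referrer_host": urlsplit(ref).hostname if ref else None,
        "browser": browser_family(ua),
    }
    # Guard against a later edit quietly adding a raw field to storage.
    assert set(record) == set(KEPT_FIELDS)
    return record


# Constructed sample request, not real traffic.
SAMPLE_CLICK = {
    "link_id": "abc123",
    "timestamp": "2026-01-15T14:32:07+01:00",
    "ip": "203.0.113.77",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
    "referer": "https://news.example/article?utm_source=mail&session=secret",
}

if __name__ == "__main__":
    print(minimize_click(SAMPLE_CLICK))
```

The design choice worth noting is that the opt-out never has to happen: because the stored record contains no IP, no raw User-Agent and no stable identifier, there is nothing for a "Do Not Sell or Share" request to remove and no per-user profile for a GDPR access request to return.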

Your Rights Under GDPR

The GDPR grants eight specific data subject rights. Knowing these is the fastest way to assert control over your information when dealing with European businesses.

  1. Right to be informed: Clear disclosure of what data is collected and why.
  2. Right of access: You can request a copy of all data held about you.
  3. Right to rectification: Correct inaccurate or incomplete data.
  4. Right to erasure ("right to be forgotten"): Demand deletion in many circumstances.
  5. Right to restrict processing: Limit how your data is used.
  6. Right to data portability: Receive your data in a machine-readable format.
  7. Right to object: Refuse processing for direct marketing or profiling.
  8. Rights related to automated decision-making: Object to decisions made solely by algorithms.

Your Rights Under CCPA/CPRA

California consumers have a similar but slimmer set of rights focused on transparency and control over commercial use of their data.

  1. Right to know: What categories of personal information a business collects, sells, or shares.
  2. Right to delete: Request deletion of personal information collected from you.
  3. Right to correct: Fix inaccurate personal information (added by CPRA).
  4. Right to opt out of sale or sharing: Stop the sale or cross-context behavioral advertising use of your data.
  5. Right to limit use of sensitive personal information: Restrict use of data like Social Security numbers, precise geolocation, racial/ethnic origin, or health data.
  6. Right to non-discrimination: Businesses can't charge you more or provide worse service for exercising your rights.

Penalties and Enforcement

GDPR is famous for its eye-watering fines: up to €20 million or 4% of global annual turnover, whichever is higher. Enforcement is handled by national data protection authorities in each EU country, and the European Data Protection Board coordinates cross-border cases. Major fines have hit Meta, Amazon, Google, and TikTok in the hundreds of millions to billions of euros.

CCPA penalties are calculated per violation rather than as a percentage of revenue: up to $2,500 for each unintentional violation and $7,500 for each intentional one or violation involving minors. These can still add up quickly, because each affected consumer counts as a separate violation. The California Privacy Protection Agency (CPPA), created by the CPRA, now leads enforcement alongside the California Attorney General.

Which Law Applies to You?

The two laws can both apply to the same business simultaneously. A US company selling to customers in both California and Germany must comply with each set of rules for the corresponding residents.

For Consumers

  • If you live in the EU, EEA, or UK (where the UK GDPR mirrors the EU version): you're covered by GDPR.
  • If you're a California resident: you're covered by the CCPA/CPRA.
  • Other US states now have their own laws too (Virginia, Colorado, Connecticut, Utah, Texas, and more), often modeled on the CCPA but with their own nuances.

For Businesses

If you process data from EU residents, GDPR applies regardless of your location. If you do business in California and meet the thresholds, CCPA applies. Most growing businesses end up needing to comply with both, plus a patchwork of newer US state laws.

Practical Tips to Protect Your Privacy

Knowing your legal rights is only half the battle. The other half is reducing how much data ends up out there in the first place. Here are practical steps that work no matter which jurisdiction you live in.

  1. Review privacy settings on the services you use most. Social networks, search engines, and email providers all bury options that limit tracking.
  2. Use encrypted DNS (DNS over HTTPS or DNS over TLS) so your lookups no longer travel in plaintext where your internet provider can log every site you visit. It hides the names you resolve, not the addresses you then connect to, so treat it as one layer rather than a cloak.
  3. Choose privacy-respecting browsers like Firefox or Brave, and enable strict tracking protection.
  4. Submit data subject access requests to companies you suspect have collected too much about you. Most have a privacy portal or dedicated email address.
  5. Use tools that don't profile you. When shortening links, for example, pick a service that doesn't sell click data. We've covered the privacy trade-offs in our Best URL Shorteners Reviewed and Compared: 2026 Buyer's Guide.
  6. Opt out of data broker lists. Data brokers will remove you if you ask, though it takes persistence.
  7. Limit app permissions on your phone. Most apps don't need your location, microphone, or contacts to function.

The Future of Global Privacy Law

GDPR set the global benchmark, and CCPA proved that strong privacy law can also work in the United States. The trend is unmistakable: more jurisdictions are adopting GDPR-style frameworks, while the US is moving toward a patchwork of state-level laws that increasingly resemble each other. Brazil's LGPD, Canada's PIPEDA reforms, India's DPDP Act, and emerging laws in countries like Australia and Saudi Arabia all borrow heavily from these two pioneers.

For businesses, the practical answer is to design for the strictest law that applies and use that as the baseline globally. For consumers, the encouraging news is that you're getting more rights every year, even if exercising them still takes effort. Tools that minimize data collection by design, like the privacy-respecting analytics built into Lunyb, can make compliance easier on both sides.

Frequently Asked Questions

Is GDPR stricter than CCPA?

Yes, in most respects. GDPR requires opt-in consent for most data processing, applies to virtually every organization handling EU data, defines personal data more broadly, and imposes much higher fines as a percentage of revenue. CCPA is more focused on giving Californians the ability to opt out of data sales and demand transparency.

Do I need to comply with both laws if I run a small online business?

Possibly. GDPR has no revenue threshold, so even a one-person business serving EU customers must comply. CCPA only kicks in if you meet its thresholds (over $25 million in revenue, data on 100,000+ Californians, or 50%+ revenue from selling data). Many small US businesses therefore fall under GDPR but not CCPA.

What's the difference between CCPA and CPRA?

The CPRA (California Privacy Rights Act) is an amendment to the CCPA passed by voters in 2020 and fully effective from 2023. It added new rights like correction and limitation of sensitive data use, expanded "sale" to include "sharing," and created the California Privacy Protection Agency to enforce the law.

Can I sue a company for violating my privacy rights?

Under GDPR, yes, you can file complaints with your national data protection authority and pursue civil claims for damages. Under CCPA, your private right to sue is generally limited to data breaches involving unencrypted personal information, with statutory damages of $100-$750 per consumer per incident.

How do I submit a data deletion request?

Most companies provide a privacy page with a request form, email address, or web portal. Under both laws, you can also submit a written request. The business must verify your identity, then respond within 30 days (GDPR) or 45 days (CCPA), with possible extensions for complex requests.
