GDPR vs CCPA: Understanding Your Privacy Rights in 2026
Two privacy laws dominate global conversations about personal data: the European Union's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA, amended by the CPRA). Both reshape how companies collect, store, and share information, but they take very different approaches. This guide breaks down GDPR vs CCPA in plain language so you can understand your rights, your obligations as a business, and how to act on them.
What Is GDPR?
The General Data Protection Regulation is a European Union law that took effect on May 25, 2018. It governs how organizations process the personal data of individuals located in the EU and European Economic Area, regardless of where the organization itself is based.
GDPR is built on seven core principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. In practice, this means a company cannot collect data "just in case" and must justify every processing activity with a clear legal basis such as consent, contract, or legitimate interest.
Who Must Comply with GDPR
GDPR applies to:
- Any organization established in the EU, regardless of where data is processed.
- Organizations outside the EU that offer goods or services to people in the EU.
- Organizations outside the EU that monitor the behavior of people in the EU (for example, through tracking cookies or analytics).
What Is CCPA?
The California Consumer Privacy Act became enforceable on July 1, 2020, and was significantly strengthened by the California Privacy Rights Act (CPRA) in 2023. CCPA gives California residents specific rights over the personal information that businesses collect about them.
Unlike GDPR, CCPA is not built on a consent-first model. Instead, it operates on an opt-out framework: businesses can generally collect and "sell" or "share" personal information unless the consumer says no. The CPRA added a new category called "sensitive personal information" and created the California Privacy Protection Agency (CPPA) to enforce the law.
Who Must Comply with CCPA
CCPA applies to for-profit businesses that do business in California and meet at least one of these thresholds:
- Gross annual revenue over $25 million.
- Buy, sell, or share the personal information of 100,000 or more California consumers or households annually.
- Derive 50% or more of annual revenue from selling or sharing California consumers' personal information.
GDPR vs CCPA: Side-by-Side Comparison
Although both laws aim to give people control over their data, the details differ dramatically. The table below highlights the key distinctions.
| Feature | GDPR | CCPA / CPRA |
|---|---|---|
| Region covered | EU and EEA residents | California residents only |
| Effective date | May 25, 2018 | January 1, 2020 (CPRA: 2023) |
| Consent model | Opt-in (explicit consent required) | Opt-out (consent presumed) |
| Who it applies to | Any organization processing EU residents' data | For-profit businesses meeting revenue/data thresholds |
| Definition of personal data | Any data relating to an identifiable person | Information that identifies, relates to, or could be linked to a consumer or household |
| Maximum fines | €20 million or 4% of global revenue | $7,500 per intentional violation; $2,500 per unintentional |
| Right to delete | Yes (right to erasure) | Yes, with exceptions |
| Right to data portability | Yes | Yes |
| Private right of action | Limited | Yes, for certain data breaches |
| Data Protection Officer | Required for some organizations | Not required |
Your Rights Under GDPR
GDPR grants eight specific rights to individuals (called "data subjects"). Knowing these rights helps you exercise them with any company that holds your information.
The Eight GDPR Rights
- Right to be informed — clear notice about what data is collected and why.
- Right of access — request a copy of your personal data.
- Right to rectification — correct inaccurate information.
- Right to erasure — also called "right to be forgotten."
- Right to restrict processing — pause how your data is used.
- Right to data portability — receive your data in a machine-readable format.
- Right to object — opt out of certain processing, including direct marketing.
- Rights related to automated decision-making — human review of decisions made by algorithms.
Companies must typically respond to a rights request within one month, free of charge.
Your Rights Under CCPA
The CCPA, as expanded by the CPRA, provides California consumers with a slightly different set of rights focused heavily on transparency and the sale of personal information.
The Core CCPA Rights
- Right to know what personal information is collected, used, shared, or sold.
- Right to delete personal information held by a business.
- Right to correct inaccurate personal information (added by CPRA).
- Right to opt out of the sale or sharing of personal information.
- Right to limit use of sensitive personal information (added by CPRA).
- Right to non-discrimination for exercising privacy rights.
- Right to data portability in a usable format.
Businesses subject to CCPA must respond to verifiable consumer requests within 45 days, with a possible 45-day extension.
Key Differences You Should Care About
The mechanical differences between GDPR and CCPA matter because they change how easy or hard it is to protect your data in practice.
1. Opt-In vs Opt-Out
Under GDPR, a business generally cannot process your personal data for marketing or non-essential cookies without your explicit, freely given consent. Under CCPA, the default is the opposite: companies can collect and even sell your data unless you affirmatively opt out using a "Do Not Sell or Share My Personal Information" link.
2. Scope of Personal Information
GDPR covers any data relating to an identifiable natural person. CCPA goes a step further by including household-level data, which means information that identifies a household — not just an individual — also falls under its protection.
3. Enforcement and Penalties
GDPR is famous for its eye-watering fines. Penalties can reach €20 million or 4% of global annual turnover, whichever is higher. Amazon, Meta, and Google have all faced multi-hundred-million-euro penalties. CCPA fines are smaller per violation but can scale quickly across thousands of consumers, and the law allows private lawsuits for data breaches caused by inadequate security.
4. Legal Basis vs Notice
GDPR requires a documented legal basis for every act of processing. CCPA does not require a legal basis at all — it focuses instead on giving consumers notice and the ability to opt out.
How Businesses Can Comply with Both
Many companies build a single privacy program that satisfies the stricter requirements of GDPR and layers CCPA-specific notices on top. This "highest common denominator" approach is often cheaper than maintaining two parallel systems.
A Practical Compliance Checklist
- Map all personal data your organization collects, where it is stored, and who has access.
- Identify the legal basis for each processing activity (for GDPR).
- Update your privacy policy to disclose categories of data, purposes, and third-party recipients.
- Add a clear "Do Not Sell or Share" link for California users.
- Implement a consent management platform for EU cookies and tracking.
- Create a documented process for handling rights requests within legal deadlines.
- Sign data processing agreements with every vendor that touches personal data.
- Train employees on privacy obligations and breach response.
- Conduct Data Protection Impact Assessments for high-risk processing.
- Review and refresh annually — privacy law is constantly evolving.
Privacy Tools That Reduce Your Exposure
Regulations are powerful, but you should not rely on them alone. Practical tools shrink the amount of personal data exposed in the first place.
- Privacy-respecting browsers like Brave or Firefox block third-party trackers by default.
- Encrypted DNS resolvers (DNS-over-HTTPS or DNS-over-TLS) hide your DNS lookups from your internet provider, although the provider can still see which IP addresses you connect to.
- Email aliases from services like SimpleLogin or Apple Hide My Email prevent marketers from linking accounts.
- Privacy-aware link shorteners, such as Lunyb, let you share URLs without exposing tracking parameters or your full destination URL in chats and social posts. For a deeper look, see our honest review of Lunyb.
- Password managers reduce credential reuse, the single biggest cause of account-related data breaches.
If you are choosing tools for your business or marketing stack, our 2026 buyer's guide to URL shorteners compares privacy features across the leading platforms, and our Rebrandly review looks at how enterprise shorteners handle data residency.
The Future: A Patchwork of Privacy Laws
GDPR and CCPA are no longer alone. Virginia, Colorado, Connecticut, Utah, Texas, and over a dozen other U.S. states have enacted their own consumer privacy laws, most modeled loosely on CCPA. Brazil's LGPD, India's DPDP Act, and the UK GDPR all add further layers. The trend is unmistakable: regulators worldwide are converging on the idea that personal data is the property of the person it describes, not the company that collects it.
For individuals, this is good news — your rights are expanding. For businesses, the message is to design for the strictest applicable standard and build privacy in from day one rather than bolting it on after a complaint or breach.
Frequently Asked Questions
Does GDPR apply to U.S. companies?
Yes, if a U.S. company offers goods or services to people in the EU or monitors their behavior online — for example through analytics, advertising, or e-commerce — GDPR applies regardless of where the company is headquartered.
Can I sue a company under CCPA?
You can sue under CCPA only in limited circumstances, primarily when a data breach exposes your nonencrypted personal information due to a business's failure to maintain reasonable security. For other violations, only the California Attorney General or the California Privacy Protection Agency can take enforcement action.
Which law is stricter, GDPR or CCPA?
GDPR is generally stricter. It requires opt-in consent, a documented legal basis for processing, mandatory breach notifications within 72 hours, and carries significantly higher fines. CCPA is more flexible but provides robust transparency rights and a private right of action for breaches.
What counts as "selling" data under CCPA?
CCPA defines "sale" broadly as exchanging personal information for monetary or other valuable consideration. This can include sharing data with advertising partners, even without a direct payment, which is why most ad-tech arrangements fall within the definition.
Do I need to comply with both laws?
If your business handles personal data from both EU residents and California residents and meets the applicable thresholds, then yes. Most global companies build a unified privacy program based on GDPR's stricter standards and add CCPA-specific disclosures and opt-out mechanisms for California users.
Final Thoughts
GDPR and CCPA represent two different philosophies about privacy — one rooted in fundamental rights and explicit consent, the other in consumer protection and transparency. Understanding both helps you assert your rights as an individual and design responsible practices if you run a business. As more jurisdictions follow their lead, treating personal data with care is no longer optional; it is the baseline expectation for any organization that wants to earn and keep user trust.