GDPR vs CCPA: Understanding Your Privacy Rights in 2026
Data privacy laws are no longer a niche legal topic — they shape how every website, app, and online service treats the personal information of billions of people. Two regulations dominate the global privacy conversation: the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as amended by the CPRA. Understanding how they compare is essential whether you're a consumer wanting to protect your data or a business operating across borders.
This guide breaks down the differences between GDPR and CCPA, explains the rights each grants you, and shows how to exercise them. By the end, you'll know exactly where you stand under each law and what practical steps to take next.
What Are GDPR and CCPA?
GDPR and CCPA are two of the most influential data privacy laws in the world, but they were designed with different philosophies and jurisdictions in mind.
GDPR Defined
The General Data Protection Regulation is a European Union law that took effect on May 25, 2018. It regulates how organizations collect, process, store, and share the personal data of individuals located in the EU and European Economic Area — regardless of where the organization itself is based. GDPR treats privacy as a fundamental human right and requires businesses to justify every use of personal data.
CCPA (and CPRA) Defined
The California Consumer Privacy Act became enforceable on January 1, 2020, and was significantly expanded by the California Privacy Rights Act (CPRA) starting January 1, 2023. It applies to for-profit businesses that collect personal information from California residents and meet certain revenue or data-volume thresholds. Unlike GDPR, CCPA is rooted in a consumer-protection framework, giving Californians control over how their data is sold or shared.
GDPR vs CCPA: Side-by-Side Comparison
The two laws share a common goal — giving individuals more power over their personal data — but they diverge sharply in scope, definitions, and enforcement.
| Aspect | GDPR | CCPA/CPRA |
|---|---|---|
| Jurisdiction | Individuals in the EU/EEA (organizations anywhere in the world) | California residents only |
| Who Must Comply | Any organization processing EU personal data | For-profit businesses meeting revenue, volume, or sales thresholds |
| Legal Basis for Processing | Required (consent, contract, legitimate interest, etc.) | Not required — notice-based model |
| Consent Model | Opt-in (explicit, informed) | Opt-out (for sale/sharing of data) |
| Definition of Personal Data | Any information relating to an identified or identifiable person | Information linked to a consumer or household |
| Right to Delete | Yes (with exceptions) | Yes (with exceptions) |
| Right to Portability | Yes | Limited |
| Maximum Penalty | €20 million or 4% of global annual revenue | $7,500 per intentional violation ($2,500 unintentional) |
| Private Right of Action | Yes (broad) | Limited (data breach only) |
| Regulator | National Data Protection Authorities | California Privacy Protection Agency (CPPA) |
Consumer Rights Under GDPR
GDPR grants eight core rights to individuals (known as "data subjects"). These rights apply to any EU or EEA resident, regardless of where the company holding their data is located.
- Right to be informed — You must be told what data is collected and why, in plain language.
- Right of access — You can request a copy of all personal data an organization holds about you.
- Right to rectification — You can correct inaccurate or incomplete information.
- Right to erasure — Also called the "right to be forgotten," this lets you request deletion of your data.
- Right to restrict processing — You can limit how your data is used in specific situations.
- Right to data portability — You can receive your data in a machine-readable format and transfer it to another provider.
- Right to object — You can object to processing based on legitimate interests, direct marketing, or profiling.
- Rights related to automated decision-making — You can request human review of decisions made solely by algorithms.
Consumer Rights Under CCPA/CPRA
The CCPA, expanded by CPRA, provides California residents with a focused set of consumer-oriented rights that emphasize transparency and choice around the sale and sharing of personal information.
- Right to know — What personal information a business collects, uses, discloses, and sells.
- Right to delete — Request deletion of personal information collected about you.
- Right to correct — Added by CPRA; correct inaccurate personal information.
- Right to opt out — Prevent the sale or sharing of your personal information.
- Right to limit use of sensitive personal information — A CPRA addition covering data like precise geolocation, race, health data, and financial account details.
- Right to non-discrimination — Businesses cannot penalize you for exercising your privacy rights.
- Right to data portability — Receive your data in a portable, usable format.
Key Differences Between GDPR and CCPA
While the rights lists look similar, the mechanics behind them differ in ways that meaningfully impact both consumers and businesses.
1. Opt-In vs Opt-Out Consent
Under GDPR, businesses generally need affirmative, informed consent before processing personal data for many purposes — especially marketing, cookies, and profiling. Silence, pre-ticked boxes, or inactivity do not count as consent.
CCPA, in contrast, uses an opt-out model. Businesses can collect and even sell your data unless you actively tell them to stop, typically through a "Do Not Sell or Share My Personal Information" link.
2. Scope of Personal Data
GDPR's definition of personal data is broader in some ways — it explicitly includes online identifiers like IP addresses, cookie IDs, and device fingerprints as personal data when they can identify a person. CCPA also covers these, but its household-level definition is uniquely broad, capturing shared devices and family accounts.
3. Legal Basis Requirement
GDPR requires a documented lawful basis for every processing activity — consent, contract necessity, legal obligation, vital interests, public task, or legitimate interests. CCPA has no equivalent requirement; businesses simply need to provide notice.
4. Penalties and Enforcement
GDPR penalties are famously severe: up to €20 million or 4% of global annual turnover, whichever is higher. Regulators like Ireland's DPC and France's CNIL have issued fines exceeding €1 billion in individual cases.
CCPA penalties are lower per violation but can accumulate quickly. The California Privacy Protection Agency (CPPA), created by CPRA, is now empowered to investigate and enforce independently.
5. Private Right of Action
Under GDPR, individuals can sue for material and non-material damages, including emotional distress. Under CCPA, private lawsuits are largely limited to data breaches involving certain categories of unencrypted personal information.
Which Businesses Must Comply?
Compliance obligations depend on where your users live and how much data your business handles — not on where your servers or headquarters are located.
GDPR Applicability
GDPR applies to any organization that:
- Is established in the EU/EEA, or
- Offers goods or services (paid or free) to individuals in the EU/EEA, or
- Monitors the behavior of individuals in the EU/EEA (for example, through tracking cookies or analytics).
CCPA Applicability
CCPA applies to for-profit businesses that collect California residents' personal information and meet at least one of these thresholds:
- Annual gross revenue over $25 million, or
- Buy, sell, or share the personal information of 100,000 or more California residents or households annually, or
- Derive 50% or more of annual revenue from selling or sharing California residents' personal information.
How to Exercise Your Privacy Rights
Both laws give you concrete tools to control your data. Here's a step-by-step process that works for either regulation.
- Identify the data controller. Locate the company's privacy policy — it should name the entity responsible for your data and list a contact email or Data Protection Officer.
- Choose your right. Decide whether you want access, deletion, correction, portability, or an opt-out.
- Submit a formal request. Use the company's designated privacy request form, email address, or toll-free number (required under CCPA for many businesses).
- Verify your identity. Expect to confirm who you are — usually by matching account details or providing government-issued ID for sensitive requests.
- Wait for a response. GDPR requires a reply within one month (extendable by two months for complex requests). CCPA gives businesses 45 days, extendable by another 45.
- Escalate if ignored. File a complaint with your local Data Protection Authority (GDPR) or the California Privacy Protection Agency (CCPA).
Practical Privacy Tips for Consumers
Legal rights only work if you actively use them. Combine formal requests with everyday privacy hygiene to minimize your exposure in the first place.
- Audit your accounts. Every few months, list the services holding your data and delete accounts you no longer use.
- Read cookie banners carefully. Reject non-essential cookies where possible, especially on ad-heavy sites.
- Use privacy-first tools. Encrypted DNS resolvers, privacy-focused browsers like Firefox or Brave, and password managers with breach monitoring all reduce data leakage.
- Be careful with shared links. Tracking parameters in URLs can leak your identity and behavior. Services like Lunyb let you create clean, private short links without invasive third-party analytics — useful when sharing content publicly or across platforms.
- Turn on Global Privacy Control (GPC). This browser signal is legally recognized under CPRA as an opt-out request for the sale and sharing of personal information.
Compliance Checklist for Businesses
If your organization touches data from EU or California residents, treat compliance as a shared foundation rather than two separate projects.
- Map every data flow — what you collect, why, where it's stored, and who has access.
- Publish a clear, plain-language privacy notice covering both GDPR and CCPA disclosures.
- Implement consent management for cookies and marketing under GDPR, plus opt-out mechanisms (including GPC) for CCPA.
- Appoint a Data Protection Officer if required by GDPR or a privacy lead for CCPA.
- Sign Data Processing Agreements with every vendor handling personal data.
- Establish a process for handling data subject requests within legal deadlines.
- Conduct annual data protection impact assessments (DPIAs) for high-risk processing.
- Train employees on privacy basics, incident response, and breach notification timelines (72 hours under GDPR).
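The GPC signal from the consumer tips above and the opt-out mechanism in this checklist reach a server as the HTTP request header `Sec-GPC: 1`. The following is an added example of honouring that header, not code from the article or from any product it mentions; the `PrivacyPrefs` record and the sample requests are constructed for illustration.

```python
"""Honour the Global Privacy Control (GPC) signal on the server.

A browser with GPC enabled sends `Sec-GPC: 1` on every request (and
exposes navigator.globalPrivacyControl to page scripts). The CPRA treats
that signal as an opt-out of sale/sharing. Added example; not code
from the article or from any product it mentions.
"""
from dataclasses import dataclass


@dataclass
class PrivacyPrefs:
    """Per-consumer record a business would persist (constructed model)."""
    sale_sharing_opted_out: bool = False
    source: str = "default"  # how the current setting was established


def gpc_opt_out_requested(headers: dict) -> bool:
    """True only for a valid GPC signal: the sole valid value is "1".

    Absent header, "0", "true" or junk are not opt-outs. Header names
    are matched case-insensitively, as HTTP requires.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_gpc(headers: dict, prefs: PrivacyPrefs) -> PrivacyPrefs:
    """Apply the signal to stored preferences.

    A valid signal always sets the opt-out. An absent signal never
    re-enables sale/sharing: silence is not consent, so an opt-out set
    earlier (via GPC or a "Do Not Sell or Share" link) is kept.
    """
    if gpc_opt_out_requested(headers):
        prefs.sale_sharing_opted_out = True
        prefs.source = "gpc"
    return prefs


def may_share_with_ad_partners(prefs: PrivacyPrefs) -> bool:
    """Gate every downstream sale/sharing path (ad pixels, data feeds)."""
    return not prefs.sale_sharing_opted_out


if __name__ == "__main__":
    # Constructed sample requests
    gpc_req = {"Host": "example.test", "Sec-GPC": "1"}
    plain_req = {"Host": "example.test"}
    print(may_share_with_ad_partners(apply_gpc(gpc_req, PrivacyPrefs())))    # False
    print(may_share_with_ad_partners(apply_gpc(plain_req, PrivacyPrefs())))  # True
```

Wire `may_share_with_ad_partners` in front of every ad pixel, data feed and vendor transfer so a single missed call site cannot bypass the opt-out.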
The Global Trend: More Laws Are Coming
GDPR and CCPA set the template, but they're no longer alone. Brazil's LGPD, Canada's PIPEDA (with the pending CPPA reform), the UK GDPR, India's DPDP Act, and state-level laws in Virginia, Colorado, Connecticut, Utah, Texas, and beyond mean nearly every business now faces overlapping obligations. Aligning your privacy program with GDPR — the strictest of the two flagship laws — generally puts you in a strong position for most other regimes.
For businesses that rely on link sharing, analytics, and campaign tracking, choosing tools that respect these frameworks matters. If you're evaluating URL platforms, our 2026 buyer's guide to URL shorteners compares the leading options with privacy in mind, and our honest review of Lunyb looks at how a privacy-conscious shortener stacks up against traditional players like those covered in our Rebrandly review.
Frequently Asked Questions
Does GDPR apply to me if my business is in the US?
Yes, if you offer goods or services to individuals in the EU/EEA or monitor their behavior online — for example, through analytics or targeted advertising. Physical presence in Europe is not required.
Can I request deletion of my data under both GDPR and CCPA?
Yes. Both laws include a right to erasure/deletion, though each has exceptions — for example, when the business must retain data for legal, security, or contractual reasons. GDPR's right is generally broader.
What's the biggest practical difference between GDPR and CCPA?
The consent model. GDPR is opt-in — businesses need your permission before most data processing. CCPA is opt-out — data can be collected and even sold unless you explicitly say no.
Are IP addresses considered personal data?
Under GDPR, yes — courts and regulators have consistently ruled that IP addresses are personal data when they can identify a person. CCPA also treats IP addresses as personal information in most contexts.
How do I file a complaint if a company ignores my request?
For GDPR, file with your national Data Protection Authority (for example, the CNIL in France or the ICO in the UK). For CCPA, file with the California Privacy Protection Agency (CPPA) or the California Attorney General's office. Both processes are free.
Do smaller businesses have to comply?
Under GDPR, size doesn't matter — even a one-person shop processing EU personal data must comply, though some documentation requirements are relaxed for organizations under 250 employees. Under CCPA, businesses below the revenue and data-volume thresholds are generally exempt.