Quick overview
Two laws, two continents, a lot of overlap — and a lot of confusion about which one applies to you. Here's the one-paragraph version before we go deeper:
GDPR is an EU regulation that applies to any company processing personal data of EU or EEA residents — no size threshold, no US exemption. CCPA is a California state law that applies to for-profit businesses above certain revenue or data volume thresholds. If you have EU customers and you're a mid-sized US company, you likely need both.
The good news: a strong GDPR program covers the vast majority of what CCPA requires. You don't build two separate compliance programs — you build one solid privacy program and make sure it satisfies both.
Who does GDPR apply to?
The General Data Protection Regulation applies to any organization that processes personal data of people located in the EU or EEA — regardless of where the organization is based. A SaaS company headquartered in Austin with customers in Germany must comply. A one-person consultancy in New York with a single EU newsletter subscriber is technically in scope.
Practically speaking, enforcement scales with the risk you represent. The European Data Protection Board and national supervisory authorities prioritize large-scale violations. But the legal obligation exists regardless of size.
🇪🇺 GDPR applies if you...
- Have customers, users, or employees in the EU or EEA
- Run a website that EU residents can access, and track their behavior on it
- Process EU personal data on behalf of another company
- Offer goods or services to EU residents (even for free)
- Monitor the behavior of people in the EU
GDPR distinguishes between data controllers (organizations that determine the purpose and means of processing) and data processors (organizations that process data on behalf of controllers). Most SaaS companies are both — a controller for their own users, a processor for their customers' end-users.
Who does CCPA apply to?
The California Consumer Privacy Act — as strengthened by the CPRA amendments effective January 1, 2023 — applies to for-profit businesses that do business in California and meet at least one of these thresholds:
🇺🇸 CCPA applies if you...
- Have annual gross revenue over $25 million
- Buy, sell, or share personal information of 100,000+ consumers or households per year
- Derive 50%+ of annual revenue from selling or sharing personal information
Nonprofits and government agencies are generally exempt. Businesses that only collect employee data are partially exempt for that data. Unlike GDPR, there's a meaningful size threshold — which means many small startups only have GDPR to worry about until they scale.
Watch the 100K threshold carefully. It's not just customers — it's any consumer whose personal information you collect, buy, sell, or share. If you have a modest customer base but run marketing analytics, retargeting, or use third-party data enrichment tools, you may cross this threshold faster than you expect.
Key differences side by side
| Factor | GDPR | CCPA / CPRA |
|---|---|---|
| Geography | EU / EEA residents globally | California residents |
| Who it covers | Any organization, any size | For-profit businesses above thresholds |
| Legal basis required | Yes — must document basis for every processing activity | No — but must disclose what you collect and why |
| Default stance | Opt-in — processing requires a lawful basis | Opt-out — collection is allowed; consumers can opt out of sale/sharing |
| Consent for marketing | Explicit opt-in required | Opt-out right (not opt-in) for data sale/sharing |
| Data transfers | Strict rules for transfers outside EU (SCCs, adequacy decisions) | No equivalent restriction |
| Vendor contracts | Data Processing Agreements required with all processors | Service provider contracts required; no formal DPA structure |
| Data breach notification | 72 hours to supervisory authority; notify individuals if high risk | Private right of action for breaches; AG notification varies by state breach law |
| Max penalty | €20M or 4% of global revenue | $7,500 per intentional violation; $100–$750 per consumer per breach |
Consumer rights: GDPR vs CCPA
Both laws give individuals rights over their personal data — but the specifics differ. Here's how they map:
| Right | GDPR | CCPA / CPRA |
|---|---|---|
| Know / Access | Right of access — what data, why, how long | Right to know — categories and specific pieces collected |
| Delete | Right to erasure ("right to be forgotten") | Right to delete (with exceptions) |
| Correct | Right to rectification | Right to correct (added by CPRA) |
| Portability | Right to data portability | Right to portability |
| Opt out of sale | Not a specific right (covered by consent withdrawal) | Right to opt out of sale or sharing of personal information |
| Limit sensitive data use | Special category data requires explicit consent | Right to limit use of sensitive personal information (added by CPRA) |
| Non-discrimination | Not a specific right | Right not to be discriminated against for exercising rights |
| Response deadline | 30 days (extendable to 3 months) | 45 days (extendable by 45 more days) |
Penalties and enforcement
The penalty structures are very different. GDPR fines are massive and well-publicized. CCPA enforcement is lower-dollar per violation but scales with volume — and includes a private right of action for data breaches that GDPR doesn't have in the same form.
🇪🇺 GDPR Penalties
€20M or 4% of global annual revenue, whichever is higher — for the most serious violations. Lower-tier violations: €10M or 2%. Major fines include €1.2B (Meta), €746M (Amazon), €405M (Instagram).
🇺🇸 CCPA Penalties
$7,500 per intentional violation, enforced by the California AG or CPPA. $2,500 per unintentional violation. Consumers can sue for $100–$750 per person per incident for data breaches — class actions can scale quickly.
Don't let the lower CCPA numbers mislead you. A data breach affecting 500,000 California consumers could expose a company to $375 million in statutory damages ($750 × 500,000) in a class action — before attorneys' fees.
Do you need to comply with both?
It depends on your users and your business size. Work through this:
- Do you have any EU or EEA users, customers, or employees? If yes, GDPR applies — full stop, no size threshold.
- Are you a for-profit company doing business in California? If yes, check the thresholds: $25M revenue, 100K+ consumer records, or 50%+ revenue from data sale. If you hit any one of them, CCPA applies.
- Do you have both EU users AND meet the CCPA thresholds? Then you need both. Most mid-sized US SaaS companies land here.
The practical reality for most US SaaS companies: If you have any EU customers, build for GDPR. GDPR is stricter in almost every dimension, so a GDPR-compliant program already satisfies most of CCPA's requirements. You'll mainly need to add CCPA-specific disclosures and the "Do Not Sell or Share" opt-out mechanism on top.
How to comply with both at once
You don't need two separate programs. Build one privacy framework designed around GDPR (the stricter law) and layer in the CCPA-specific requirements. Here's the practical sequence:
- Build a data inventory: Document every category of personal data you collect — what it is, where it lives, who has access, and how long you keep it. This is the foundation for both laws. Without it, you can't respond to rights requests or demonstrate compliance.
- Document your legal bases (GDPR): For every processing activity, document which of the six GDPR legal bases applies: consent, contract, legal obligation, vital interest, public task, or legitimate interest. CCPA doesn't require this, but it's good privacy hygiene regardless.
- Update your privacy policy: One well-written policy can satisfy both laws. GDPR requires: legal bases, data transfers, retention periods, DPO contact if applicable. CCPA requires: categories collected, purposes, whether you sell/share data, consumer rights, and a "Do Not Sell or Share" link if applicable.
- Implement consent management (GDPR) and opt-out (CCPA): EU users need a proper consent management platform for non-essential cookies and marketing. California users need a clear "Do Not Sell or Share My Personal Information" link if you sell or share their data with third parties.
- Build a rights-request workflow: Create a process to receive, verify identity, and respond to access, deletion, correction, and portability requests. GDPR gives you 30 days. CCPA gives you 45 days. Build the workflow once, configure the deadlines per law.
- Audit and update vendor contracts: GDPR requires Data Processing Agreements with every vendor that processes EU personal data. CCPA requires service provider contracts that restrict vendors from using data beyond the service purpose. Review your vendor list and get the paperwork in place.
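As an added example (not code from the original article or from any vendor's product), here is a minimal Python model of the sequence above: the applicability tests from the "Do you need to comply with both?" list, and the single rights-request workflow from step 5 with deadlines configured per law and request types mapped to the rights each law actually grants. The class and function names, the residence-to-law mapping, and the "3 months = 90 days" conversion are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Per-law deadline and rights configuration, taken from the article's tables.
# GDPR: 30 days, extendable to 3 months (modelled as 90 days, an assumption).
# CCPA: 45 days, extendable by 45 more. All names below are this example's own.
REGIMES = {
    "GDPR": {"base_days": 30, "max_days": 90,
             "rights": {"access", "delete", "correct", "portability"}},
    "CCPA": {"base_days": 45, "max_days": 90,
             "rights": {"access", "delete", "correct", "portability",
                        "opt_out_sale", "limit_sensitive"}},
}
# Which law a data subject can invoke, keyed by where they live (assumed codes).
SUBJECT_REGIME = {"EU": "GDPR", "EEA": "GDPR", "CA": "CCPA"}

@dataclass
class Business:
    revenue_usd: float
    consumers_per_year: int          # consumers whose PI you collect/buy/sell/share
    data_sale_revenue_share: float   # 0.0 to 1.0
    has_eu_data: bool
    for_profit: bool = True
    in_california: bool = True

def applicable_regimes(b: Business) -> set[str]:
    """GDPR has no size threshold; CCPA needs for-profit status, California
    business, and at least one of the three thresholds from the article."""
    regimes = set()
    if b.has_eu_data:
        regimes.add("GDPR")
    over_threshold = (b.revenue_usd > 25_000_000
                      or b.consumers_per_year >= 100_000
                      or b.data_sale_revenue_share >= 0.5)
    if b.for_profit and b.in_california and over_threshold:
        regimes.add("CCPA")
    return regimes

@dataclass
class Request:
    right: str
    residence: str       # key of SUBJECT_REGIME
    received: str        # ISO date, e.g. "2024-01-01"
    extended: bool = False

def route_request(req: Request, business_regimes: set[str]) -> dict:
    """Pick the law governing this request (the subject's law, only if the
    business is in scope and that law grants the right) and its deadline."""
    law = SUBJECT_REGIME.get(req.residence)
    if law not in business_regimes or req.right not in REGIMES[law]["rights"]:
        return {"law": None, "deadline": None}
    key = "max_days" if req.extended else "base_days"
    due = date.fromisoformat(req.received) + timedelta(days=REGIMES[law][key])
    return {"law": law, "deadline": due.isoformat()}
```

A request that maps to no governing law (for example an EU resident's "opt out of sale", which GDPR handles through consent withdrawal rather than as a distinct right) is returned unrouted so it can be handled manually rather than silently dropped.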
Frequently asked questions
GDPR is a European Union law that applies to any company processing personal data of EU residents, regardless of where the company is located. CCPA is a California state law that applies to for-profit businesses meeting certain size thresholds that collect personal information from California residents. GDPR is broader in scope, stricter in requirements, and carries higher penalties. CCPA is more limited but still significant, especially with the CPRA amendments that took effect in 2023.
Yes. GDPR applies to any company that processes personal data of people located in the EU or EEA, regardless of where the company is based. If you have EU customers, users, or even website visitors from the EU, GDPR applies to you. There is no minimum revenue or employee threshold — if you process EU personal data, you must comply.
CCPA applies to for-profit businesses that do business in California AND meet at least one of these thresholds: annual gross revenue over $25 million; buying, selling, or sharing personal information of 100,000 or more consumers or households per year; or deriving 50% or more of annual revenue from selling or sharing personal information. Nonprofits and government agencies are generally exempt.
GDPR fines can reach €20 million or 4% of global annual revenue, whichever is higher. Major fines have included €1.2 billion against Meta and €746 million against Amazon. CCPA allows the California AG to seek civil penalties of $2,500 per unintentional violation and $7,500 per intentional violation. Consumers can also sue directly for data breaches — $100 to $750 per consumer per incident.
You need to comply with whichever laws apply to you based on your users and business size. If you have EU/EEA users, GDPR applies regardless of your size. If you're a for-profit company doing business in California and meet the revenue or data volume thresholds, CCPA applies. Many US companies with EU customers need both. The good news is that a strong GDPR compliance program covers most of what CCPA requires.
The CPRA (California Privacy Rights Act) is a 2020 ballot measure that significantly amended and expanded CCPA. It took effect January 1, 2023. The CPRA added a new category of sensitive personal information with additional protections, created the California Privacy Protection Agency to enforce the law, added a right to correct inaccurate data, and strengthened opt-out rights. When people say CCPA today, they usually mean CCPA as amended by CPRA.
A Data Processing Agreement is a legally required contract between a data controller (you) and a data processor (any vendor that processes personal data on your behalf). Under GDPR Article 28, you must have a DPA with every vendor that touches EU personal data — cloud providers, analytics tools, CRMs, payment processors, email platforms, etc. The DPA specifies what data is processed, for what purpose, and the security and confidentiality obligations of the processor.
Yes, for non-essential cookies. GDPR and the ePrivacy Directive together require informed, freely given, specific, and unambiguous consent before setting any cookies that aren't strictly necessary for the service to function. This means analytics cookies, advertising cookies, and most third-party tracking require an opt-in consent banner. Strictly necessary cookies (session cookies, authentication, security) do not require consent.