✦ Updated for CCPA 2026 Regulations

GDPR & CCPA Compliance Checklist: Side-by-Side Requirements + Overlap Guide

Every requirement for both privacy laws in one interactive checklist, showing exactly where they overlap so you can build one program that satisfies both.

58 total requirements
26 shared overlap areas
80% control overlap
CCPA updated for 2026

Before You Start

How to Use This Checklist

This checklist maps requirements across both GDPR and CCPA/CPRA side by side. Each item is tagged with which law(s) it applies to and whether it's a shared requirement you can satisfy once for both. The key insight: 80% of what CCPA requires is already covered if you build a solid GDPR program. Use the filters below to focus on what matters to you.

🇪🇺 GDPR applies if...
You process personal data of EU/EEA residents, regardless of where your company is based. No size threshold. Fines up to €20M or 4% of global revenue.
🇺🇸 CCPA/CPRA applies if...
You're a for-profit company doing business in California with $26.6M+ revenue, 100K+ consumer records, or 50%+ revenue from data sales. Fines up to $7,500 per violation.
✓ Overlap strategy
Build your program around GDPR (stricter). Layer CCPA-specific requirements on top. Items marked "Both" can be implemented once and satisfy both laws simultaneously.
⚠️ Disclaimer
This checklist is for informational purposes only and does not constitute legal advice. Requirements vary by jurisdiction and circumstances. Consult qualified legal counsel before making compliance decisions.

New to GDPR and CCPA? Read our plain-English guide first: GDPR vs CCPA: What's the Difference and Do You Need Both? →

The Full List

GDPR & CCPA Requirements Side by Side

58 requirements across 8 categories. Items marked "Both" satisfy GDPR and CCPA simultaneously; these are your highest-priority quick wins.

Legend: GDPR only / CCPA/CPRA only / Both laws (implement once)
🗺️ Data Inventory & Mapping (7 requirements)
Both laws ✓ Implement once
Build a complete data inventory (Record of Processing Activities)
Document every category of personal data you collect, where it lives, how it's used, who has access, and how long you retain it.
GDPR: Article 30 requires a formal Record of Processing Activities (RoPA). Mandatory for organizations with 250+ employees or high-risk processing.
CCPA: Data inventory is the foundation for honoring consumer rights requests, privacy notices, and opt-out mechanisms.
High effort
Both laws ✓ Implement once
Map all data flows: how data enters, moves, and leaves your organization
Trace every data flow: collection points, internal systems, third-party transfers, and deletion paths. Include hidden flows like analytics, ad tracking, and email sync.
GDPR: Required for accountability (Article 5(2)) and to identify cross-border transfers requiring safeguards.
CCPA: Required to identify what data is "sold" or "shared" and to support consumer rights responses.
High effort
Both laws ✓ Implement once
Categorize personal data by sensitivity level
Identify special/sensitive categories: health data, biometric data, financial data, racial/ethnic origin, sexual orientation, political views.
GDPR: Articles 9–10 impose strict rules on "special category" data; explicit consent or another specific legal basis is required.
CCPA/CPRA: "Sensitive Personal Information" (SPI) category added by CPRA requires additional opt-out rights and limitations.
Med effort
GDPR only
Document lawful basis for every processing activity
For each processing activity, document which of the six GDPR legal bases applies: consent, contract, legal obligation, vital interests, public task, or legitimate interest.
GDPR: Article 6 requires a documented lawful basis before processing begins. Insufficient legal basis is the top cause of large fines.
Med effort
Both laws ✓ Implement once
Identify and inventory all third-party vendors receiving personal data
List every vendor, service provider, and third party that receives personal data: analytics tools, CRMs, email platforms, payment processors, ad networks.
GDPR: Required to identify data processors needing a Data Processing Agreement (DPA).
CCPA: Required to classify vendors as service providers, contractors, or third parties, each with different compliance obligations.
Med effort
GDPR only
Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing
Assess risks before deploying new processing activities involving profiling, large-scale processing of sensitive data, or systematic monitoring. DPIAs are mandatory for high-risk activities.
GDPR: Article 35 requires DPIAs before high-risk processing. Regulators increasingly expect DPIAs for AI systems and large-scale profiling.
High effort
CCPA/CPRA only
Conduct formal Risk Assessments for high-risk CCPA activities (2026)
New 2026 requirement: documented risk assessments for selling/sharing personal information, processing sensitive PI, or using Automated Decision-Making Technology (ADMT).
CCPA/CPRA 2026: CPPA finalized risk assessment regulations effective January 1, 2026 for new high-risk processing activities.
High effort
📄 Privacy Notices & Transparency (7 requirements)
Both laws ✓ Implement once
Publish a comprehensive privacy policy
One well-written privacy policy can satisfy both laws. Cover: what you collect, why, how long you keep it, who you share it with, and how people can exercise their rights.
GDPR: Articles 13–14 require detailed disclosures including legal basis, retention periods, and transfer safeguards.
CCPA: Requires disclosure of categories collected, purposes, whether data is sold/shared, and consumer rights. Must be updated annually.
Med effort
CCPA/CPRA only
Publish a Notice at Collection at every data collection point
Separate from the privacy policy: a concise disclosure at or before the point of data collection explaining what categories are collected and why.
CCPA: Required at every collection point (sign-up forms, checkout, contact forms). Must be visible and accessible without requiring navigation.
Low effort
GDPR only
Disclose data retention periods for each category
For every processing activity, document and disclose how long data will be retained and the criteria used to determine retention periods.
GDPR: Article 13 requires retention period disclosure as part of your privacy notice. "We keep data as long as necessary" is not sufficient.
Med effort
GDPR only
Disclose cross-border data transfer safeguards
If you transfer personal data outside the EU/EEA, disclose the safeguards in place: Standard Contractual Clauses, adequacy decisions, or other mechanisms.
GDPR: Articles 13–14 and Chapter V require disclosure of transfer mechanisms. A top enforcement priority for regulators.
Med effort
Both laws ✓ Implement once
Disclose all third parties / service providers receiving personal data
In your privacy policy, list the categories of third parties to whom personal data is disclosed, sold, or shared.
GDPR: Article 13 requires disclosure of recipients or categories of recipients.
CCPA: Must disclose categories of third parties with whom data is sold or shared, including for advertising purposes.
Low effort
CCPA/CPRA only
Add "Do Not Sell or Share My Personal Information" link if applicable
If you sell or share personal information (including for cross-context behavioral advertising), add a clear opt-out link in your website footer and privacy policy.
CCPA/CPRA: Required if you "sell" or "share" data. "Sharing" for targeted advertising counts even without money changing hands.
Low effort
CCPA/CPRA only
Confirm opt-out requests visibly (2026 requirement)
New 2026 CCPA rule: when a consumer opts out of sale/sharing, you must now display visible confirmation that the opt-out was processed, not just accept it silently.
CCPA 2026: Opt-out confirmation is now mandatory. Silent acceptance is no longer compliant under the CPPA's 2026 regulatory updates.
Low effort
✅ Consent Management (6 requirements)
GDPR only
Implement a compliant cookie consent banner (opt-in)
GDPR requires explicit, informed, freely given consent before setting non-essential cookies. Consent must be as easy to withdraw as to give; pre-checked boxes are invalid.
GDPR: ePrivacy Directive + GDPR Article 7. Reject must be as easy as accept. Dark patterns (hiding the reject button) are a major enforcement priority in 2026.
High effort
CCPA/CPRA only
Honor Global Privacy Control (GPC) signals automatically
Configure your website to detect and automatically process GPC browser signals as opt-out requests for sale/sharing, without requiring any additional consumer action.
CCPA 2026: GPC signal compliance is now mandatory and actively enforced by the CPPA. The CPPA has already issued fines for non-compliance.
Med effort
GDPR only
Maintain consent records and audit logs
Document when, how, and what each user consented to. Records must be sufficient to prove consent was valid if challenged by a regulator or individual.
GDPR: Article 7(1) places the burden of proof on the controller to demonstrate valid consent. Consent records are a top auditor request.
Med effort
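The GPC item above, the opt-out confirmation item under Privacy Notices, and this consent-records item all rest on the same mechanism: an append-only record of every preference change that can be replayed to show the current state and to prove when and how it was captured. The code below is an added example written for this checklist, not code from the page or its publisher. It checks the `Sec-GPC` request header and `navigator.globalPrivacyControl` as the GPC specification defines them; the purpose names, the in-memory ledger, the field names and the confirmation wording are assumptions of this example.

```javascript
// Added example (not from the original checklist): an append-only
// consent/opt-out ledger that
//   1. treats a Global Privacy Control signal as an automatic opt-out of
//      sale/sharing, with no further action from the consumer,
//   2. records who consented to what, when, how, and under which policy
//      version, so valid consent can be demonstrated if challenged, and
//   3. returns the visible confirmation text to show once an opt-out is processed.
// Storage is an in-memory array for the demo; persist it in production.

const PURPOSES = ["analytics", "advertising", "sale_or_share"];

function createLedger() {
  return { entries: [] };
}

// Append one consent event. `source` says how the choice was captured
// ("banner", "gpc_signal", "preference_center"); `policyVersion` names the
// notice text the user saw, which is what an auditor will ask for.
function recordConsent(ledger, { userId, purpose, granted, source, policyVersion, at }) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  const entry = Object.freeze({
    userId, purpose, granted: Boolean(granted), source, policyVersion,
    at: new Date(at).toISOString(),
  });
  ledger.entries.push(entry); // entries are never edited or removed, only appended
  return entry;
}

// All entries for a user (optionally one purpose), oldest first.
function entriesFor(ledger, userId, purpose) {
  return ledger.entries
    .filter((e) => e.userId === userId && (purpose === undefined || e.purpose === purpose))
    .sort((a, b) => a.at.localeCompare(b.at));
}

// Current state for a user: the latest entry per purpose wins, and a purpose
// with no entry at all counts as NOT granted (no pre-checked defaults).
function currentConsent(ledger, userId) {
  const state = Object.fromEntries(PURPOSES.map((p) => [p, false]));
  for (const e of entriesFor(ledger, userId)) state[e.purpose] = e.granted;
  return state;
}

// GPC can be observed server-side (the Sec-GPC request header) or
// client-side (navigator.globalPrivacyControl); both are checked here.
function hasGpcSignal(headers, navigatorLike) {
  const lower = Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), String(v)]),
  );
  if (lower["sec-gpc"] === "1") return true;
  return Boolean(navigatorLike && navigatorLike.globalPrivacyControl === true);
}

// Apply a GPC signal as an opt-out of sale/sharing. The opt-out is written to
// the ledger only if the user is not already opted out, so repeat visits do not
// flood the audit trail, and a confirmation message is returned for display.
function applyGpcSignal(ledger, userId, headers, navigatorLike, policyVersion, at = new Date()) {
  if (!hasGpcSignal(headers, navigatorLike)) {
    return { signalPresent: false, recorded: false, confirmation: null };
  }
  const history = entriesFor(ledger, userId, "sale_or_share");
  const last = history[history.length - 1];
  const alreadyOptedOut = last !== undefined && last.granted === false;
  if (!alreadyOptedOut) {
    recordConsent(ledger, {
      userId, purpose: "sale_or_share", granted: false, source: "gpc_signal", policyVersion, at,
    });
  }
  return {
    signalPresent: true,
    recorded: !alreadyOptedOut,
    // Wording is illustrative; the point is that the confirmation is shown, not silent.
    confirmation: "Your request to opt out of the sale or sharing of your personal information has been processed.",
  };
}
```

Because `recordConsent` only appends and `currentConsent` derives state by replay, the ledger doubles as the audit log: the history for a user shows every banner choice and every GPC-driven opt-out with its timestamp, source and policy version, which is the evidence the burden-of-proof rule under Article 7(1) calls for.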
Both laws ✓ Implement once
Obtain opt-in consent before collecting data from minors
Implement age verification and parental consent mechanisms for users under 16 (GDPR) or 16/13 (CCPA).
GDPR: Article 8 requires parental consent under age 16 (member states may lower this to 13).
CCPA: Explicit opt-in required before selling data of consumers under 16; parental consent for under 13.
Med effort
GDPR only
Conduct Legitimate Interest Assessments (LIAs) where applicable
If relying on legitimate interest as your legal basis for processing (common for analytics, marketing), document a three-part test: purpose, necessity, and balancing test.
GDPR: Article 6(1)(f) requires a documented assessment for legitimate interest. Broad LI claims without a proper LIA are a common enforcement finding.
Med effort
CCPA/CPRA only
Add opt-in for sensitive personal information (SPI) use beyond primary purpose
CPRA added the right to limit use of Sensitive Personal Information. If you use SPI for any purpose beyond what's necessary for the service, you need explicit opt-in consent.
CCPA/CPRA: Sensitive PI includes SSNs, financial account details, health data, biometric data, precise geolocation, and more.
Low effort
👤 Consumer Rights & Data Subject Requests (8 requirements)
Both laws ✓ Implement once
Build a rights request intake and fulfillment workflow
Create a process to receive, verify identity, track, and respond to access, deletion, correction, and portability requests. Assign ownership and define response procedures.
GDPR: 30-day response deadline (extendable to 90 days). Must provide data in portable format on request.
CCPA: 45-day response deadline (extendable by 45 days). Must provide at least two request submission methods.
High effort
Both laws ✓ Implement once
Honor the Right to Delete / Erasure
When a valid deletion request is received, delete or anonymize personal data across all systems (including backups where technically feasible) and notify downstream processors.
GDPR: Article 17 "right to be forgotten." Must also notify third parties to whom data was disclosed.
CCPA: Right to delete with exceptions (legal obligation, security, fraud prevention). Must instruct service providers to delete as well.
Med effort
Both laws ✓ Implement once
Honor the Right to Access / Know
Provide individuals with a copy of their personal data, the purposes of processing, categories of data, recipients, and retention periods upon request.
GDPR: Article 15 right of access: provide a copy of personal data plus processing details within 30 days.
CCPA: Right to know covers the categories and specific pieces of data collected, purposes, and third parties. Consumers can request data going back 12 months (extended under 2026 rules).
Med effort
Both laws ✓ Implement once
Honor the Right to Correct / Rectification
When individuals identify inaccurate personal data, correct it across your systems and notify downstream processors of the correction.
GDPR: Article 16 right to rectification β€” correct inaccurate data without undue delay.
CCPA/CPRA: Right to correction was added by CPRA effective January 2023.
Med effort
Both laws ✓ Implement once
Honor the Right to Data Portability
Provide personal data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) when requested.
GDPR: Article 20 applies when processing is based on consent or contract and carried out by automated means.
CCPA: Right to portability requires data to be provided in a usable format that allows transfer to another service.
Med effort
GDPR only
Honor the Right to Object to processing (including profiling)
When individuals object to processing based on legitimate interest or for direct marketing, stop processing unless you can demonstrate compelling legitimate grounds.
GDPR: Article 21. The right to object is absolute for direct marketing; for other processing, a balance of interests applies.
Med effort
CCPA/CPRA only
Ensure non-discrimination for exercising rights
Do not deny service, charge different prices, or provide different quality to consumers who exercise their CCPA rights. Document your non-discrimination policy.
CCPA: Explicit right not to be discriminated against for exercising CCPA rights. Financial incentive programs (loyalty programs) are permitted with disclosure.
Low effort
CCPA/CPRA only
Implement Automated Decision-Making Technology (ADMT) opt-out (2027)
CCPA 2026 regulations introduce ADMT requirements: consumers will have the right to opt out of automated decisions with legal or significant effects. Full enforcement begins January 2027 for existing systems.
CCPA 2026/2027: Begin preparing ADMT inventory and opt-out mechanisms now. New systems deploying after January 2026 must comply immediately.
Med effort
🤝 Vendor & Processor Management (6 requirements)
GDPR only
Execute Data Processing Agreements (DPAs) with all processors
Any vendor that processes EU personal data on your behalf must have a signed DPA specifying the nature, purpose, and duration of processing, plus security obligations.
GDPR: Article 28 makes DPAs mandatory with every data processor. This includes cloud providers, analytics, email platforms, CRMs, and any SaaS tool that handles personal data.
High effort
CCPA/CPRA only
Execute service provider contracts restricting data use
Contracts with service providers must restrict them from using personal information for any purpose other than the specific services they provide: no secondary use, profiling, or enrichment.
CCPA/CPRA: Service provider classification requires a written contract. Without it, sharing data counts as a "sale" triggering consumer opt-out rights.
High effort
GDPR only
Implement Standard Contractual Clauses (SCCs) for cross-border transfers
For transfers of EU personal data to countries without an EU adequacy decision (including the US for non-DPF companies), implement SCCs and conduct Transfer Impact Assessments where required.
GDPR: Chapter V. Cross-border transfers without adequate safeguards are one of the top enforcement areas. US transfers require the EU-US Data Privacy Framework or SCCs.
High effort
Both laws ✓ Implement once
Conduct due diligence on vendor privacy and security practices
Assess vendors before onboarding for privacy and security posture. Tier by risk level. Require evidence of compliance (certifications, audit reports, questionnaires).
GDPR: Article 28 requires selecting processors that provide "sufficient guarantees" of GDPR-compliant security.
CCPA: Correct classification and contracting depends on understanding how vendors use personal information.
Med effort
Both laws ✓ Implement once
Flow down deletion obligations to service providers
When you receive a deletion request, your service providers must also delete that individual's data. Ensure contracts and workflows support downstream deletion.
GDPR: Article 28 requires processors to delete or return data at controller's instruction.
CCPA: Service providers must delete personal information upon your instruction to honor consumer deletion requests.
Med effort
Both laws ✓ Implement once
Monitor and periodically review vendor compliance
Schedule annual vendor reviews, subscribe to breach notification services, and audit high-risk vendors' compliance posture. Update contracts when services change.
GDPR: Controllers remain liable for processor non-compliance; ongoing oversight is required, not just initial contracting.
CCPA: Vendor non-compliance with service provider obligations can expose you to liability for unauthorized data use.
Low effort
🔒 Security & Breach Notification (7 requirements)
Both laws ✓ Implement once
Implement appropriate technical and organizational security measures
Deploy encryption at rest and in transit, access controls, MFA, logging, vulnerability management, and security testing proportionate to the risk of your processing activities.
GDPR: Article 32 requires "appropriate" security measures considering state of the art, cost, and risk. Risk-based, not prescriptive.
CCPA: Requires "reasonable security" for personal information. Failure to implement reasonable security is the basis for private right of action in data breaches.
High effort
Both laws ✓ Implement once
Build and test a data breach incident response plan
Document how you detect, contain, investigate, and notify breaches. Define escalation paths, severity classifications, and response timelines. Test with a tabletop exercise annually.
GDPR: Article 33 requires notifying the supervisory authority within 72 hours of becoming aware of a breach; Article 34 requires notifying affected individuals if the risk is high.
CCPA: California breach notification law (separate from CCPA) requires prompt notification. CCPA's private right of action applies to breaches of unencrypted data.
Med effort
GDPR only
Notify supervisory authority within 72 hours of a qualifying breach
Report breaches to your lead EU supervisory authority (e.g., ICO in UK, CNIL in France, DPC in Ireland) within 72 hours of discovery, unless the breach is unlikely to result in risk to individuals.
GDPR: Article 33. The 72-hour clock starts when you "become aware." Document your breach detection and notification processes thoroughly.
Med effort
Both laws ✓ Implement once
Encrypt personal data at rest and in transit
Encrypt databases, file stores, and backups containing personal data. Enforce TLS for all data in transit. Maintain key management procedures.
GDPR: Article 32 explicitly mentions encryption as an appropriate technical measure. Encrypted data may reduce breach notification obligations.
CCPA: Encryption exempts businesses from the private right of action for data breaches, a strong compliance and liability-reduction incentive.
High effort
GDPR only
Implement Privacy by Design and by Default
Embed data protection principles into every new product, feature, and process from the outset. Default settings must be the most privacy-friendly option; users should not have to take action to protect their privacy.
GDPR: Article 25 makes this mandatory for all new processing activities. A top enforcement priority in 2026, especially for product teams building with AI.
High effort
CCPA/CPRA only
Conduct annual cybersecurity audits (large businesses, 2026+)
CPPA regulations require businesses engaged in high-risk data processing to undergo independent annual cybersecurity audits. Staggered implementation based on business size through 2030.
CCPA 2026: Phased requirement, with higher-risk businesses first. Begin scoping and preparing documentation now to get ahead of the requirement.
High effort
Both laws ✓ Implement once
Implement data minimization and purpose limitation
Only collect data you actually need for a stated purpose. Don't use personal data for purposes beyond what was disclosed at collection. Define and enforce retention limits.
GDPR: Articles 5(1)(b) and 5(1)(c): purpose limitation and data minimization are core GDPR principles. Violations are commonly cited in fines.
CCPA/CPRA: Data minimization rules added by CPRA require businesses to limit collection and use to what is necessary for the disclosed purpose.
Med effort
πŸ›οΈ
Governance & Accountability
8 requirements
β–Ό
GDPR only
Appoint a Data Protection Officer (DPO) if required
Required for public authorities, organizations that carry out large-scale systematic monitoring, or large-scale processing of special category data. Many companies appoint one voluntarily.
GDPR: Article 37. The DPO must be independent, have expert knowledge of data protection law, and be provided adequate resources. Contact details must be published.
Low effort
GDPR only
Appoint an EU representative if established outside the EU
Non-EU companies processing EU personal data on a non-occasional basis must designate a representative in the EU as a point of contact for supervisory authorities and individuals.
GDPR: Article 27 requires this unless processing is occasional and low-risk. The EU representative is legally liable alongside the controller.
Low effort
Both laws ✓ Implement once
Conduct annual privacy awareness training for all staff
Train all employees on privacy principles, how to handle personal data, how to recognize a data breach, and how to respond to rights requests. Document completion.
GDPR: Article 39 (DPO duties include raising awareness) and accountability principle require demonstrable staff training.
CCPA: Individuals responsible for handling consumer inquiries must be trained on CCPA rights and compliance practices.
Med effort
Both laws ✓ Implement once
Conduct periodic privacy audits and compliance reviews
At least annually, review your privacy program against current requirements: data inventory currency, vendor contracts, rights request logs, consent records, and security measures.
GDPR: The accountability principle (Article 5(2)) requires demonstrating compliance; ongoing review is essential.
CCPA: Annual review aligns with the CCPA requirement to update privacy policies annually and review applicability thresholds.
Med effort
Both laws ✓ Implement once
Maintain documentation of your compliance program
Keep records of all compliance decisions, training completions, rights request logs, breach investigations, vendor contracts, and policy versions. Regulators will ask for this evidence.
GDPR: The accountability principle requires documentation proving compliance: not just implementing controls but proving they operate.
CCPA: Businesses must maintain records of consumer rights requests and responses for 24 months.
Low effort
CCPA/CPRA only
Confirm CCPA applicability thresholds annually
Re-confirm each year whether your business meets CCPA applicability thresholds (revenue, data volume, or data sale revenue). Thresholds are adjusted for inflation annually by the CPPA.
CCPA: 2025–2026 revenue threshold: $26,625,000. The threshold is adjusted for inflation by the CPPA each year; don't assume last year's number still applies.
Low effort
Both laws ✓ Implement once
Assign clear privacy ownership and accountability
Designate who owns privacy compliance, who handles rights requests, who reviews vendor contracts, and who responds to breaches. Document these roles formally.
GDPR: The accountability principle requires demonstrable governance, including defined roles for data protection.
CCPA: Organizations must have individuals trained and responsible for handling consumer inquiries about privacy practices.
Med effort
Both laws ✓ Implement once
Review and update privacy program when regulations change
Subscribe to regulatory updates from the EDPB (GDPR) and CPPA (CCPA). Update policies, notices, and workflows when new requirements take effect. Don't set and forget.
GDPR: EDPB guidance and national supervisory authority decisions regularly clarify and update compliance expectations.
CCPA: The CPPA issued major regulatory updates in 2025–2026 covering consent, ADMT, and cybersecurity audits; active monitoring is essential.
Low effort
💻 Website & Technical Compliance (9 requirements)
Both laws ✓ Implement once
Audit all tracking technologies on your website
Identify every cookie, pixel, script, and SDK collecting personal data. Categorize by type (essential, analytics, advertising). This is the foundation for consent management and opt-out.
GDPR: Non-essential trackers require prior consent. You cannot obtain valid consent for trackers you haven't identified.
CCPA: Third-party advertising trackers likely constitute "sharing" personal data, triggering opt-out obligations even without payment.
Med effort
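One way to get that first inventory is to scan the page's own HTML for every external resource and classify each host by what it does. The following is an added example written for this checklist, not code from the page or its publisher. The host registry, the first-party host list, the category-to-obligation mapping and the sample HTML are all constructed for the demo; a real audit would use a maintained vendor list plus manual review, and would also capture resources injected at runtime, which a static scan cannot see.

```javascript
// Added example (not from the original checklist): a first-pass inventory of
// the tracking resources embedded in a page's HTML. It extracts every
// script, image and iframe source, groups them by host, and classifies each
// host against a small registry. Everything named below is constructed.

const FIRST_PARTY_HOSTS = new Set(["www.example.com", "example.com"]);

// Category decides the compliance consequence: "essential" needs no consent;
// "analytics" and "advertising" need prior consent for EU visitors; and
// "advertising" hosts are treated as CCPA sale/sharing candidates.
const KNOWN_HOSTS = {
  "cdn.example.com": "essential",               // assumed first-party CDN
  "analytics.example-vendor.test": "analytics", // constructed vendor host
  "pixel.ads-network.test": "advertising",      // constructed ad pixel host
};

// Pull src attributes from <script>, <img> and <iframe> tags.
function extractResourceUrls(html) {
  const found = [];
  const re = /<(script|img|iframe)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) found.push({ tag: m[1].toLowerCase(), url: m[2] });
  return found;
}

// Resolve relative and protocol-relative URLs against the audited page.
function hostOf(url, pageHost) {
  try { return new URL(url, `https://${pageHost}/`).hostname; } catch (e) { return null; }
}

function classifyHost(host) {
  if (FIRST_PARTY_HOSTS.has(host)) {
    return { category: "first_party", consentRequired: false, ccpaSharingCandidate: false };
  }
  if (host in KNOWN_HOSTS) {
    const category = KNOWN_HOSTS[host];
    return { category, consentRequired: category !== "essential", ccpaSharingCandidate: category === "advertising" };
  }
  // Unknown third party: assume the worst until someone reviews it.
  return { category: "unknown_third_party", consentRequired: true, ccpaSharingCandidate: true };
}

// Group resources by host and attach the compliance classification.
function auditTrackers(html, pageHost) {
  const byHost = new Map();
  for (const { tag, url } of extractResourceUrls(html)) {
    const host = hostOf(url, pageHost);
    if (!host) continue;
    if (!byHost.has(host)) byHost.set(host, { tags: new Set(), count: 0 });
    const info = byHost.get(host);
    info.tags.add(tag);
    info.count += 1;
  }
  return [...byHost.entries()]
    .map(([host, info]) => ({ host, ...classifyHost(host), tags: [...info.tags].sort(), count: info.count }))
    .sort((a, b) => a.host.localeCompare(b.host));
}

// Constructed sample page: one first-party script, a CDN, an analytics tag,
// a 1x1 ad pixel, an unknown embedded widget, and a CDN-hosted logo.
const SAMPLE_HTML = `<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="https://analytics.example-vendor.test/tag.js"></script>
</head><body>
<img src="//pixel.ads-network.test/px.gif?id=123" width="1" height="1">
<iframe src="https://unknown-widget.test/embed"></iframe>
<img src='https://cdn.example.com/logo.png'>
</body></html>`;

function runTrackerAudit() {
  return auditTrackers(SAMPLE_HTML, "www.example.com");
}
```

The report is the input to the next two items: every host with `consentRequired` true must sit behind the consent banner for EU visitors, and every `ccpaSharingCandidate` host needs a decision on whether it triggers the "Do Not Sell or Share" opt-out. Treating unknown hosts as requiring consent keeps an unreviewed tag from silently firing before consent.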
GDPR only
Deploy a compliant Consent Management Platform (CMP) for EU visitors
Use a CMP (OneTrust, Cookiebot, Osano, etc.) that captures valid prior consent for non-essential cookies from EU/EEA visitors. Consent must be granular, specific, and easily withdrawable.
GDPR 2026 priority: Dark patterns that make rejecting cookies harder than accepting are a top enforcement priority. CNIL fined Google €100M for this.
High effort
Both laws ✓ Implement once
Audit and configure analytics tools for privacy compliance
Configure Google Analytics (or alternative) with IP anonymization, data sharing disabled, and appropriate consent mode. Consider privacy-friendly analytics alternatives for EU users.
GDPR: Several EU DPAs (Austria, France, Italy, Denmark) have found standard Google Analytics to be non-compliant due to US data transfers.
CCPA: Analytics data sharing may constitute "sharing" for cross-context behavioral advertising, triggering opt-out obligations.
Med effort
Both laws ✓ Implement once
Publish privacy policy link in website footer on every page
Privacy policy must be clearly accessible from every page of your website, typically in the footer. Link text should be unambiguous ("Privacy Policy" not "Legal").
GDPR: Transparency principle requires privacy information to be easily accessible.
CCPA: Privacy policy must be "conspicuously posted" on your website. Footer link on every page satisfies this requirement.
Low effort
Both laws ✓ Implement once
Implement a working privacy request submission mechanism
Provide at least one (CCPA requires two) clear method for individuals to submit rights requests: privacy@yourcompany.com, a web form, or an in-app request flow.
GDPR: Rights requests can be submitted verbally or in writing; you must have a process to receive and handle them promptly.
CCPA: Must provide at least two designated methods for submitting requests (e.g., email + online form). One must be a toll-free number for businesses with a physical presence.
Med effort
Both laws ✓ Implement once
Implement identity verification for rights requests
Before responding to access or deletion requests, verify the requester's identity through a reasonable process, without collecting more data than necessary for verification.
GDPR: Article 12 permits reasonable identity verification, but it must be proportionate. You cannot collect excessive data purely for verification.
CCPA: Requires "reasonable" verification; the method varies by request type. Sensitive requests (SSN, financial data) require higher verification than general access requests.
Med effort
Both laws ✓ Implement once
Enforce data retention limits and automated deletion
Implement automated processes to delete or anonymize data when retention periods expire. Don't keep data "just in case." Document retention schedules for each data category.
GDPR: Storage limitation principle (Article 5(1)(e)): data must not be kept longer than necessary. Regulators increasingly check for actual deletion, not just policies.
CCPA/CPRA: Data minimization requires limiting retention to what's necessary for the disclosed purpose. CPPA enforcement targets data hoarding.
Med effort
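The item above asks for deletion that actually runs, not a retention policy that sits in a document. The following is an added example written for this checklist, not code from the page or its publisher, showing a retention job that plans before it destroys anything: each data category carries a period and an expiry action (delete, or anonymize where aggregate statistics are still needed), records under a documented legal hold are reported rather than deleted (the "legal obligation" exception the CCPA deletion item mentions), and records whose category has no rule are flagged instead of quietly kept. The categories, periods, field names and sample rows are all constructed for the demo.

```javascript
// Added example (not from the original checklist): enforcing a retention
// schedule mechanically. Everything named below (categories, periods, basis
// labels, field names, sample rows) is constructed for illustration.

const RETENTION_SCHEDULE = {
  account:        { days: 365 * 2, action: "delete",    basis: "contract" },
  support_ticket: { days: 365,     action: "delete",    basis: "legitimate_interest" },
  web_analytics:  { days: 90,      action: "anonymize", basis: "consent" },
  invoice:        { days: 365 * 7, action: "delete",    basis: "legal_obligation" },
};

const MS_PER_DAY = 24 * 60 * 60 * 1000;

function daysBetween(earlier, later) {
  return Math.floor((new Date(later) - new Date(earlier)) / MS_PER_DAY);
}

// Null out direct identifiers (assumed field names) but keep the rest of the
// row so it can still feed aggregate reporting.
function anonymize(record, now) {
  const copy = { ...record };
  for (const field of ["userId", "email", "ipAddress"]) {
    if (field in copy) copy[field] = null;
  }
  copy.anonymizedAt = new Date(now).toISOString();
  return copy;
}

// Build a plan as of `now` without touching storage, so it can be logged and
// reviewed before anything is destroyed.
function planRetention(records, now, schedule = RETENTION_SCHEDULE) {
  const plan = { delete: [], anonymize: [], keep: [], held: [], unknownCategory: [] };
  for (const rec of records) {
    const rule = schedule[rec.category];
    if (!rule) { plan.unknownCategory.push(rec.id); continue; } // no rule: flag, never silently keep
    const ageDays = daysBetween(rec.lastActivity, now);
    if (ageDays < rule.days) { plan.keep.push(rec.id); continue; }
    if (rec.legalHold) { plan.held.push(rec.id); continue; }    // expired but must be retained
    plan[rule.action].push(rec.id);
  }
  return plan;
}

// Execute a plan against an in-memory store and return the surviving rows:
// deleted rows are gone, anonymized rows have lost their identifiers.
function applyRetention(records, plan, now) {
  const toDelete = new Set(plan.delete);
  const toAnonymize = new Set(plan.anonymize);
  return records
    .filter((r) => !toDelete.has(r.id))
    .map((r) => (toAnonymize.has(r.id) ? anonymize(r, now) : r));
}

// Constructed sample data: five rows evaluated as of 1 February 2026.
const SAMPLE_RECORDS = [
  { id: "a1", category: "account", userId: "u1", email: "u1@example.com", lastActivity: "2023-01-15T00:00:00Z" },
  { id: "a2", category: "account", userId: "u2", email: "u2@example.com", lastActivity: "2025-11-01T00:00:00Z" },
  { id: "w1", category: "web_analytics", userId: "u1", ipAddress: "203.0.113.7", page: "/pricing", lastActivity: "2025-09-01T00:00:00Z" },
  { id: "i1", category: "invoice", userId: "u1", email: "u1@example.com", amount: 120, lastActivity: "2018-01-01T00:00:00Z", legalHold: true },
  { id: "x1", category: "marketing_lead", userId: "u9", lastActivity: "2020-01-01T00:00:00Z" },
];
const AS_OF = "2026-02-01T00:00:00Z";

function runRetentionDemo() {
  const plan = planRetention(SAMPLE_RECORDS, AS_OF);
  const remaining = applyRetention(SAMPLE_RECORDS, plan, AS_OF);
  return { plan, remaining };
}
```

Keeping the plan separate from execution gives the job an audit artifact: the plan for each run (what was deleted, what was anonymized, what was held and why, and which categories had no rule) is exactly the evidence a regulator checking for "actual deletion, not just policies" will ask to see. The `unknownCategory` bucket is the important failure mode: new data categories appear before anyone updates the schedule, and without that bucket they would be retained indefinitely by default.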
CCPA/CPRA only
Add "Limit the Use of My Sensitive Personal Information" link if applicable
CPRA added the right to limit use of Sensitive Personal Information (SPI). If you use SPI beyond the primary business purpose, add a clearly labeled link for consumers to exercise this right.
CCPA/CPRA: Can be combined with the "Do Not Sell or Share" link. Must be functional; a dead link or non-working mechanism violates the regulation.
Med effort
GDPR only
Configure email marketing for GDPR consent compliance
Marketing emails to EU contacts require prior opt-in consent; pre-checked boxes, inferred consent, and "legitimate interest" for unsolicited marketing to individuals are not valid under GDPR.
GDPR + ePrivacy: Soft opt-in is permitted only for existing customers and similar products. All other marketing requires explicit prior consent with a clear opt-out mechanism.
Med effort

Common Questions

GDPR & CCPA FAQ

Do I need to comply with both GDPR and CCPA?
You need to comply with whichever laws apply based on your users and business size. GDPR applies if you process personal data of EU/EEA residents, with no size threshold. CCPA applies if you're a for-profit company in California with $26.6M+ revenue, 100K+ consumer records, or 50%+ revenue from data sales. Many US SaaS companies with EU customers need both. The good news: a strong GDPR program covers most CCPA requirements, so build for GDPR and layer CCPA-specifics on top.
What's the fastest way to comply with both at once?
Build your foundation around GDPR; it's stricter in almost every dimension. Complete your data inventory, document lawful bases, execute vendor DPAs, and implement a compliant consent management platform. Then layer on the CCPA-specifics: Notice at Collection, "Do Not Sell or Share" link, CCPA rights request workflow, GPC signal compliance, and CCPA-specific vendor contracts. The 26 "Both" items in this checklist are your first priority; they satisfy both laws simultaneously.
What are the new CCPA requirements for 2026?
The CPPA finalized major regulatory updates effective January 1, 2026: mandatory opt-out confirmation (you must visibly confirm when a consumer opts out of sale/sharing), expanded right-to-know provisions extending data access windows, formal risk assessment requirements for high-risk processing activities started after January 2026, and mandatory GPC signal compliance with active enforcement. Cybersecurity audit requirements are phasing in through 2030, and Automated Decision-Making Technology (ADMT) opt-out rules take effect January 2027 for existing systems.
Does GDPR apply to US companies?
Yes. GDPR applies to any organization processing personal data of EU/EEA residents, regardless of where the organization is based. If you have EU customers, users, or even website visitors from the EU and collect any data about them (including IP addresses via analytics), GDPR applies to you. There is no minimum revenue or employee threshold; the obligation exists from day one of having any EU data subject.
What's the difference between "selling" and "sharing" under CCPA?
"Selling" means exchanging personal information for money or other valuable consideration. "Sharing," added by CPRA, means disclosing personal information to a third party for cross-context behavioral advertising, even without payment. This is significant because many businesses that use Google Analytics, Meta Pixel, or programmatic advertising are "sharing" personal data without realizing it, which triggers consumer opt-out rights. If you run any form of retargeting or behavioral advertising, you're almost certainly "sharing."
What is a Data Processing Agreement (DPA) and do I need one?
A DPA is a legally required contract between you (as a data controller) and any vendor that processes EU personal data on your behalf (as a data processor). Under GDPR Article 28, DPAs are mandatory with every vendor that touches EU personal data: cloud providers, analytics tools, CRMs, email platforms, payment processors, etc. Most major vendors (AWS, Google, Salesforce) offer standard DPAs, but you typically need to sign them in your account settings; they're not automatically applied. CCPA has a separate requirement for "service provider contracts" but with different terms.
What are the penalties for non-compliance?
GDPR fines reach up to €20 million or 4% of global annual revenue, whichever is higher. Major fines include €1.2B against Meta and €746M against Amazon. CCPA allows the CPPA to seek $2,500 per unintentional violation and $7,500 per intentional violation. Consumers can sue directly for data breaches: $100 to $750 per consumer per incident. A breach affecting 500,000 California consumers could expose you to $375M in statutory damages before attorneys' fees. Don't let the lower per-violation CCPA numbers mislead you; at scale, it adds up quickly.

© 2026 Gap Assessment · freegapassessment.com
For informational purposes only. Not legal advice. Consult qualified legal counsel before making compliance decisions.