Two frameworks, different philosophies
If your business serves customers in both the European Union and California, you are subject to two of the world's most consequential privacy frameworks: the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA). While both laws protect personal data, they approach the problem from fundamentally different angles, and understanding these differences is essential to getting compliance right.
The GDPR is built on an opt-in model. The default position is that you cannot process personal data without a valid legal basis — and for many common activities like marketing, that legal basis is explicit consent. You need permission before you act.
The CCPA/CPRA, by contrast, follows an opt-out model. Businesses can collect and use personal information by default, but consumers have the right to opt out of certain activities — particularly the sale or sharing of their data. You can act, but you must give people the ability to say no.
This fundamental difference shapes everything downstream: how you collect consent, how you write your privacy notices, and how you handle consumer requests.
Scope: who is covered
GDPR applies to any organization that processes personal data of EU residents, regardless of where the organization is based. There is no revenue threshold or minimum size — a one-person consultancy that collects an EU customer's email address is technically in scope.
CCPA/CPRA has narrower applicability. It applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue exceeding $25 million, buying, selling, or sharing the personal information of 100,000 or more California consumers or households annually, or deriving 50% or more of annual revenue from selling or sharing personal information. If you do not meet any of these thresholds, the CCPA/CPRA does not apply to you directly — though California's general privacy principles and other sector-specific laws may still be relevant.
Data covered
The GDPR protects "personal data" — any information relating to an identified or identifiable natural person. The CCPA/CPRA protects "personal information" — information that identifies, relates to, describes, or could reasonably be linked with a particular consumer or household. In practice, the scope is similar, but the CCPA explicitly includes household-level data, which the GDPR does not.
Both frameworks cover names, email addresses, IP addresses, purchase histories, browsing behavior, and geolocation data. The CCPA/CPRA additionally includes inferences drawn from personal information to create consumer profiles.
Consumer rights: a side-by-side comparison
Both frameworks grant individuals a set of rights, but the specifics vary:
Right to know / Right of access. Both laws give individuals the right to know what data you hold on them. Under GDPR, this is the "right of access" (Article 15). Under CCPA/CPRA, it is the "right to know" — consumers can request the categories and specific pieces of personal information collected, the sources, the purposes, and the third parties it has been shared with.
Right to delete. Both laws provide a right to deletion, though the GDPR's version (the "right to erasure" or "right to be forgotten") is slightly broader, applying whenever the data is no longer necessary for the original purpose.
Right to correct. Both frameworks now include a right to correction. GDPR has always included this under Article 16. CPRA added this right for California consumers.
Right to opt out of sale/sharing. This is unique to the CCPA/CPRA. If your business "sells" or "shares" personal information (and the definition of "sell" is broader than you might expect — it includes sharing data for cross-context behavioral advertising), you must provide a clear "Do Not Sell or Share My Personal Information" link on your website.
Right to data portability. The GDPR gives individuals the right to receive their data in a structured, machine-readable format. The CCPA/CPRA does not have an equivalent right at the same level of specificity.
What you actually need to do if you serve both markets
If your business is subject to both frameworks, the practical approach is to build your compliance program to the higher standard — which is generally the GDPR — and then layer on CCPA/CPRA-specific requirements where they differ. Here is what that looks like:
Privacy notices. You need a privacy policy that satisfies both laws. The GDPR requires you to disclose your lawful basis for processing, data retention periods, and the contact details of your Data Protection Officer (if applicable). The CCPA/CPRA requires you to disclose the categories of personal information collected, the purposes, whether you sell or share data, and consumer rights under California law. A well-structured, layered privacy notice can address both.
Consent mechanisms. For EU visitors, you need opt-in consent for cookies and marketing. For California consumers, you need opt-out mechanisms. In practice, this often means implementing a cookie consent banner that geo-targets: EU visitors see an opt-in banner, while California visitors see an opt-out mechanism with the required "Do Not Sell or Share" link.
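As an added example (not code from the original article or from Dxtra), the following JavaScript encodes that geo-targeted split as a small consent-state resolver: EU visitors start in the GDPR opt-in state, California visitors start in the CCPA/CPRA opt-out state with the "Do Not Sell or Share" link required, and a gate function decides whether a tag in a given category may run. It assumes the visitor's region has already been classified upstream (a hypothetical geo-IP lookup) and is passed in as "EU", "CA" or another string.

```javascript
// Added example: consent-state resolver for a geo-targeted cookie banner.
// Region detection is assumed to happen elsewhere; we only receive its result.

const ESSENTIAL = "essential";
const NON_ESSENTIAL = ["analytics", "marketing", "sale_or_share"];

// State before the visitor has interacted with the banner.
function initialConsent(region) {
  if (region === "CA") {
    // CCPA/CPRA opt-out model: processing may proceed by default, but the page
    // must show the "Do Not Sell or Share My Personal Information" link.
    return {
      model: "opt-out",
      showDoNotSellLink: true,
      allowed: new Set([ESSENTIAL, ...NON_ESSENTIAL]),
    };
  }
  // GDPR opt-in model for EU visitors. Assumption: a region we cannot classify
  // also gets the opt-in default, i.e. the higher standard the article recommends.
  return {
    model: "opt-in",
    showDoNotSellLink: false,
    allowed: new Set([ESSENTIAL]),
  };
}

// Apply the visitor's banner interaction and return a new state.
//   opt-in:  choice.accept lists the categories the visitor ticked.
//   opt-out: choice.doNotSellOrShare === true withdraws sale/sharing.
function applyChoice(state, choice) {
  const allowed = new Set([ESSENTIAL]); // essential processing never depends on consent
  if (state.model === "opt-in") {
    for (const c of choice.accept || []) {
      if (NON_ESSENTIAL.includes(c)) allowed.add(c); // ignore unknown category names
    }
  } else {
    for (const c of NON_ESSENTIAL) allowed.add(c);
    if (choice.doNotSellOrShare) allowed.delete("sale_or_share");
  }
  return { ...state, allowed };
}

// Gate consulted before loading a tag: may this category run right now?
function mayRun(state, category) {
  return category === ESSENTIAL || state.allowed.has(category);
}
```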
Consumer request workflows. Both laws require you to respond to data requests. The GDPR gives you 30 days; the CCPA/CPRA gives you 45 days (extendable by a further 45). You need a process for receiving, verifying, and fulfilling these requests — ideally a single workflow that satisfies both frameworks.
Vendor management. Both laws require you to manage your relationships with third-party data processors/service providers. Under the GDPR, you need formal Data Processing Agreements. Under the CCPA/CPRA, you need service provider or contractor agreements that include specific contractual terms.
The practical path forward
Rather than treating GDPR and CCPA/CPRA as entirely separate compliance exercises, smart businesses build a unified program. Dxtra handles this automatically — when you answer questions about your business, the AI generates documentation that satisfies both frameworks (and the other 500+ privacy obligations it covers across 140+ countries). Your privacy policy addresses GDPR Article 13/14 requirements and CCPA/CPRA disclosure requirements simultaneously. Your consent management adapts based on where the visitor is located. Your data subject rights workflows cover both the 30-day GDPR deadline and the 45-day CCPA timeline.
The key insight is that privacy compliance is not about learning every detail of every law. It is about having the right documentation, the right processes, and the right tools to respond to whichever framework applies to the data you are processing at any given moment.
