GDPR vs CCPA in 2026: Key Differences Every Business Should Know
Both are landmark privacy laws, but they work very differently. Here's a clear, side-by-side breakdown of what matters for your business.
Quick Overview
The GDPR (EU, 2018) is an opt-in framework - companies need a legal basis before processing personal data. The CCPA/CPRA (California, 2020/2023) is an opt-out framework - companies can collect data but must let consumers opt out.
This fundamental difference shapes everything else: consent models, penalties, and compliance costs.
Side-by-Side Comparison
| Aspect | GDPR | CCPA/CPRA |
|---|---|---|
| Scope | Anyone processing EU residents' data | Businesses with $25M+ revenue, 100K+ consumers, or 50%+ revenue from data sales in California |
| Consent model | Opt-in (need legal basis first) | Opt-out (collect, then let users opt out) |
| Who it protects | All EU residents ("data subjects") | California residents ("consumers") |
| What's covered | Any personal data | Personal information (broader, includes household data) |
| Right to delete | Yes | Yes |
| Right to correct | Yes | Yes (added by CPRA) |
| Right to portability | Yes | Yes |
| Data minimization | Required | Not explicitly required |
| DPO required | Yes (for certain orgs) | No |
| Breach notification | 72 hours to authority | "Expedient" to consumers |
| Max penalty | 4% of global revenue or €20M | $7,500 per intentional violation |
| Private right of action | Limited | Yes (for data breaches) |
| Enforced by | DPAs in each EU country | California AG + CPPA |
What Changed in 2026
GDPR enforcement hit record levels - fines in 2024–2025 exceeded €2 billion combined. Cross-border enforcement between EU data protection authorities is now more coordinated, making it harder for companies to exploit jurisdictional gaps.
CCPA/CPRA got major new regulations in 2026: mandatory cybersecurity audits, formal risk assessments for automated decision-making, and the California Delete Act's opt-out platform went live - creating new obligations for data brokers. The California Privacy Protection Agency (CPPA) is now fully operational and issuing enforcement actions independently.
Which Applies to You?
GDPR applies if you offer goods or services to people in the EU, monitor the behavior of people in the EU, or process personal data of EU residents - even if you have no physical presence in Europe.
CCPA applies if you do business in California and meet any one of three thresholds: $25M+ annual revenue, buy/sell/share data of 100,000+ consumers, or derive 50%+ of revenue from selling personal information.
Many businesses are subject to both. If that's you, the practical approach is to build your compliance program around GDPR (the stricter framework) and layer CCPA-specific requirements on top, particularly around the right to opt out of data sales and the private right of action for data breaches.
The Bottom Line
GDPR is broader, stricter, and has bigger penalties. CCPA is more specific to California but includes a private right of action that GDPR mostly lacks. If you comply with GDPR, you're 80% of the way to CCPA compliance. But don't forget the other 19 US state laws - many have their own unique requirements that neither GDPR nor CCPA fully cover.
Cybersecurity professionals building free privacy tools for the 2026 compliance landscape.