GDPR vs CCPA/CPRA: European vs Californian privacy compared
GDPR covers personal data of EU residents with consent-centric, rights-extensive obligations. CCPA/CPRA covers California residents with opt-out-centric, business-focused rules. Overlap: ~50%. Different legal philosophies. SaaS selling to both typically builds GDPR-level posture and layers CCPA specifics on top.
Side-by-side
| Dimension | GDPR | CCPA/CPRA |
|---|---|---|
| Jurisdiction | EU residents (extraterritorial: applies to organizations worldwide) | California residents (applies to businesses worldwide that meet the thresholds) |
| Entity threshold | All data controllers/processors of EU personal data | Businesses: $25M+ revenue OR process 100k+ CA residents' data OR 50%+ revenue from selling CA data |
| Legal basis for processing | 6 bases (consent, contract, legal obligation, vital interest, public task, legitimate interest) | No ex-ante legal basis required — notice + opt-out model |
| Data subject rights | 8 rights (access, rectify, erasure, restrict, portability, object, no automated decision-making, withdraw consent) | 5 rights (know, delete, correct, opt-out of sale/sharing, limit sensitive data use) |
| Penalties | Higher of €20M or 4% global turnover | $7,500 per intentional violation, $2,500 per unintentional; $100-750 per consumer in private lawsuits for breach |
| Private right of action | Limited (through supervisory authority) | Data-breach-specific private right of action |
| Enforcement | National DPAs (BfDI, LfDI in DE) + EDPB | CA Attorney General + CA Privacy Protection Agency |
| International transfer | Restricted; requires safeguards (SCCs, DPF) | Generally permitted with notice |
| Children's data | Art. 8 GDPR; special protections for children's data | CCPA specifics for under-16s (opt-in required before sale) |
| DPIA / risk assessment | Mandatory for high-risk processing | Risk assessment requirements under CPRA |
When to choose which
GDPR
Your business processes EU personal data. GDPR applies; no alternative.
CCPA/CPRA
Your business processes California residents' data and meets thresholds. CCPA/CPRA applies.
Both
Global SaaS almost always needs both. Philosophy: build GDPR-level posture first (more rigorous), then layer CCPA specifics (sell/share definitions, private right of action for breaches, specific opt-out mechanisms).
The overlap
~50% — both regulate personal data, give individuals rights, require notices, and impose penalties. The core 'data subject rights' concept appears in both but with different scope. The philosophical difference: GDPR is consent + rights-first (opt-in philosophy); CCPA is notice + opt-out (business-first philosophy).
Key differences
- GDPR requires a legal basis for processing. CCPA requires notice and opt-out.
- GDPR applies to all organizations processing EU data. CCPA has size thresholds.
- GDPR fines are percentage-based and substantial (€20M/4%). CCPA fines are per-violation (lower individual amounts).
- CCPA has explicit private right of action for breaches. GDPR generally doesn't.
- GDPR has explicit international transfer restrictions. CCPA doesn't.
- GDPR requires DPIAs for high-risk processing. CPRA introduced risk assessments, but they are less prescriptive.
Frequently asked questions
If my SaaS is GDPR-compliant, is it automatically CCPA-compliant?
Close, but not automatic. Add: an explicit CCPA-compliant privacy notice, opt-out mechanisms for sale/share, a 'Do Not Sell or Share My Personal Information' link, and CCPA-specific sensitive data handling. About 70% of the work is already done. The gap is the CCPA-specific requirements around opt-out rights and notice language.
Does CCPA apply to European SaaS with California users?
Yes, if you meet the thresholds ($25M revenue OR 100k CA residents' data OR 50%+ revenue from CA data). European SaaS typically satisfies the threshold via user count. It requires California-specific notice language and opt-out mechanisms.
Can I just use my GDPR notice for CCPA?
Not fully. GDPR notice language doesn't meet CCPA's specific requirements — CCPA demands an explicit 'Do Not Sell or Share My Personal Information' link, specific category disclosures, and opt-out mechanics. In practice: extend your GDPR privacy policy with California-specific sections.