CCPA vs GDPR: Key Differences for US Businesses
GDPR Compliance Does Not Equal CCPA Compliance
Many US businesses that have already implemented GDPR compliance assume they are also compliant with CCPA and other US state privacy laws. While there is significant overlap, critical differences exist that can expose your business to enforcement actions.
Key Differences
Consent Model
GDPR requires opt-in consent before most data processing. CCPA follows an opt-out model — businesses can collect and process data by default, but must allow consumers to opt out of sale/sharing. This fundamental difference affects your entire consent architecture.
Scope of "Personal Information"
CCPA defines personal information more broadly than GDPR in some ways. For example, CCPA explicitly covers household-level data and inferences drawn from other data points. On the other hand, GDPR has stricter rules around "special categories" of data.
Right to Delete vs Right to Erasure
While both laws grant deletion rights, CCPA provides more exceptions allowing businesses to retain data (e.g., for completing transactions, detecting security incidents, complying with legal obligations).
Private Right of Action
CCPA grants consumers a private right of action for data breaches — they can sue directly. GDPR relies primarily on data protection authorities for enforcement, though individuals can also bring claims.
What GDPR-Compliant Businesses Still Need to Do
- Add a "Do Not Sell or Share My Personal Information" link if you share data with third parties
- Detect and honor the Global Privacy Control (GPC) signal
- Update your privacy policy to include CCPA-specific disclosures
- Ensure your data subject request process meets CCPA response timelines (45 days under CCPA vs 30 days under GDPR)
- Review whether your business meets CCPA-specific thresholds
Use our privacy law calculator to check which US state laws apply to your business alongside your GDPR obligations.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.