The four real differences
| Dimension | GDPR (EU/UK) | CCPA / CPRA (California) |
|---|---|---|
| Consent model | Opt-in — ask before tracking | Opt-out — track by default, allow refusal |
| Who it covers | All EU/UK residents | California residents only |
| Who it applies to | Any business serving EU users | Businesses with $25M+ revenue or 100k+ CA records |
| Max fine | €20M or 4% of global revenue | $7,500 per intentional violation |
| Personal data definition | Very broad — includes IP, cookie IDs | Broad — includes inferences and household data |
| Right to be forgotten | Yes (full erasure) | Yes (with more exceptions) |
| Visible banner element | Consent banner with Accept/Reject | "Do Not Sell My Personal Information" link in footer |
1. The consent model is the biggest difference
This is the one most websites get wrong when expanding from US-only to international audiences. Under GDPR, tracking is off by default; the user must affirmatively click "Accept" before non-essential cookies fire. Under CCPA, tracking is on by default; the user has the right to opt out after the fact via the "Do Not Sell" link.
This means a US site adding EU traffic needs to invert its default behaviour for EU visitors — which is why geo-targeting in your consent tool matters.
2. Who actually has to comply
GDPR applies to any business — regardless of size or location — that processes data of EU residents. There is no revenue threshold. A solo freelancer with a contact form and a single German subscriber falls under GDPR.
CCPA only applies to businesses that meet at least one of these thresholds:
- Annual gross revenue over $25 million, OR
- Buys, sells, or shares the personal information of 100,000+ California consumers/households per year, OR
- Derives 50%+ of annual revenue from selling/sharing California consumers' personal information
If you're a small business under all three thresholds, CCPA technically doesn't apply to you. But the other state laws (Virginia, Colorado, Connecticut, etc.) have lower thresholds, and the moment you do hit one of CCPA's thresholds, you need the infrastructure to flip on.
3. Fines and enforcement
GDPR penalties are dramatically higher on paper — €20M or 4% of global turnover is the headline. But in practice, both regulators have shown a pattern of fines in the $10k–$500k range for small business violations.
One important difference: CCPA gives consumers a private right of action only for data breaches involving unencrypted personal information. GDPR does not give consumers direct private action, but EU regulators are far more active in opening investigations from complaints.
4. The visible compliance element
The most visible compliance element differs:
- GDPR — a consent banner with at least Accept and Reject buttons of equal weight, plus granular category controls
- CCPA — a "Do Not Sell or Share My Personal Information" link in the website footer, plus a Privacy Choices page
Both regulations also require a privacy policy that meets their specific disclosure requirements.
The dual-stack solution
The fastest way to comply with both GDPR and CCPA is a consent management platform that detects visitor location and switches behaviour automatically. We tested five tools and ranked them in our 2026 cookie consent comparison. The short list for sites with EU + California traffic:
- CookieYes — best for most sites, free tier covers both regulations
- iubenda — best if you also need privacy policy generation
- Termly — best free tier for US-focused small business
One banner, dual compliance — CookieYes
Auto-detects visitor location and switches between GDPR opt-in mode and CCPA opt-out mode. Free tier covers most small sites.
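To make the switching concrete, here is an added example of the logic sections 1 and 4 describe and the dual-stack paragraph above relies on: a region-aware consent gate that starts EU/UK visitors in opt-in mode (nothing non-essential fires until they accept) and California visitors in opt-out mode (tracking fires until they use the Do Not Sell link). It is illustration written for this article, not code from CookieYes, iubenda, Termly or any other tool. Everything in it is assumed rather than taken from the article: the region codes ("EU", "UK", "US-CA") are placeholders the caller would derive from a geo-IP lookup or CDN header, the category names are hypothetical, and the script inventory is constructed sample data.

```javascript
// Added example, not from the article or any consent tool it names.
// Assumptions (none from the article): the caller supplies a region code such as
// "EU", "UK" or "US-CA"; consent state is a plain object; category names are hypothetical.

const OPT_OUT_REGIONS = new Set(["US-CA"]);      // CCPA/CPRA: tracking on until the user opts out
const NON_ESSENTIAL = ["analytics", "marketing"]; // hypothetical gated categories; "essential" is never gated

// Default consent state for a visitor who has not made any choice yet.
function defaultConsent(region) {
  if (OPT_OUT_REGIONS.has(region)) {
    // Opt-out model: everything fires by default; "sale" tracks Do Not Sell/Share status.
    return { mode: "opt-out", region, analytics: true, marketing: true, sale: true, decided: false };
  }
  // Opt-in model for EU/UK. Unknown regions also land here: defaulting to the stricter
  // model is a design choice made in this example, not a legal conclusion from the article.
  return { mode: "opt-in", region, analytics: false, marketing: false, sale: false, decided: false };
}

// Apply a user's visible choice. Unknown choice types change nothing, so a UI bug
// can never widen consent by accident.
function applyChoice(state, choice) {
  const next = { ...state, decided: true };
  switch (choice.type) {
    case "accept-all":          // opt-in banner: Accept
      for (const c of NON_ESSENTIAL) next[c] = true;
      next.sale = true;
      return next;
    case "reject-all":          // opt-in banner: Reject (same weight as Accept)
      for (const c of NON_ESSENTIAL) next[c] = false;
      next.sale = false;
      return next;
    case "granular":            // opt-in banner: per-category toggles
      for (const c of NON_ESSENTIAL) next[c] = choice.categories[c] === true;
      next.sale = choice.categories.sale === true;
      return next;
    case "do-not-sell":         // opt-out footer link
      next.sale = false;
      next.marketing = false;   // simplification: treat ad tags as "sharing" and stop them too
      return next;
    default:
      return { ...state };      // unknown input: no change
  }
}

// May a script in this category run for this visitor right now?
function mayFire(state, category) {
  if (category === "essential") return true;
  if (!NON_ESSENTIAL.includes(category)) return false; // unknown category: fail closed
  return state[category] === true;
}

// Reduce a list of {src, category} tag descriptors to those allowed to load.
function gateScripts(state, scripts) {
  return scripts.filter((s) => mayFire(state, s.category));
}

// Which visible compliance element the page must render for this visitor.
function visibleElement(state) {
  if (state.mode === "opt-in") {
    return { kind: "banner", buttons: ["Accept", "Reject"], granular: true, show: !state.decided };
  }
  return { kind: "footer-link", text: "Do Not Sell or Share My Personal Information", show: true };
}

// Constructed sample tag inventory (placeholder hosts, not real services).
const SCRIPTS = [
  { src: "/js/session.js", category: "essential" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// Walk one EU visitor and one California visitor through the flow.
function demo() {
  const eu = defaultConsent("EU");
  const ca = defaultConsent("US-CA");
  return {
    euBeforeChoice: gateScripts(eu, SCRIPTS).map((s) => s.src),                          // essential only
    euAfterAccept: gateScripts(applyChoice(eu, { type: "accept-all" }), SCRIPTS).length, // 3
    caBeforeChoice: gateScripts(ca, SCRIPTS).length,                                     // 3
    caAfterDoNotSell: gateScripts(applyChoice(ca, { type: "do-not-sell" }), SCRIPTS).length, // 2
    euElement: visibleElement(eu).kind,                                                  // "banner"
    caElement: visibleElement(ca).kind,                                                  // "footer-link"
  };
}
```

The two design points worth copying into a real deployment are that the default is computed from region before any tag is emitted (so an EU visitor never sees a pixel fire while the banner is still up), and that every unrecognised input, whether an unknown region, category or choice type, resolves to the more restrictive outcome rather than the more permissive one.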
Other US state laws to watch in 2026
CCPA was the first comprehensive US state privacy law, but as of 2026 there are similar laws active in:
- Virginia — Consumer Data Protection Act (VCDPA)
- Colorado — Colorado Privacy Act (CPA)
- Connecticut — Connecticut Data Privacy Act (CTDPA)
- Utah — Utah Consumer Privacy Act (UCPA)
- Texas — Texas Data Privacy and Security Act (TDPSA)
- Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey — variations of the same opt-out + privacy policy model
The good news: most of these laws follow the CCPA opt-out + privacy policy model, so a CCPA-compliant setup gets you most of the way to compliance across all the others. The bad news: each has its own quirks (Colorado bans dark patterns explicitly, Texas adds children's data rules, Oregon requires deletion confirmation), so review your privacy policy if your user base spans many states.
Compliance priorities for a typical website
- Audit your traffic — open Google Analytics and check the Country and US State dimensions. Note the share of EU, UK, and California traffic.
- If you have any EU/UK traffic — install a GDPR-compliant cookie banner. This is the loudest, riskiest gap most sites have.
- If you hit CCPA thresholds or have a "Do Not Sell" obligation — add the footer link and Privacy Choices page.
- Publish or regenerate your privacy policy using a generator that covers both regulations.
- Document your data handling process — privacy@ email, 30-day SLA, internal log of requests.