CCPA vs GDPR: How US and EU Privacy Laws Compare for Analytics
A clear comparison of CCPA and GDPR for data teams: scope, opt-out vs opt-in, consumer rights, penalties, international transfers and California's 2026 updates.

If your business serves customers in both California and Europe, you are subject to two of the most influential privacy laws in the world: the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). They share a goal — giving people control over their personal data — but they differ enough in scope, mechanics and penalties that treating them as interchangeable is a costly mistake.
This is part two of our US data privacy series. If you need the wider context first, start with Is There a US Data Privacy Act?. Here we compare CCPA and GDPR across the dimensions that matter most to data and analytics teams.
The two laws at a glance
The GDPR came into effect in 2018 and applies to any organisation that processes the personal data of individuals in the European Economic Area, regardless of where the company is based. It is built around data subjects, controllers and processors, and it requires a documented lawful basis for every processing activity.
The CCPA took effect in 2020 and applies to for-profit businesses that do business in California and meet certain thresholds — revenue, the volume of personal information handled, or revenue derived from selling personal information. It centres on consumer rights and transparency rather than enumerating lawful bases.

Scope and territorial reach
The single biggest difference is breadth. GDPR covers all organisations processing EEA residents' data, full stop. CCPA applies only to medium and large for-profit businesses meeting its thresholds, and exempts non-profits, government agencies and many smaller companies. In practice, some small businesses fall under neither law, some under only CCPA, and most global businesses under both — often requiring different data-handling pipelines for California, Europe and elsewhere.

Opt-out vs opt-in: the defining contrast
This distinction shapes everything about analytics:
- Under GDPR, you generally need explicit, informed opt-in consent before collecting data. No consent, no tracking. Analytics cookies almost always require active opt-in.
- Under CCPA, businesses can collect data by default as long as they provide a clear way to opt out of the sale or sharing of personal data.
For data teams, this means EU traffic typically yields less data unless users consent, while California traffic can be tracked by default — provided opt-out requests are honoured promptly. Failing to process opt-outs has led to real enforcement, including multi-million-dollar settlements.
Consumer rights compared
Both laws grant a right to access/know, a right to delete/erase, and a right to non-discrimination for exercising privacy rights. Beyond that, they diverge:
- Unique to CCPA: the right to opt out of the sale or sharing of personal data, the right to notice about collection practices, and the right to disclosure of specific information collected.
- Unique to GDPR: the right to rectification, the right to restrict processing, the right to data portability, and the right to withdraw consent at any time.
Penalties
The financial stakes differ sharply. GDPR fines can reach €20 million or 4% of global annual turnover, whichever is higher — the record being a €1.2 billion fine against a major platform in 2023. CCPA penalties are assessed per violation per affected consumer, which can still add up quickly across large user bases. The lesson for analytics professionals is the same on both sides of the Atlantic: non-compliance directly threatens budgets and operations.
A few more dimensions that matter
- Parental consent: CCPA requires consent for children under 13; GDPR sets the bar at 16 (member states may lower it to 13).
- International transfers: CCPA only requires that you inform consumers; GDPR demands genuine safeguards for transfers outside the EEA.
- Legal basis: GDPR enumerates six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests); CCPA focuses on rights and transparency instead.

California in 2026: a moving target
California keeps tightening the screws. The CPRA created the California Privacy Protection Agency (CPPA), which now issues regulations and enforces alongside the Attorney General. Recent updates add mandatory cybersecurity audits, risk assessments for higher-risk processing (effective January 2026), and new rules for Automated Decisionmaking Technology (ADMT) taking effect in 2027. Separately, the Delete Act introduced the Delete Request and Opt-Out Platform (DROP), letting residents send deletion requests to data brokers from a single place. Penalties now rise every odd year. In short, "CCPA compliance" is not a one-time project.
What this means for your data stack
Most global businesses cannot pick one regime and ignore the other. The pragmatic path is to design data collection that satisfies the stricter standard by default — opt-in consent, documented purposes, honoured deletion and opt-out requests, and clear records of processing. That is exactly the philosophy we explore in part three, Privacy by Design: Data Minimisation and Future-Proofing Your Analytics. Privacy-first analytics platforms such as Apivom Opus make it far easier to configure tracking that respects consent choices by region without losing the insights you need.
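One way to encode the "stricter standard by default" design above is a small region-aware consent gate in front of the analytics tracker. The code below is an added example, not from the original post or any vendor's SDK; the region codes "EEA" and "CA", the in-memory store, and the choice to keep an opt-out marker after a deletion request are assumptions for illustration.

```javascript
// Added example (not from the original post): a region-aware consent gate that
// applies the stricter standard by default. Region codes "EEA" and "CA" and the
// in-memory store are assumptions for illustration.

const OPT_IN = "opt-in";   // GDPR model: no consent, no tracking
const OPT_OUT = "opt-out"; // CCPA model: collect by default, honour opt-out

// Unknown or other regions fall back to opt-in, the stricter standard.
function regimeFor(region) {
  return region === "CA" ? OPT_OUT : OPT_IN;
}

function createConsentStore() {
  return { consents: new Map(), suppressed: new Set(), log: [] };
}

// Record an explicit choice together with the purposes it covers, so the
// store doubles as a record of processing.
function recordChoice(store, userId, region, choice, purposes = []) {
  const entry = { region, choice, purposes: new Set(purposes) };
  if (choice === "opt-out") store.suppressed.add(userId);
  if (choice === "grant" || choice === "withdraw") store.consents.set(userId, entry);
  store.log.push({ userId, region, choice, purposes: [...purposes] });
  return entry;
}

// Decide whether analytics may track this user for the given purpose.
function canTrack(store, userId, region, purpose) {
  if (store.suppressed.has(userId)) return false;        // an opt-out always wins
  if (regimeFor(region) === OPT_OUT) return true;        // CCPA: collect by default
  const c = store.consents.get(userId);                  // GDPR: need an active opt-in
  return Boolean(c && c.choice === "grant" && c.purposes.has(purpose));
}

// Honour a deletion request: drop the profile but keep the opt-out marker so a
// later visit is not silently tracked again (a design choice, not a legal rule).
function erase(store, userId) {
  const removed = store.consents.delete(userId);
  store.log.push({ userId, choice: "erase", purposes: [] });
  return { removed, stillSuppressed: store.suppressed.has(userId) };
}
```

Call `canTrack` before every analytics event; the `log` array is the audit trail of who consented, withdrew, opted out or was erased, and when.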
Not sure which rules apply to your traffic? Get in touch or revisit the start of the series on our blog.