GDPR vs CCPA: Privacy Laws Explained
Disclosure: This article contains affiliate links. We may earn a commission at no extra cost to you.
Every time you visit a website, you're greeted by a cookie banner. Every app asks for permissions. Every service has a privacy policy longer than a novel. But do you actually know what rights you have over your personal data?
Two major privacy laws have reshaped how companies handle your data: the GDPR (Europe) and the CCPA/CPRA (California). Together, they've set the global standard for privacy rights—and understanding them can help you take control of your digital life.
This guide explains both laws in plain language, compares them side-by-side, and shows you exactly how to exercise your rights.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. For specific legal questions, consult a qualified attorney in your jurisdiction.
GDPR: The European Standard
The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. It's arguably the most comprehensive privacy law in the world and has influenced legislation globally.
Who Does GDPR Protect?
- All EU/EEA residents — regardless of citizenship
- Anyone whose data is processed by EU companies
- Anyone targeted by EU-based marketing
Crucially, GDPR applies to any company that processes data of EU residents—even if the company is based elsewhere. A US website targeting European customers must comply with GDPR.
Your Rights Under GDPR
| Right | What It Means |
|---|---|
| Right to Access | Request a copy of all personal data a company holds about you |
| Right to Rectification | Correct inaccurate or incomplete data |
| Right to Erasure | "Right to be forgotten" — request deletion of your data |
| Right to Restrict Processing | Limit how a company uses your data |
| Right to Data Portability | Receive your data in a machine-readable format to transfer elsewhere |
| Right to Object | Opt out of certain processing, including direct marketing |
| Rights Related to Automated Decision-Making | Not be subject to decisions based solely on automated processing (including profiling) |
GDPR Consent Requirements
Under GDPR, consent must be:
- Freely given — not coerced or bundled with other terms
- Specific — for a defined purpose
- Informed — clear explanation of what you're agreeing to
- Unambiguous — requires a clear affirmative action (no pre-checked boxes)
This is why European cookie banners require you to actively click "Accept" rather than just continuing to browse.
GDPR-Compliant Cookie Banner Example:
We use cookies to improve your experience. We use:
- Essential cookies (required for site functionality)
- Analytics cookies (help us understand usage)
- Marketing cookies (personalized ads)
GDPR Penalties
GDPR has teeth. Violations can result in fines up to:
- €20 million or 4% of global annual revenue (whichever is higher) for serious violations
- €10 million or 2% of global annual revenue for lesser violations
Major fines issued include:
- Amazon: €746 million (2021) — targeted advertising without consent
- Meta (Facebook): €1.2 billion (2023) — illegal data transfers to US
- Google: €90 million (2022) — cookie consent violations in France
CCPA/CPRA: California Leading the US
The California Consumer Privacy Act (CCPA) took effect January 1, 2020. It was strengthened by the California Privacy Rights Act (CPRA) in 2023, which added new rights and created a dedicated enforcement agency.
While California-specific, CCPA/CPRA has become the de facto US privacy standard. Many companies apply it nationwide rather than maintaining separate systems.
Who Does CCPA/CPRA Protect?
- California residents (consumers)
- Applies to businesses that:
  - Have gross revenue over $25 million, OR
  - Buy/sell data of 100,000+ consumers annually, OR
  - Derive 50%+ of revenue from selling personal information
Unlike GDPR, CCPA has business size thresholds. Small businesses may be exempt.
Your Rights Under CCPA/CPRA
| Right | What It Means |
|---|---|
| Right to Know | Request what personal information a business collects, uses, and shares |
| Right to Delete | Request deletion of your personal information |
| Right to Opt-Out | Opt out of the sale or sharing of your personal information |
| Right to Correct | Correct inaccurate personal information (added by CPRA) |
| Right to Limit Use of Sensitive Data | Restrict use of sensitive personal information (added by CPRA) |
| Right to Non-Discrimination | Cannot be penalized for exercising your privacy rights |
The "Do Not Sell" Requirement
CCPA introduced the famous "Do Not Sell My Personal Information" link requirement. Businesses that sell personal data must provide a clear opt-out mechanism.
CCPA-Style Privacy Notice:
We value your privacy. As a California resident, you have the right to:
- Know what personal information we collect
- Request deletion of your data
- Opt out of the sale of your information
Do Not Sell or Share My Personal Information | Limit Use of Sensitive Data
CCPA/CPRA Penalties
- $2,500 per unintentional violation
- $7,500 per intentional violation
- Private right of action for data breaches (consumers can sue directly)
The California Privacy Protection Agency (CPPA) now actively enforces these rules.
GDPR vs CCPA: Side-by-Side Comparison
| Aspect | GDPR (EU) | CCPA/CPRA (California) |
|---|---|---|
| Effective Date | May 25, 2018 | Jan 1, 2020 (CPRA: Jan 1, 2023) |
| Who's Protected | EU/EEA residents | California residents |
| Who Must Comply | Any organization processing EU data | Businesses meeting revenue/data thresholds |
| Consent Model | Opt-in (explicit consent required) | Opt-out (consent assumed until withdrawn) |
| Right to Access | Yes | Yes ("Right to Know") |
| Right to Delete | Yes | Yes |
| Right to Correct | Yes | Yes (added by CPRA) |
| Data Portability | Yes | Limited |
| Opt-Out of Sale | N/A (sale requires consent) | Yes (core feature) |
| Max Penalty | €20M or 4% global revenue | $7,500 per violation |
| Private Lawsuits | Limited | Yes (for breaches) |
| Enforcement Body | National Data Protection Authorities | California Privacy Protection Agency |
Key Difference: GDPR requires opt-in consent before collecting data. CCPA allows collection by default but gives you the right to opt out. This fundamental difference shapes how cookie banners and privacy notices look in Europe vs. the US.
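As an added example (not code from the article), here is a small JavaScript consent gate that encodes the consent requirements above together with this key difference: under GDPR a non-essential cookie is written only after an affirmed opt-in, so a pre-ticked box the user never touched is not enough, while under CCPA collection is permitted by default until the user opts out of sale or sharing. The regime labels, the in-memory cookie jar and the function names are assumptions made for the illustration.

```javascript
// Added example (not from the article): a consent gate that models the article's
// two consent regimes. Categories match the article's banner example.
const CATEGORIES = ["essential", "analytics", "marketing"];

// Initial state before any user interaction.
//  - "gdpr": opt-in, so non-essential categories start off.
//  - "ccpa": opt-out, so collection is allowed until the user opts out.
function defaultConsent(regime) {
  if (regime !== "gdpr" && regime !== "ccpa") throw new Error("unknown regime");
  const optIn = regime === "gdpr";
  return { regime, essential: true, analytics: !optIn, marketing: !optIn, affirmed: false };
}

// Record the user's explicit banner choice. Only a real click reaches this
// function, so `affirmed` becomes true; a pre-checked box that was never
// clicked never calls it and therefore stays unaffirmed.
function recordChoice(state, choices) {
  const next = { ...state, affirmed: true };
  for (const cat of CATEGORIES) {
    if (cat === "essential") continue;          // cannot be toggled by the user
    if (cat in choices) next[cat] = choices[cat] === true;
  }
  return next;
}

// Withdrawal of consent (GDPR) or a "Do Not Sell or Share" opt-out (CCPA) both
// switch every non-essential category off; the withdrawal itself is affirmative.
function withdrawAll(state) {
  return { ...state, analytics: false, marketing: false, affirmed: true };
}

// May a cookie in `category` be written? Under GDPR the category must be on AND
// the user must have affirmed the choice, which is what rules out pre-ticked
// boxes. Under CCPA the default-on state is sufficient until withdrawn.
function mayWrite(state, category) {
  if (!CATEGORIES.includes(category)) return false;
  if (category === "essential") return true;
  if (state.regime === "gdpr") return state.affirmed && state[category] === true;
  return state[category] === true;
}

// Write into a cookie jar (a Map standing in for document.cookie) only when allowed.
function setCookie(jar, state, category, name, value) {
  if (!mayWrite(state, category)) return false;
  jar.set(name, value);
  return true;
}
```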
Other Privacy Laws Around the World
GDPR and CCPA inspired privacy legislation globally:
| Law | Region | Effective | Key Features |
|---|---|---|---|
| UK GDPR | United Kingdom | 2021 | Post-Brexit version of EU GDPR, nearly identical |
| LGPD | Brazil | 2020 | GDPR-inspired, covers all Brazilian residents |
| POPIA | South Africa | 2021 | Comprehensive data protection, similar to GDPR |
| PDPA | Thailand | 2022 | GDPR-style consent requirements |
| PIPL | China | 2021 | Strict data localization, consent requirements |
| State Laws | Virginia, Colorado, Connecticut, Utah, etc. | 2023+ | CCPA-inspired state-level privacy laws |
The trend is clear: privacy regulation is expanding worldwide. Understanding GDPR and CCPA prepares you for most global privacy frameworks.
How to Exercise Your Rights
Knowing your rights is one thing. Actually using them is another. Here's how to make data requests under both laws.
Step 1: Find the Right Contact
Look for:
- Privacy policy — usually linked in website footer
- "Do Not Sell" link — required for CCPA
- Data Protection Officer (DPO) contact — required for GDPR
- Privacy settings — in your account dashboard
Step 2: Submit Your Request
Most companies have online forms. If not, use email. Here are templates:
GDPR Data Access Request Template
Subject: GDPR Data Subject Access Request

Dear Data Protection Officer,

Under Article 15 of the General Data Protection Regulation (GDPR), I am requesting access to all personal data you hold about me. Please provide:

1. Confirmation of whether you process my personal data
2. A copy of all personal data you hold about me
3. The purposes of processing
4. The categories of data concerned
5. Recipients to whom data has been disclosed
6. The retention period for my data
7. Information about the source of the data (if not collected from me)

My details for identification:
- Full name: [Your Name]
- Email address: [your.email@example.com]
- Account username (if applicable): [username]
- Additional identifiers: [any other relevant info]

Under GDPR Article 12, you must respond within one month.

Regards,
[Your Name]
GDPR Deletion Request Template
Subject: GDPR Right to Erasure Request

Dear Data Protection Officer,

Under Article 17 of the General Data Protection Regulation (GDPR), I am requesting the erasure of all personal data you hold about me. I am exercising this right because:

- [ ] The data is no longer necessary for its original purpose
- [ ] I withdraw my consent for processing
- [ ] I object to the processing under Article 21
- [ ] The data was unlawfully processed
- [ ] Other: [specify]

My details for identification:
- Full name: [Your Name]
- Email address: [your.email@example.com]
- Account username (if applicable): [username]

Please confirm deletion within one month as required by GDPR Article 12.

Regards,
[Your Name]
CCPA Data Request Template
Subject: CCPA Consumer Data Request

To Whom It May Concern,

As a California resident, I am exercising my rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). I request the following:

- [ ] Right to Know: Disclose all personal information collected about me
- [ ] Right to Delete: Delete all personal information you hold about me
- [ ] Right to Opt-Out: Do not sell or share my personal information
- [ ] Right to Correct: Correct inaccurate information (specify below)

My details for verification:
- Full name: [Your Name]
- Email address: [your.email@example.com]
- California residence: [City, CA ZIP]
- Account information: [if applicable]

Under CCPA, you must respond within 45 days.

Sincerely,
[Your Name]
Step 3: Follow Up
- GDPR: Companies must respond within 30 days (extendable to 90 for complex requests)
- CCPA: Companies must respond within 45 days (extendable to 90)
If they don't respond or deny your request without valid reason:
- GDPR: File a complaint with your national Data Protection Authority (e.g., Autoriteit Persoonsgegevens in the Netherlands)
- CCPA: File a complaint with the California Privacy Protection Agency
What This Means for Businesses
If you run a website or business, here's what you need to know:
GDPR Compliance Checklist
- Cookie consent banner with granular options (not just "Accept All")
- Privacy policy explaining data collection and processing
- Data Processing Agreements with all vendors
- Process for handling data requests within 30 days
- Data breach notification procedure (72-hour reporting)
- Data Protection Officer (if processing sensitive data at scale)
- Records of processing activities
CCPA Compliance Checklist
- "Do Not Sell My Personal Information" link on website
- Updated privacy policy with CCPA-required disclosures
- Two methods for submitting requests (e.g., web form + email)
- Verification process for consumer requests
- 45-day response process
- Employee training on handling privacy requests
- "Limit Use of Sensitive Data" link (CPRA requirement)
Real-World Example: In 2025, Dutch city employees uploaded thousands of personal files to ChatGPT—a clear GDPR violation with no data processing agreement. The incident demonstrates how easy it is to violate privacy laws through everyday AI tool usage.
Protecting Your Privacy Beyond the Law
Privacy laws give you rights, but exercising them is reactive. Here's how to be proactive:
1. Minimize Data Sharing
- Use fake/burner emails for non-essential services
- Don't provide optional information (phone numbers, birth dates)
- Review app permissions regularly
2. Use Privacy Tools
Recommended:
- VPN: NordVPN hides your IP address and encrypts your traffic
- IP Check: Verify your VPN at myip.foo
- Leak Tests: DNS Leak Test | WebRTC Leak Test
- Extensions: Privacy Browser Extensions
3. Regular Privacy Audits
- Review what accounts you have (and delete unused ones)
- Check privacy settings on social media
- Search your name/email on Have I Been Pwned
- Follow our Privacy Checklist 2026
Frequently Asked Questions
I'm not in Europe or California. Do these laws protect me?
Possibly. If a European or Californian company processes your data, you might benefit from their compliance practices. Additionally, many US states (Virginia, Colorado, Connecticut, etc.) have passed their own privacy laws. Check your local legislation.
Can a company refuse my data request?
Yes, but only for valid reasons. GDPR allows refusal if requests are "manifestly unfounded or excessive." CCPA allows refusal if they can't verify your identity. They must explain the reason and your right to appeal.
What if a company doesn't respond?
File a complaint with the relevant authority (Data Protection Authority for GDPR, CPPA for CCPA). These agencies have enforcement power and can investigate or fine non-compliant companies.
Do privacy laws apply to AI companies like OpenAI?
Yes. GDPR and CCPA apply to AI services that process personal data. This is why the Shadow AI phenomenon is such a legal risk—employees using free ChatGPT without data processing agreements can create GDPR violations for their employers.
What counts as "personal data"?
Any information that can identify you directly or indirectly: name, email, IP address, location data, cookies, device identifiers, biometrics, health data, financial information, and more. Even pseudonymous data (like a user ID) can be personal data if it can be linked back to you.
Conclusion
GDPR and CCPA have fundamentally changed how companies handle personal data. Whether you're in Europe, California, or elsewhere, understanding these laws empowers you to take control of your digital privacy.
Key takeaways:
- GDPR (EU) requires opt-in consent and provides comprehensive rights including access, deletion, and data portability
- CCPA/CPRA (California) focuses on opt-out rights and the ability to stop companies from selling your data
- Both laws give you the right to access and delete your personal data
- Companies face significant fines for non-compliance (up to 4% of global revenue under GDPR)
- Use the email templates above to exercise your rights
- Privacy regulation is expanding globally—more countries and US states are adopting similar laws
Don't just accept cookie banners and privacy policies at face value. You have rights. Use them.
Take Action:
- Check what data companies have on you using the templates above
- Protect your IP address with a VPN
- Test for leaks at myip.foo
- Follow our Privacy Checklist 2026
Your data. Your rights. Your control.
Sources: Official GDPR text (EUR-Lex), California Civil Code (CCPA/CPRA), European Data Protection Board guidelines, California Privacy Protection Agency.