The EU's General Data Protection Regulation (GDPR) took effect in May 2018. California's Consumer Privacy Act (CCPA) followed in January 2020, with the California Privacy Rights Act (CPRA) amending and strengthening it from 2023. Both are widely cited as landmark privacy legislation. Both generate compliance documents that companies paste together with boilerplate. And both give you real but limited rights that are worth understanding precisely — not in summary form.
The Foundational Difference: Opt-In vs Opt-Out
The most important structural difference between the two frameworks is their default posture toward data processing.
GDPR requires a legal basis for processing personal data. Before a company can collect and use your data for a given purpose, it must have one of several legal justifications: your explicit consent, a legitimate interest it can articulate and defend, performance of a contract with you, a legal obligation, vital interests, or a public task. Consent must be specific, informed, freely given, and withdrawable. Bundled consent buried in terms of service does not meet the standard. This is opt-in by default for processing that requires consent.
CCPA/CPRA is primarily opt-out. California businesses meeting certain thresholds can collect and sell your personal information unless you affirmatively request they stop. The "Do Not Sell or Share My Personal Information" link required on California-facing websites is the mechanism — you have to take action to exercise the right. The CPRA added an opt-in requirement for the sale of sensitive personal information and for minors under 16, but the general framework remains opt-out.
The practical consequence: under GDPR, a company that lacks a valid legal basis for processing is already in violation before you object. Under CCPA, the same company is in compliance until you exercise your opt-out right — and only then must it stop selling (not stop collecting) your data.
Rights Side by Side
| Right | GDPR (EU) | CCPA/CPRA (California) |
|---|---|---|
| Right to know | What data is held, for what purpose, for how long | What categories of data are collected and shared, and with whom |
| Right to access | Full copy of your personal data, within 30 days | Copy of specific personal information collected, within 45 days |
| Right to erasure | Delete data in most circumstances; exceptions for legal obligation, public interest, defense of legal claims | Delete personal information; exceptions are broader (business's operational use, security purposes, completing a transaction) |
| Right to portability | Receive data in a structured, machine-readable format and transfer to another controller | Receive data in a portable format; no explicit transfer-to-another-provider right |
| Right to object / opt out | Object to processing based on legitimate interests; absolute right to object to direct marketing | Opt out of sale or sharing of personal information; opt out of automated decision-making (CPRA) |
| Right to correction | Correct inaccurate data | Correct inaccurate personal information (CPRA addition) |
| Non-discrimination | Implicit in general anti-discrimination provisions | Explicit: cannot be denied service or charged more for exercising CCPA rights |
Who Is Actually Covered
GDPR applies to any organization, anywhere in the world, that processes personal data of people in the EU — regardless of where the organization is based. A US startup with no EU office but with EU customers must comply if it monitors EU residents' behavior or offers goods or services to them. This extraterritorial reach is one of GDPR's most significant features.
CCPA/CPRA applies to for-profit businesses that collect California residents' personal information and meet at least one of these thresholds: annual gross revenues over $25 million; annually buy, receive, sell, or share personal information of 100,000 or more consumers/households (CPRA raised this from the original 50,000); or derive 50% or more of annual revenues from selling or sharing consumers' personal information. Small businesses with California customers can fall outside the law entirely.
CCPA explicitly exempts non-profit organizations. GDPR applies to non-profits that process member or beneficiary data. If a non-profit data broker is selling information about you, CCPA doesn't reach it in California — a significant gap given how the data broker ecosystem operates.
Enforcement: Where Theory Meets Reality
GDPR enforcement is handled by national Data Protection Authorities (DPAs) in each EU member state, with cross-border cases coordinated through the Irish DPA for most US tech companies (since many have their EU headquarters in Ireland). Penalties can reach €20 million or 4% of global annual turnover, whichever is higher. Several major fines have been issued: Meta Ireland has received multi-hundred-million-euro fines; Amazon Luxembourg received a €746 million fine from Luxembourg's CNPD. These are real penalties, though legal appeals sometimes reduce or delay them.
CCPA enforcement is handled by the California Privacy Protection Agency (CPPA), created by CPRA, and the California Attorney General. Penalties are $2,500 per unintentional violation and $7,500 per intentional violation. A private right of action is available — but only for data breaches involving specific categories of information, not for general CCPA violations. This means consumers cannot individually sue for most CCPA violations; enforcement depends on the CPPA or AG acting. In practice, enforcement has been slower than under GDPR and has focused on the more egregious violations.
What Neither Law Covers
Both laws contain significant carve-outs that are easy to miss in summary descriptions:
- Law enforcement and national security: GDPR Article 23 allows member states to restrict rights for "national security, public security, criminal offences" and related purposes. CCPA/CPRA has similar law-enforcement exemptions. Neither law protects your data from intelligence agencies operating under national security authorities. The FISA Section 702 regime in the US, for instance, operates entirely outside CCPA's reach.
- Employee data (CCPA): CPRA extended CCPA protections to employee and B2B data, but with significant limitations compared to consumer protections.
- Publicly available information: CCPA excludes "publicly available information" from the definition of personal information — a definition data brokers have argued broadly.
- Data already collected: erasure requests must be honored going forward, but companies may retain data if they have a permissible retention reason, and what you can compel them to erase is narrower than most people expect.
How to Actually Exercise Your Rights
For GDPR rights: submit a data subject access request (DSAR) to any organization you believe holds your data. Organizations must respond within 30 days. You can escalate to the relevant national DPA if the response is inadequate. Tools like Privacy Bee and services from DPA offices in some countries can help automate this.
For CCPA rights: look for the "Do Not Sell or Share" link in the footer of California-facing websites (required if the business is covered). Deletion requests go through the same channel — a web form, email address, or toll-free number that covered businesses must provide. Businesses have 45 days to respond, with a possible 45-day extension.
Combining data rights requests with reducing your exposure at the source — using services that don't collect more than they need, using email aliases to compartmentalize your identity, and using privacy-preserving communication tools — produces better outcomes than legal rights alone. The law gives you remedies after the fact; good tool choices reduce what needs to be remedied in the first place.
The Honest Summary
GDPR is the stronger framework: consent-forward defaults, broader coverage, higher penalties, and more established enforcement practice. CCPA/CPRA is meaningful but structurally weaker — opt-out rather than opt-in, narrower enforcement, and with more carve-outs. For users in neither jurisdiction, neither law applies directly, though many large companies extend some GDPR-aligned controls globally for operational simplicity.
Neither law protects you from surveillance conducted under national security authorities, from data that's already been shared by the time you invoke your rights, or from the collective action problem of a data ecosystem where data about you exists across hundreds of companies simultaneously. They are useful tools in a larger privacy strategy — not substitutes for one.