CCPA vs GDPR: Key Differences for Multinational Companies

Last reviewed: April 29, 2026

Key Takeaways
  • GDPR applies extraterritorially to any organization processing EU resident data; CPRA applies only to for-profit entities meeting revenue or data volume thresholds and collecting California resident data.
  • GDPR requires documented lawful bases (Art. 6) before processing; CPRA operates on a permission model with opt-out rights for sale/sharing and opt-in for sensitive data.
  • GDPR grants six individual rights including data portability and erasure (Art. 17, 20); CPRA adds a "right to correct" but is narrower on data portability and automated decision-making rights.
  • GDPR fines reach 4% of global revenue; CPRA caps statutory damages at $750 per consumer per incident, creating materially different financial risk profiles.
  • Design your global privacy program to GDPR standards as the floor; layer CPRA-specific mechanisms (opt-out infrastructure, sensitive data consent flows) for US operations.

If your organization collects personal data from both California residents and EU citizens, you're navigating two of the world's most comprehensive privacy regimes. While the California Privacy Rights Act (CPRA, which amends the CCPA) and the General Data Protection Regulation (GDPR) share a common goal—protecting individual privacy rights—their implementation differs significantly. Understanding these distinctions is essential for designing compliant global data governance programs without over-engineering or under-protecting.

Scope: Where Each Law Applies

The GDPR applies to any organization processing personal data of EU residents, regardless of where the organization is located (GDPR Art. 3). This extraterritorial reach is broad: even a California company with no EU office must comply if it processes data of EU subjects. The CPRA takes a narrower approach, applying only to for-profit businesses that collect personal information of California residents and meet specific thresholds: annual gross revenues exceeding $25 million, buying/selling personal data of 100,000+ residents, or deriving 50%+ of revenue from selling consumer data.

Practically, this means a mid-size SaaS company serving global clients may fall under GDPR but not CPRA. Conversely, a data broker operating nationwide but headquartered outside California still triggers CPRA obligations if it meets the revenue or data volume thresholds. Audit your customer base and revenue streams early to determine applicability.

Rights Granted to Individuals

Both regimes grant consumers access, deletion, and correction rights, but with important variations. Under GDPR Art. 17 (Right to Erasure), individuals can request deletion in broad circumstances, including when data is no longer necessary for its original purpose or when consent is withdrawn. The CPRA mirrors this but adds a "right to correct" inaccurate personal information—a right explicitly codified in CPRA § 1798.100(d).

However, GDPR includes additional rights absent from the CPRA: the right to restrict processing (GDPR Art. 18), the right to object to automated decision-making (GDPR Art. 22), and importantly, the right to data portability (GDPR Art. 20). The data portability right requires you to provide personal data in a structured, commonly used format—creating significant technical obligations. The CPRA includes a similar portability requirement but frames it more narrowly.

For compliance teams: GDPR rights are generally more expansive and frequently more costly to operationalize. If you're building a single global rights management system, plan for GDPR requirements as your floor.

Legal Basis for Processing

GDPR Article 6 establishes six lawful bases for processing: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Organizations must identify and document at least one basis before processing begins. This "lawful basis" framework is fundamental—without it, processing is unlawful regardless of technical safeguards.

The CPRA uses a different model. It doesn't require a pre-identified legal basis. Instead, it grants consumers opt-out rights for "sale" and "sharing" of data and requires opt-in consent for processing sensitive personal information. This creates a permission-based rather than basis-based system. In practice, GDPR demands you justify why you're processing data; CPRA focuses on what you do with it post-collection.

This difference affects consent management. GDPR typically requires explicit, freely given, informed consent (GDPR Art. 7) before processing. The CPRA allows processing under a valid business purpose and only requires opt-out mechanisms for sale/sharing (with opt-in for sensitive data). Your consent banners, privacy notices, and processing justifications must reflect these distinct frameworks.

Data Protection by Design and Accountability

Both frameworks emphasize proactive compliance. GDPR mandates data protection by design and default (GDPR Art. 25) and requires organizations to maintain detailed processing records (Data Protection Impact Assessments and Records of Processing Activities). Non-compliance can result in fines up to €20 million or 4% of global revenue, whichever is higher.

The CPRA requires similar privacy assessments and includes a "right to know" and "right to delete" that necessitate transparent data handling. However, CPRA penalties max out at statutory damages of $100-$750 per consumer per incident or actual damages, plus civil penalties up to $7,500 per violation. In absolute terms, GDPR carries significantly higher financial exposure.

Cross-Border Data Transfers

A critical divergence: GDPR heavily restricts transferring EU personal data outside the EU/EEA without specific safeguards. The Schrems II ruling eliminated the Privacy Shield framework, leaving Standard Contractual Clauses and Binding Corporate Rules as primary mechanisms. This creates substantial friction for multinational operations.

The CPRA doesn't restrict transfers per se but requires disclosure of recipients in your privacy notice. The practical burden is lower, though not insignificant.

Strategic Recommendations

Build your compliance program around GDPR's stricter requirements. Implement lawful basis documentation, data protection impact assessments, and robust consent mechanisms globally. Map your data flows, classify personal data by sensitivity, and document all processing activities. Use Standard Contractual Clauses for EU data transferred to the US. Finally, designate a data protection officer or assign clear accountability for privacy compliance.

Treat the CPRA as an additional overlay addressing California-specific rights and sensitive data categories. Your GDPR-compliant program will largely satisfy CPRA obligations, with enhancements for opt-out mechanisms and sensitive data consent.