If you collect or use individuals' personal information through your website, app, or service, you likely already know that it's essential to comply with applicable privacy laws. But what happens when you are subject to both the European Union's (EU) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)?
This article explains what the GDPR and the CCPA are, different scenarios where both laws can apply, and what to do in case of conflict.
- 1. What Is the GDPR?
- 2. What Is the CCPA?
- 3. What Happens When the GDPR and the CCPA Apply at the Same Time?
- 3.1. GDPR Consent and Right to Object Requirements vs. CCPA Opt Out and Data Use Limitation Requirements
- 3.2. GDPR vs. CCPA Privacy Policy Requirements
- 3.3. CCPA vs. GDPR Personal Information Definitions
- 3.4. CCPA vs. GDPR Consumer Request Response Timeframe
- 3.5. GDPR Legal Basis Requirement vs. CCPA Data Processing Disclosure Requirement
- 4. Best Practices for Complying with Both the GDPR and the CCPA
- 5. Summary
What Is the GDPR?
The GDPR is the EU's main privacy law. It is designed to protect EU residents' personal data and sets rules for how applicable businesses must handle data. The GDPR defines personal data as information related to a data subject (an individual to whom personal data belongs) that can be used to identify the person.
Special care must be taken with sensitive personal data, which includes data about race, ethnicity, religious beliefs, and sexual orientation.
Article 4 of the GDPR explains that personal data includes names, ID numbers, and location data, among other information.
The GDPR applies to organizations that collect or process (use) EU residents' personal data and organizations located outside of the EU that offer goods or services to EU residents or monitor EU residents' behavior.
The GDPR gives EU residents the following rights:
- The right to be informed about how their data is used
- The right to correct inaccurate data
- The right to access their data
- The right to delete their data
- The right to limit how their data is processed
- The right to data portability
- The right to object to using their data for marketing purposes
- The right to not be subject to automated decision-making processes
Businesses must take steps to comply with the GDPR, including honoring data subjects' privacy rights, choosing a lawful basis for data processing, keeping the data they collect secure, and maintaining a Privacy Policy.
Article 13 of the GDPR lists the types of information a data controller (the person who makes decisions about how and why to process personal data) must provide data subjects at the point of data collection, including their identity and contact info and their reasons and legal basis for processing the data.
What Is the CCPA?
The CCPA protects California consumers' (residents) privacy rights and requires applicable businesses to take steps to safeguard consumers' personal information. The law defines personal information as any information that identifies, relates to, or could be linked to an individual or a household.
It can include names, email addresses, browsing history, and IP addresses. The CCPA also protects sensitive personal information, which includes data such as ID numbers, financial information, and race and ethnicity.
The CCPA applies to for-profit businesses that:
- Collect California consumers' personal information (or have their personal information collected on their behalf)
- Decide how and why to process personal information
- Do business in California
- Meet at least one of the CCPA's thresholds
The CCPA's thresholds are as follows:
- The business made at least $25.625 million in gross annual revenue (as of January 1, 2025) in the previous calendar year or
- The business buys, sells, or shares personal information belonging to at least 100,000 California residents or households or
- The business gets at least 50% of their annual revenue from selling or sharing California consumers' personal information
The CCPA (as amended by the 2020 privacy law, the California Privacy Rights Act–or CPRA) grants California residents the following rights:
- The right to know what personal information a business collects about them and how it is processed and shared
- The right to delete their personal information
- The right to opt out of the sale or sharing of their personal information
- The right to non-discrimination for exercising their privacy rights
- The right to correct personal information
- The right to limit the use and disclosure of their sensitive personal information
In order to comply with the CCPA, businesses must respect consumers' privacy rights, respond to consumer requests, and notify consumers about their privacy practices.
Section 3 (B) of CPRA lists the responsibilities of applicable businesses under the law, including informing California residents about their reasons for collecting and using personal information and how consumers can exercise their privacy rights.
What Happens When the GDPR and the CCPA Apply at the Same Time?
If both laws apply at the same time, you'll need to comply with both laws. However, this can get tricky in situations where the requirements of the two laws may seem to be at odds with one another.
While the GDPR and the CCPA are not inherently incompatible, the laws have a few different requirements that businesses that cater to both EU and California users need to comply with.
Let's look at some scenarios where the two laws' requirements differ and how to handle them.
GDPR Consent and Right to Object Requirements vs. CCPA Opt Out and Data Use Limitation Requirements
The GDPR requires businesses that rely on consent as their legal basis to get consent from data subjects before:
- Collecting or processing their personal data
- Processing data for marketing purposes
Processing special category data (such as health data or information about religious beliefs or race) - Using non-essential cookies
Additionally, businesses must provide an easy way for users to withdraw their consent.
Article 4 of the GDPR explains that consent must be freely given, specific, informed, and unambiguous. Consent cannot be passive (such as consent obtained through a pre-ticked checkbox); data subjects must take affirmative action to signal their consent to have their personal data processed.
Businesses that process personal data under other legal bases-such as legitimate interests-typically must provide a way for users to opt out of certain types of data processing, including when the processing is for marketing purposes.
Article 21 of the GDPR covers data subjects' right to object to the processing of their personal data, including for direct marketing purposes.
In comparison, the CCPA typically only requires consent if a business intends to sell or share data belonging to minors or if a business wants to enter a consumer into a financial incentive program. However, businesses must provide a way for consumers to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information.
Section 1798.120 of CPRA explains that businesses must provide a way for consumers to opt out of the sale or sharing of their personal information and get consent from minors before selling or sharing their data.
So what do you do to manage consent or enable users from the EU to object to the processing of their data while also giving California consumers a way to control how their personal information is processed?
One way to handle this issue is to set up a Privacy Preference Center where users can provide or withdraw consent for various data processing activities, object to the processing of their personal data, opt out of the sale or sharing of their data, or limit the processing of their sensitive personal information.
For instance, P&G's Privacy Preference Center provides privacy choices based on the user's country. With the US version, users can submit requests to limit the use of their sensitive personal information, access, erase, or correct their data, unsubscribe from marketing content, or request a portable copy of their data.
If a P&G user changes their country to an EU member country such as Ireland, they are presented with a cookie banner that includes links to a list of its partners that use cookies, its Privacy Policy, and its Cookie Consent Tool. Users can click a button to accept or reject all cookies or adjust their preferences.
Once they have signaled their decisions via the cookie banner, users can make privacy choices that correspond with the GDPR's requirements, including requesting to stop receiving targeted advertising and communications.
Similarly, AT&T's Privacy Center helps the company comply with both the CCPA and the GDPR by providing users with its Privacy Notice and methods for submitting requests to not sell or share their information, to control their sensitive personal information, and to access, delete, port, or correct their data. It includes a cookie consent banner that explains why it uses cookies and contains options for managing cookie preferences, opting out of cookies, or accepting cookies.
You can also use a Consent Management Platform (CMP) that provides region-based privacy options on your website.
For instance, TermsFeed is a CMP that automatically detects users' geographic locations and provides preset consent banners where users can manage their data preferences.
Another option for larger companies is establishing region-specific websites that provide privacy dashboards tailored to the user's individual country.
Amazon's US Your Ads Privacy Choices page explains that certain US privacy laws give users the right to opt out of targeted advertising based on their behavior across multiple websites and apps that are owned by different companies. Users can choose to allow or opt out of cross-context behavioral ads. It includes links to information about users' privacy rights and interest-based ads.
Amazon's United Kingdom (UK) Advertising Privacy and Preferences page gives users the option to consent to see or opt out of being shown interest-based ads. Additionally, a pop-up box at the bottom of the page explains its use of cookies and provides links to its Cookie notice, a list of the third parties that use cookies on its service, its Cookie preferences page, and its Privacy notice.
GDPR vs. CCPA Privacy Policy Requirements
The GDPR and the CCPA require businesses to include similar information within their Privacy Policies, but there are a few differences between the two.
Both the GDPR and the CCPA require Privacy Policies to contain the following information:
- The types of personal information the business collects
- The business's reasons for collecting and processing personal information
- A list of individuals' privacy rights and how they can exercise them
- The categories of third parties the business shares individuals' data with
- How long the business intends to retain data
A GDPR-compliant Privacy Policy must also contain the following clauses:
- The business's legal basis for processing data subjects' personal data
- The identify and contact information of the data controller, its representative, and its Data Protection Officer (DPO)
- Information about whether personal data is transferred to a third country and how the data is kept safe
- Whether the sharing of personal data is part of a contractual requirement and what happens if the data isn't provided
- Whether an automated decision-making system exists and how it works
The CCPA also requires Privacy Policies to include information about:
- Whether the business sells or shares consumers' personal information
- The sources of the personal information the business collects
Both the GDPR and the CCPA require Privacy Policies to be clearly written, easily accessible, and regularly updated.
So how do you ensure your Privacy Policy complies with both laws?
One solution to this issue is to include region-specific sections within your Privacy Policy to make it easier for users to find relevant information based on their location.
The Walt Disney Company's Privacy Policy includes sections covering the privacy rights of residents of the US and the EU, among others.
Reebok's Privacy Policy contains supplemental information for California residents, including information about the types of personal information it collects.
Netflix's Privacy Statement contains region and service-specific clauses, including information about the types of personal information it collects, how it uses it, and who it shares it with, as well as privacy information specifically for US residents.
You can also maintain different Privacy Policies for different countries, as Warner Bros. Discovery does on its Privacy Center page.
CCPA vs. GDPR Personal Information Definitions
While the GDPR protects personal data belonging to individuals located in the EU, the CCPA applies to personal information belonging to California individuals and households.
So how do you keep track of the different types of personal information you collect and process?
Data mapping consists of identifying the types of data you collect and process, where it comes from, where it's stored, and how it travels. Accurately mapping your data helps you understand exactly what types of data you are handling and which laws apply to your processing activities.
Data mapping can help you identify personal information as defined by both laws and is an essential step in meeting privacy law requirements including the CCPA's notification requirement, the GDPR's transparency and record-keeping requirements, and both laws' privacy request response requirements.
Article 30 of the GDPR requires data controllers to maintain records of their data processing activities.
If you are a sole proprietor or have a smaller-scale business, you may be able to use a simple tool such as a spreadsheet to map your data. Larger organizations may want to use more robust data mapping software to map their data.
CCPA vs. GDPR Consumer Request Response Timeframe
The CCPA requires applicable businesses to respond to consumer requests to access, modify, or delete their personal information within 45 days of receipt of a request, while the GDPR requires organizations to respond to data subject requests within one month.
The time you have to respond to individuals' requests concerning their personal information can be extended by an additional 45 days under the CCPA, or an additional two months under the GDPR.
Section 1798.130 (2) (A) of CPRA explains that businesses have 45 days to respond to consumer requests regarding their personal information.
Similarly, Article 12 of the GDPR gives data controllers one month to respond to consumer requests.
Implementing a system for responding to consumer requests that is region-sensitive and responding to requests without delay can help you comply with both laws' consumer request response time requirements. Responding to privacy requests within one month can help ensure compliance with both the CCPA and the GDPR.
GDPR Legal Basis Requirement vs. CCPA Data Processing Disclosure Requirement
The GDPR requires applicable organizations to have a legal basis for processing personal data.
If you are required to comply with the GDPR, you must satisfy at least one of the following six lawful bases:
- Consent. The data subject agrees to let you process their personal data for a specific purpose.
- Contract. You must process personal data to fulfill a contract with or contract-related requests from a data subject.
- Legal obligation. A law requires you to process personal data.
- Vital interests. The data processing is necessary to protect someone's life.
- Public interest. You need to process personal data to execute a task in the public interest or to exercise official authority.
- Legitimate interests. The data processing is necessary to fulfill your legitimate interests (or those of a third party)–as long as the data subject's rights and freedoms don't override your legitimate interests.
The CCPA has no such requirement, but it does require businesses to disclose their reasons for processing personal information, not use the data they collect for any non-disclosed purpose, and let consumers know whether they intend to sell or share the data.
Section 1798.100 of the CCPA explains that businesses must inform consumers at the point of data collection about the types of personal information they intend to collect, their reasons for collecting or processing personal information, and whether they sell or share consumers' data.
You can comply with both laws by taking the following steps:
- Identify a legal basis for each data processing activity.
- Ensure that you can justify your legal basis (or bases) and be sure to document them.
- Implement methods for responding to individuals' requests concerning their data that align with your legal basis (for instance, providing a way for users to withdraw consent or object to the data processing).
- Include a clause within your Privacy Policy that informs users about your lawful basis and any other reasons for processing their data and make sure your Privacy Policy is accessible to users at the point of data collection.
- Let users know whether you intend to sell or share their personal information, and provide them with a way to opt out.
- Only process data in accordance with your disclosed legal basis (for EU residents) or other disclosed reasons (for California consumers).
ZSL's Privacy Policy explains that its legal bases for processing personal data include legitimate interest, contract, and consent.
Before users can make a purchase through the ZSL Shop, they must create an account. ZSL includes a link to its Privacy Policy on the account sign-up page to ensure that users have access to its privacy information at the point of data collection.
ZSL's Privacy Policy explains that it does not sell data and details the circumstances in which it may share users' personal information.
Best Practices for Complying with Both the GDPR and the CCPA
We've already discussed how to comply with the the GDPR and the CCPA by:
- Maintaining a Privacy Preference Center
- Using a CMP that detects users' locations
- Providing different websites for users from different locations
- Keeping a clearly written, regularly updated, and easily accessible Privacy Policy that includes required clauses from both laws
- Mapping data
- Responding to consumer requests in a timely manner
- Having and disclosing a legal basis for processing EU users' data
- Disclosing any other reasons for processing California consumers' data
- Providing a way for California residents to opt out of the sale or sharing of their data
Other steps you may consider to comply with the GDPR and the CCPA include:
- Training staff on how to handle data in accordance with applicable privacy laws
- Maintaining accurate records
- Ensuring third parties comply with both laws
- Limiting data collection and retention to what is necessary to fulfill your purposes
- Setting up your websites or apps so that they detect and honor privacy preference signals such as the GPC
Summary
The GDPR is the EU's primary privacy law. It gives EU residents rights concerning their personal data and requires applicable organizations to take steps to honor those rights.
The CCPA is California's main privacy law. It protects California residents' personal information and requires certain businesses that meet its criteria to comply with the law.
When both the GDPR and the CCPA apply to you, you need to take steps to ensure you are complying with both laws.
If you process personal data under the GDPR's legal basis of consent or legitimate interest and are required to comply with the CCPA's opt-out requirements, you can:
- Maintain a Privacy Preference center where users can provide or withdraw consent or object to data processing and opt out of the sale or sharing of their data or limit the use of their sensitive personal information
- Honor GPC signals
- Use a CMP that provides region-specific consent banners
- Operate different websites for people located in different countries
The GDPR and the CCPA have slightly different requirements as far as Privacy Policies go, but you can comply with both laws by maintaining a clearly written, easily accessible, and regularly updated Privacy Policy that contains the following clauses:
- The types of personal information you collect
- Your reasons for collecting and processing personal information
- A list of individuals' privacy rights and how they can exercise them
- The types of third parties you share personal data with
- Your retention policy
- Your lawful basis for processing personal data
- Your identity and contact information, as well as the contact info of your representative and your DPO
- Whether you transfer personal data to a third country and how you keep the data secure
- Whether you share personal information as part of a contractual requirement and what happens if a data subject chooses to not share their data
- Whether you rely on an automated decision-making system and how it works
- Whether you sell or share consumers' personal information
- The sources for the personal information you collect
You can break this information up into region-specific sections to make pertinent information easier for users to find, or establish different Privacy Policies for users from different countries.
Mapping your data can help you identify the types of data you collect, data sources, and how and where data is moved. Data mapping can help you comply with the CCPA's notification requirement, the GDPR's transparency and record-keeping requirements, and both laws' privacy request requirements.
Responding to consumer requests concerning their personal data within one month can help you comply with both the GDPR and the CCPA's consumer request response time requirements.
Identifying a legal basis for processing EU data subjects' personal data and disclosing that basis–along with any other reasons for processing California residents' personal information–and not processing data for purposes beyond those disclosed can help you comply with both the GDPR and the CCPA.
Additional best practices for complying with privacy laws include:
- Training staff
- Maintaining records
- Limiting data collection and retention
- Only working with third parties that comply with both the CCPA and the GDPR
- Ensuring that your websites and apps can detect and respond to privacy preference signals
The first step to compliance: A Privacy Policy.
Stay compliant with our agreements, policies, and consent banners — everything you need, all in one place.