CCPA vs GDPR: Key Differences Every Business Must Understand in 2026

If your website has visitors from both Europe and California, you need to comply with two different privacy frameworks: GDPR and CCPA (now CPRA). They share the same goal — protecting personal data — but differ fundamentally in approach, scope, and requirements. Understanding these differences is critical for configuring your consent management correctly.

The Core Philosophical Difference

  • GDPR: Opt-in model — you cannot collect data until the user actively consents
  • CCPA/CPRA: Opt-out model — you can collect data by default but must allow users to opt out of sale/sharing

Key Differences

1. Consent Model

GDPR requires affirmative opt-in before any non-essential data collection. CCPA allows collection by default but requires a visible "Do Not Sell or Share My Personal Information" link.

2. Who Is Protected

GDPR protects all individuals in the EU/EEA regardless of citizenship. CCPA protects California residents specifically.

3. What Triggers Compliance

GDPR applies if you process data of EU residents, with no revenue threshold. CCPA applies to businesses with $25M+ in revenue, data on 100K+ consumers, or 50%+ of revenue from data sales.

4. Fines

GDPR: Up to €20M or 4% of global turnover. CCPA: $2,500 per unintentional violation, $7,500 per intentional violation, plus a private right of action for data breaches.

5. Data Subject Rights

Both provide access, deletion, and portability rights. GDPR adds the right to rectification and the right to restrict processing. CCPA adds the right to know what categories of data are sold.

How Your CMP Must Handle Both

FlexyConsent

  • Automatic geo-detection — correct framework per visitor
  • GDPR opt-in + CCPA opt-out in one platform
  • Google Consent Mode V2 + IAB TCF 2.3
  • 43+ languages
  • From €0/month

FlexyConsent — GDPR + CCPA compliance from a single CMP.
