If you have ever wondered why a website asks Europeans to accept cookies but quietly serves Americans a tiny link reading "Do Not Sell My Personal Information", you are looking at the philosophical gulf between two privacy regimes. The General Data Protection Regulation, in force across the European Union and the United Kingdom since 2018, treats data collection as something that must be justified. The California Consumer Privacy Act, in force since 2020 and sharpened by the CPRA amendments in 2023, treats it as something that must be disclosed.
Both laws are real. Both have teeth. Neither covers everyone. And depending on which passport you carry, the difference between them can be the difference between a default-on and a default-off life.
Who each law actually covers
The GDPR follows the data subject, not the geography. If you are a resident of any EU member state or the United Kingdom, an organisation processing your personal data must comply, regardless of where it is based. A Brazilian SaaS company holding the email address of a French citizen falls under the GDPR. So does a Californian retailer shipping to Berlin.
The CCPA, by contrast, is tied to one state. It protects consumers who are residents of California and only when they deal with for-profit businesses meeting a size threshold: at least $25 million in annual revenue, data on 100,000 or more Californians, or 50% of revenue from selling personal information. A Florida resident reading the same website gets nothing.
This matters. The GDPR is portable; it travels with you. The CCPA is territorial; it stops at the state line.
What counts as "personal information"
The GDPR defines personal data as anything relating to an identified or identifiable natural person. The word that does the work is identifiable. An IP address counts. A device fingerprint counts. A pseudonymous advertising ID that could, with reasonable effort, be linked back to you, counts. European regulators have spent six years stretching this definition further.
The CCPA goes wider in one specific dimension. It explicitly includes inferences drawn from any of the above to create a profile reflecting your preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, or aptitudes. In other words: the score a broker gave you after watching you for a year is itself personal information you can ask to see.
The GDPR is wider on what it considers identifying. The CCPA is wider on what it considers personal. Both are right about different things.
Opt-in versus opt-out
This is the single largest difference, and almost everything else flows from it.
Under the GDPR, a company cannot process your data unless it has one of six lawful bases: your consent, performance of a contract, a legal obligation, vital interests, a public task, or a legitimate interest that does not override your rights. Consent must be freely given, specific, informed, and unambiguous. The default is no.
Under the CCPA, a company is generally free to collect and even sell your personal information, provided it tells you and gives you a way to object. The default is yes. The flagship mechanism is the "Do Not Sell or Share My Personal Information" link that the law requires on the homepage of any covered business. The 2023 CPRA amendments added a similar right to limit the use of sensitive personal information.
One framework asks permission. The other asks forgiveness in writing.
Enforcement and the price of getting it wrong
GDPR penalties are the headline most regulators want you to remember. Maximum fines run to 4% of global annual turnover or €20 million, whichever is higher. Meta has been hit with €1.2 billion. Amazon with €746 million. Google with €50 million in a single early case. National data protection authorities, from the Irish DPC to the German Länder regulators, have real enforcement budgets.
The CCPA caps statutory penalties at $2,500 per unintentional violation and $7,500 per intentional violation, enforced by the California Privacy Protection Agency and the state Attorney General. There is also a narrow private right of action, but only for data breaches involving certain categories of unencrypted information, capped at $750 per consumer.
The numbers are not directly comparable. A single GDPR breach can produce one nine-figure fine; a CCPA action can stack $7,500 across millions of affected consumers. Sephora paid $1.2 million in 2022 for failing to disclose data sales. DoorDash paid $375,000 in 2024. The bite is smaller per incident but more frequent.
The rights you actually get
On paper, the two laws grant overlapping rights: know what is collected, access a copy, correct inaccuracies, delete what is held, and opt out of certain uses. The differences are in the texture.
| Right | GDPR | CCPA |
|---|---|---|
| Access your data | Yes, free, within one month | Yes, twice per year, within 45 days |
| Delete your data | Yes, with broad exceptions for legal obligation | Yes, with exceptions for transaction history |
| Object to processing | Yes, including profiling | Opt-out of sale or sharing only |
| Data portability | Machine-readable copy on request | Limited to access copy |
| Automated decisions | Right not to be subject to them | Limited rules pending under CPRA |
The GDPR's right to object to automated decision-making is, in practice, the most far-reaching difference. If an algorithm decides whether you get the loan, the insurance quote, or the job interview, a European can demand human review. A Californian, for now, cannot.
So which one actually protects you
The honest answer depends on where you live and what you are trying to stop.
If you are a resident of the EU or the UK, the GDPR gives you the stronger hand. Consent is the default question, the regulators are well-funded, and the rights travel with you when you cross borders or sign up for a US service.
If you are a Californian, the CCPA gives you the only privacy law of meaningful scope you have, and it is genuinely better than the federal vacuum that surrounds it. You can see what brokers infer about you, you can demand deletion, and you can sue when your unencrypted data leaks. What you cannot do is start from a position of no.
If you live anywhere else in the United States, the picture darkens. Virginia, Colorado, Connecticut, Utah and a handful of others have passed CCPA-style statutes, but coverage is patchy and enforcement is thinner. The asymmetry is the point: a Texan and a German can sit on the same website at the same moment, and only one of them has rights worth invoking.
Neither law is best. They are different shapes. The GDPR asks the company to justify itself. The CCPA asks the consumer to object.
For most people, the practical conclusion is this. The laws exist, the rights exist, and exercising them is a paperwork exercise: writing to roughly 150 data brokers, one at a time, in the correct format, with the correct identity proof, and chasing the ones who ignore you. The right to deletion is only as strong as your patience.
If you would rather not spend three weekends doing it yourself, Nox Æterna handles all 150+ UK and US brokers in a single £89 payment, using the same rights both laws give you, and sends you a PDF proof when the work is done.