PE firms with portfolio companies operating in both the US (California) and EU face a compliance challenge that is structural, not procedural. CCPA and GDPR are built on different philosophical foundations. GDPR starts from the position that personal data processing requires a legal basis before it begins. CCPA starts from the position that data processing can proceed, but consumers must have the right to know about it and opt out. This fundamental difference means that a single compliance program cannot cover both frameworks without explicit, jurisdiction-specific implementations.
Consent Model: Opt-In vs. Opt-Out
GDPR requires a lawful basis before any personal data processing begins. For marketing purposes, the two primary bases are consent (which must be freely given, specific, informed, and unambiguous) and legitimate interest (which requires a documented balancing test). In practice, GDPR requires opt-in consent for most marketing data processing, especially for cookies, email marketing, and advertising tracking.
CCPA takes the opposite approach. There is no consent requirement before data collection. The law gives consumers rights they can exercise after the fact: the right to know what data has been collected, the right to delete it, and the right to opt out of its sale or sharing. The default under CCPA is that processing is permitted until the consumer objects. The default under GDPR is that processing is prohibited until the data subject consents.
For PE-backed companies operating in both jurisdictions, this means the consent infrastructure must be dual-track. EU visitors require opt-in consent before tracking pixels fire. California visitors require opt-out mechanisms and disclosures, but tracking can proceed by default (subject to GPC signal processing). A single CMP configuration cannot serve both requirements. The CMP must be geolocation-aware and implement different default behaviors based on the visitor's jurisdiction.
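As an added illustration (not code from the original article), the dual-track default described above can be expressed as a small consent gate that a CMP front end would consult before loading any tracker. The jurisdiction codes, the shape of the consent record and the tracker-loader callback are assumptions made for the example; the GPC check uses the browser's `navigator.globalPrivacyControl` property.

```javascript
// Added example: jurisdiction-aware consent gate for marketing/advertising trackers.
// Jurisdiction codes ("EU", "US-CA") and the consent record shape are assumptions.

// Default posture per framework: GDPR prohibits processing until the data
// subject opts in; CCPA permits processing until the consumer opts out.
const DEFAULTS = {
  "EU":    { marketing: false },  // GDPR: opt-in required before pixels fire
  "US-CA": { marketing: true },   // CCPA: permitted by default, opt-out honoured
};

// Decide whether a marketing tracker may fire.
//   jurisdiction : "EU" | "US-CA" | anything else
//   record       : { marketing: true|false } explicit choice stored by the CMP, or null
//   gpc          : boolean, the browser's Global Privacy Control signal
function trackingAllowed(jurisdiction, record, gpc) {
  if (jurisdiction === "EU") {
    // Only a recorded, explicit opt-in unlocks tracking; silence means no.
    return record !== null && record.marketing === true;
  }
  if (jurisdiction === "US-CA") {
    // GPC is treated as an opt-out of sale/sharing and honoured unconditionally
    // (conservative design choice for this example).
    if (gpc) return false;
    // A recorded opt-out also blocks; otherwise the CCPA default applies.
    if (record !== null && record.marketing === false) return false;
    return DEFAULTS["US-CA"].marketing;
  }
  // Unknown jurisdiction: fail closed, matching the stricter framework's posture.
  return false;
}

// Read the GPC signal; `nav` is normally `navigator` when running client-side.
function readGpcSignal(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Run a tracker loader only when the gate permits it; returns whether it ran.
function fireIfAllowed(jurisdiction, record, gpc, loadTracker) {
  if (!trackingAllowed(jurisdiction, record, gpc)) return false;
  loadTracker();
  return true;
}
```

The gate is deliberately asymmetric: the EU branch needs a positive record, the California branch only needs the absence of an objection, which is exactly why one CMP default cannot serve both.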
Scope of Protected Data
GDPR protects "personal data," defined as any information relating to an identified or identifiable natural person. The scope is broad and includes pseudonymized data that can be re-identified. GDPR applies to all processing of personal data by organizations within the EU or that target EU residents.
CCPA protects "personal information," defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. CCPA's scope is arguably broader in one respect: it extends to household-level data, not just individual data. But CCPA has a revenue-based applicability threshold that GDPR lacks. Not every company that processes California consumer data is subject to CCPA.
CPRA's addition of "sensitive personal information" as a distinct category with separate rights creates a third layer. GDPR's "special categories" and CPRA's "sensitive personal information" overlap significantly but are not identical. Companies must map their data inventory against both taxonomies and implement the appropriate controls for each.
Individual Rights and Response Obligations
Both frameworks grant individuals rights over their data, but the rights differ in scope, mechanics, and timeline. GDPR grants eight rights: information, access, rectification, erasure, restriction of processing, data portability, objection, and rights related to automated decision-making. The response deadline is one month, extendable to three months for complex requests.
CCPA/CPRA grants the right to know, the right to delete, the right to correct, the right to opt out of sale/sharing, the right to limit use of sensitive personal information, the right to opt out of automated decision-making, and the right to non-discrimination. The response deadline is 45 days, extendable by an additional 45 days. CCPA also requires a toll-free phone number as an intake method, which GDPR does not.
The right to data portability exists in both frameworks but differs in practice. GDPR's portability right requires the controller to provide data in a structured, commonly used, machine-readable format. CCPA's right to know requires disclosure of the specific pieces of personal information collected, but the format requirements are less prescriptive. Companies must implement separate fulfillment workflows for each framework, because the scope of data included and the format requirements differ.
The non-discrimination right under CCPA has no direct GDPR equivalent. CCPA prohibits businesses from discriminating against consumers who exercise their privacy rights by charging different prices, providing a different level of service, or denying goods or services. This creates specific constraints on loyalty programs, personalized pricing, and tiered service models that must be evaluated separately from GDPR compliance.
Enforcement and Penalty Structure
GDPR enforcement is conducted by Data Protection Authorities in each EU member state, with the "lead authority" mechanism determining which DPA takes primary jurisdiction for cross-border processing. Penalties can reach 4% of worldwide annual turnover or EUR 20 million. GDPR DPAs have imposed billions of euros in fines since 2018, with a substantial body of case law and enforcement precedent.
CCPA enforcement is conducted by the CPPA (since July 2023) and the California Attorney General. Penalties are $2,500 per unintentional violation and $7,500 per intentional violation, with no aggregate cap. CCPA also provides a private right of action for data breaches involving unencrypted personal information, with statutory damages of $100-$750 per consumer per incident. The private right of action creates litigation risk that GDPR does not (GDPR allows individual claims but does not provide statutory damages).
For PE deal teams, the enforcement difference creates a different risk profile. GDPR risk is concentrated in large regulatory fines that target the company as an entity. CCPA risk is distributed across per-violation penalties that scale with the number of affected consumers and class-action litigation that can produce significant settlement costs. A company with 500,000 California consumers that fails to honor GPC signals faces a different risk calculation than the same company failing to implement GDPR cookie consent.
The practical takeaway for PE firms with cross-jurisdictional portfolio exposure is that compliance cannot be consolidated. GDPR compliance does not produce CCPA compliance. CCPA compliance does not produce GDPR compliance. Each framework requires separate implementation, separate documentation, separate training, and separate audit. The cost of maintaining dual compliance should be modeled explicitly in portfolio company budgets, not assumed to be covered by a generic "privacy program."