GDPR is the EU's comprehensive privacy law and reaches anyone offering goods or services to people in the EU; CCPA/CPRA is California's law, applying above set thresholds to businesses handling Californians' data. GDPR wants a lawful basis up front and opt-in consent for non-essential cookies; CCPA leans on disclosure plus an opt-out of sale/sharing. Have customers in both places? You generally need both.

| | PrivacyProof | CCPA Ready |
|---|---|---|
| Rule | GDPR privacy & cookie consent | US state privacy (CCPA/CPRA) |
| Region | EU rules | US rules |
| Applies if you… | collect personal data from visitors in the EU or UK | sell to or collect data from consumers in California or other US states |
| Status | In force | In force |
| Maximum exposure | up to €20M or 4% of global turnover (Art. 83) | $2,500 per violation; $7,500 if intentional or involving a minor |
| Official source | EUR-Lex — Regulation (EU) 2016/679 | California AG — CCPA |

Often yes. They're separate obligations, so if your business falls within the scope of each (for example, through customers or activities that each one covers), you have to meet both. The free checkers tell you where you stand on each in about a minute.
Informational only, not legal advice. Scope and figures can be fact-specific — confirm against each cited source. Last reviewed 2026-06-30.