Data International Rescue Part 2: GDPR vs. California Privacy Laws

Jan 23, 2024

Whichever side of the Atlantic your business operates on, there’s no escaping the increasingly stringent data privacy regulations that now exist to protect the rights of citizens throughout Europe and the US. The European Union's General Data Protection Regulation (GDPR) and Californian privacy laws - including the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA) - are perhaps the most significant regulatory frameworks developed to date.

In this blog post, we will compare and contrast the GDPR with Californian privacy laws, unpacking the main features of both and highlighting their similarities and differences.

Scope and Applicability

The GDPR:

The GDPR is a comprehensive data protection regulation applicable to all EU member states. It applies to businesses and organisations that process the personal data of EU residents, irrespective of where the organisation is located. It covers a broad spectrum of personal data, including names, email addresses, and even IP addresses.

The CCPA and CPRA:

Californian privacy laws primarily focus on residents of California. The CCPA, and subsequently the CPRA, apply to businesses that exceed certain thresholds in terms of revenue and data processing volume. They are more specific to California and its residents, unlike the GDPR, which has global implications.

However, it is worth noting that during 2023 four other states (Virginia, Connecticut, Colorado, and Utah) also had comprehensive data privacy laws come into effect, with California widely viewed as the trailblazer in this field.

Data Subject Rights

The GDPR:

The GDPR grants individuals several rights, including the right to access their data, rectify inaccuracies, and request data erasure (the "right to be forgotten"). It also enforces the right to data portability, giving individuals control over their data.

The CCPA and CPRA:

CCPA and CPRA also provide data subject rights, including the right to access and delete personal information. These laws place a strong emphasis on the right to opt out of the sale of personal data and include provisions for opt-in consent for minors. CPRA introduces additional rights, such as the right to correct inaccurate data and limit data usage.

Data Protection Officers

The GDPR:

The GDPR mandates that certain organisations (those dealing with sensitive personal information being a primary case) appoint a Data Protection Officer (DPO) to oversee data protection and compliance. DPOs play a crucial role in ensuring GDPR adherence.

The CCPA and CPRA:

Californian privacy laws do not require the appointment of a DPO. Instead, they focus on giving consumers the ability to control their data directly.

Penalties and Fines

The GDPR:

The GDPR imposes hefty fines for non-compliance, with penalties reaching up to 4% of a company's global annual revenue or €20 million, whichever is higher. This has made GDPR compliance a high-stakes issue for businesses.

The CCPA and CPRA:

CCPA and CPRA impose fines of up to $7,500 per violation, per consumer, which may seem less daunting than GDPR fines. However, because the fine scales with the number of affected consumers, a data breach of one million records, for example, could result in a fine of up to $7.5 billion.

Data Protection Impact Assessments

The GDPR:

The GDPR mandates Data Protection Impact Assessments (DPIAs) to evaluate and mitigate data protection risks, ensuring privacy is integrated into data processing activities.

The CCPA and CPRA:

CCPA and CPRA do not explicitly require DPIAs. Instead, they emphasise transparency, consumer rights, and compliance with specific data protection obligations. Even so, meeting those obligations still requires organisations to understand and map the location and types of data being processed.

While both the GDPR and Californian privacy laws aim to protect individual privacy and personal data, they differ in scope, requirements, and enforcement. The GDPR is more global in reach and comprehensive in its approach, while Californian privacy laws are specific to Californian residents, wherever within the United States they happen to be transacting business.

The penalties for non-compliance under the two regimes are calculated differently, but both can have a substantial financial impact on businesses.

Understanding these differences is crucial for organisations that operate on both sides of the Atlantic or serve customers internationally, as they need to navigate the complexities of multiple regulatory frameworks to ensure compliance and safeguard individuals' privacy.

Sources: CCPA and CPRA; GDPR; Four other US states introducing privacy laws in 2023.