Two privacy laws have reshaped how companies handle your personal data: the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Whether you are a European resident, a Californian, or simply someone who wants to understand your rights, these two frameworks define the most important consumer privacy protections in the world today. They share common goals -- giving you control over your data -- but they take fundamentally different approaches to getting there. Here is everything you need to know about how GDPR and CCPA compare, what rights they give you, and how to actually exercise them in 2026.
What Are GDPR and CCPA?
The General Data Protection Regulation (GDPR) is a comprehensive privacy law that took effect across the European Union in May 2018. It applies to any organization anywhere in the world that processes the personal data of EU residents. The GDPR is widely considered the gold standard for data privacy, and it has influenced privacy legislation on every continent.
The California Consumer Privacy Act (CCPA), later strengthened by the California Privacy Rights Act (CPRA), is the most significant state-level privacy law in the United States. It applies to for-profit businesses that meet at least one of these thresholds: annual gross revenue exceeding $25 million, buying or selling the personal information of 50,000 or more California consumers, or deriving 50% or more of annual revenue from selling consumer data.
Why These Two Laws Matter Most
Together, GDPR and CCPA set the standard that other privacy laws around the world follow. The GDPR protects over 450 million EU residents, while the CCPA covers nearly 40 million Californians and influences the privacy practices of virtually every major company operating in the U.S. Understanding these two laws gives you a foundation for navigating your privacy rights no matter where you live.
The Fundamental Difference: Opt-In vs Opt-Out
The single most important distinction between GDPR and CCPA comes down to consent.
GDPR operates on an opt-in model. Before a company can collect or process your personal data, it must obtain your explicit consent (or establish another valid legal basis). You must actively agree -- pre-checked boxes, buried terms, and implied consent do not count. This means a company cannot touch your data until you say yes (or one of the other legal bases applies).
CCPA operates on an opt-out model. Businesses can collect and process your personal data by default. You have the right to tell them to stop -- specifically, to opt out of the sale or sharing of your information -- but the burden is on you to take that action. If you do nothing, your data flows freely.
This distinction reflects a deeper philosophical difference. In the EU, privacy is treated as a fundamental right that companies must respect from the start. In the U.S., the default assumption is that businesses can operate freely unless consumers actively assert their rights.
Key Differences at a Glance
Who Is Covered
The GDPR covers all EU residents, regardless of the size or revenue of the company processing their data. Even a small business with a mailing list must comply. The CCPA is narrower: it covers California residents and only applies to businesses that meet the revenue or data volume thresholds described above.
What Counts as Personal Data
The GDPR defines personal data very broadly: any information that can directly or indirectly identify a person, including names, IP addresses, cookie identifiers, biometric data, and even pseudonymized data if it can be re-linked to an individual. The CCPA also has a broad definition, but it is framed around consumer, device, and household information -- including names, addresses, browsing history, purchasing records, geolocation, and inferences drawn from this data.
Legal Basis for Processing
Under the GDPR, a company must establish one of six legal grounds before processing your data: consent, contractual necessity, legal obligation, vital interests, public interest, or legitimate interest. Under the CCPA, there is no requirement to establish a legal basis for collecting data. Instead, the law focuses on transparency and the right to opt out -- businesses must disclose what they collect and give you the ability to say no to the sale or sharing of your information.
Penalties and Enforcement
The GDPR carries severe penalties: fines of up to 4% of global annual revenue or 20 million euros, whichever is greater. These fines have been enforced aggressively -- Meta, Amazon, and Google have each faced GDPR fines in the hundreds of millions of euros. The CCPA's penalties are smaller on a per-violation basis: $2,500 per unintentional violation and $7,500 per intentional violation. However, the CCPA also grants a private right of action for data breaches, allowing consumers to sue for $100 to $750 per person per incident, which can add up to enormous sums in class-action lawsuits.
Neither Law Protects You Automatically
Having strong privacy rights on paper does not mean your data is safe in practice. Under the GDPR, companies still collect data using consent banners you may click through without reading. Under the CCPA, your data is sold by default unless you actively opt out. In both cases, exercising your rights requires you to take action -- submitting requests, adjusting settings, and following up when companies fail to comply.
What Rights Do You Have?
Despite their differences, GDPR and CCPA grant consumers a similar core set of rights. Here is how they compare:
- Right to know: Both laws give you the right to find out what personal data a company has collected about you and how it is being used. Under the GDPR, this is called a Data Subject Access Request (DSAR). Under the CCPA, businesses must respond to "right to know" requests within 45 days.
- Right to delete: Both laws allow you to request that a company delete your personal data. Under the GDPR, this is known as the "right to erasure" or "right to be forgotten." Under the CCPA, businesses must delete your data and instruct their service providers to do the same.
- Right to opt out: The CCPA explicitly grants the right to opt out of the sale or sharing of your personal information. The GDPR achieves a similar result through its consent model -- if you withdraw consent, processing must stop.
- Data portability: Both laws give you the right to receive a copy of your personal data in a portable, commonly used format so you can transfer it to another service.
- Right to non-discrimination: The CCPA explicitly prohibits businesses from denying services or charging different prices because you exercised your privacy rights. The GDPR addresses this through its broader anti-discrimination principles.
How to Exercise Your Rights
Under the GDPR
If you are an EU resident, you can submit a Data Subject Access Request (DSAR) to any company that holds your data. Most companies provide a privacy contact or online form. The company must respond within 30 days. If it fails to comply, you can file a complaint with your country's data protection authority (such as the ICO in the UK, the CNIL in France, or the BfDI in Germany). There is no cost to submit a DSAR.
Under the CCPA
California residents can exercise their rights by submitting requests directly to businesses -- look for links labeled "Do Not Sell or Share My Personal Information" or "Your California Privacy Rights" in website footers. Businesses must provide at least two methods for submitting requests (typically an online form and a toll-free number) and must respond within 45 days.
A major 2026 development is the full launch of California's DROP platform (Delete Request and Opt-Out Platform), created by the DELETE Act. DROP allows California residents to submit a single deletion and opt-out request that reaches every registered data broker in the state. Instead of contacting hundreds of brokers individually, you submit one request through DROP. Beginning August 1, 2026, all registered data brokers must process DROP requests every 45 days.
Use Global Privacy Control
The CCPA now requires businesses to honor the Global Privacy Control (GPC) signal -- a browser-level setting that automatically communicates your opt-out preference to every website you visit. If you enable GPC in a supported browser (such as Firefox, Brave, or DuckDuckGo), California businesses must treat it as a valid opt-out of data sales and sharing. This is one of the most powerful and underused tools available to California consumers.
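As an added example (not code from the article, from PrivacyOn, or from any browser vendor), here is how a website can recognize the GPC signal on both the server and client side and treat it as a CCPA opt-out of sale and sharing. The GPC specification defines the request header Sec-GPC with the value 1, the navigator.globalPrivacyControl property, and a /.well-known/gpc.json resource; the sample headers, navigator object, and example.com are constructed for illustration.

```javascript
// Added example: detecting the Global Privacy Control (GPC) signal and
// honoring it as a CCPA opt-out. Not part of the original article.

// Server side: `headers` maps header names to values. HTTP header names are
// case-insensitive, and per the GPC spec only the exact value "1" is a signal.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false; // header absent: no opt-out signal was sent
}

// Client side: the same preference is exposed to page scripts as a boolean.
function gpcFromNavigator(nav) {
  return nav !== undefined && nav.globalPrivacyControl === true;
}

// Decide whether tags that sell or share data (ad pixels, broker SDKs) may
// load. A GPC signal or a previously stored opt-out means "do not load";
// otherwise the CCPA default applies and the consumer is not opted out.
function mayShareOrSell({ headers = {}, nav, storedOptOut = false }) {
  const optedOut =
    storedOptOut || gpcFromHeaders(headers) || gpcFromNavigator(nav);
  return !optedOut;
}

// Body of the /.well-known/gpc.json resource a site publishes to declare
// that it honors GPC. `lastUpdate` is a YYYY-MM-DD string (constructed).
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample request from a browser with GPC enabled.
const sampleHeaders = { Host: 'example.com', 'Sec-GPC': '1' };
console.log('sale/sharing allowed:', mayShareOrSell({ headers: sampleHeaders }));
console.log('well-known body:', gpcWellKnown('2026-01-01'));
```

The same decision function can be reused on the client by passing `navigator` as `nav`, so a script that is already loaded can suppress third-party tags even when the server did not inspect the header.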
2026 Updates: AI Disclosures and New State Laws
Privacy law is evolving rapidly. In 2026, the CCPA now requires businesses to provide disclosures about their use of automated decision-making and AI systems. If a company uses AI to make decisions that affect you -- such as credit scoring, hiring, or insurance pricing -- you have the right to know how the system works and to opt out of automated processing in certain circumstances.
California is not alone. A growing number of U.S. states have enacted comprehensive privacy laws modeled on the CCPA framework, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah, Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, and others. While each law varies in scope and enforcement, they collectively represent a clear trend toward stronger consumer privacy protections nationwide. However, none yet match the CCPA's breadth, and there is still no comprehensive federal privacy law in the United States.
Where the Gaps Remain
Even with GDPR and CCPA in effect, significant gaps persist. Data brokers operate across state and national borders, and many are not covered by either law. Your personal information can appear on dozens of broker sites that fall outside the jurisdiction of any single regulation. And even when you do exercise your rights, data has a tendency to reappear -- brokers rebuild profiles from public records, commercial databases, and scraped online sources.
This is where ongoing, automated protection makes a meaningful difference. PrivacyOn removes your personal information from more than 100 data broker sites, complementing the legal rights you have under GDPR, CCPA, and other state laws. Instead of submitting individual requests to each broker and hoping they comply, PrivacyOn handles opt-outs on your behalf and runs continuous monitoring to catch and re-remove data as it reappears. Combined with dark web monitoring, it provides a layer of protection that goes beyond what any single law can guarantee.
Privacy laws give you the rights. Tools like DROP and Global Privacy Control make those rights easier to exercise. And services like PrivacyOn ensure that your data actually stays removed -- across every broker, in every state, month after month.