In a world where personal data has become a strategic asset, data protection has moved from a formality to a critical element of a company’s reputational, legal, and financial security. This is especially true for digital businesses that operate in global markets: from SaaS platforms to e-commerce, marketing technologies, and fintech solutions.
Entrepreneurs, especially SaaS, e-commerce, and adtech companies, often ask themselves the following questions:
- Does GDPR apply to us if we are not in the EU?
- Does CCPA apply if we are not in California?
- What obligations does each law impose and what are the penalties for violating them?
This article will provide a clear yet in-depth analysis of the key differences between CCPA and GDPR to help businesses: avoid fines, update privacy policies correctly, and build customer trust.
At first glance, it may seem that the GDPR (EU regulation) and the CCPA (California state law) are simply regional regulations with the same purpose. But there are a number of critical differences between them that affect:
- how personal data is processed and classified;
- privacy policy requirements;
- user rights;
- business obligations to interact with suppliers and contractors;
- and, of course, the size of fines for non-compliance.
In 2025, the question “does regulation A or regulation B apply to us?” is no longer precise enough. Even companies registered outside the EU or the US that have traffic, users or customers in those jurisdictions are automatically subject to the respective law.
For example: If you are a SaaS company that provides services to customers from the EU or California, you are required to comply with the GDPR and/or CCPA, respectively.
If you work with advertising networks or collect cookies, IP addresses or analytics data, the likelihood of a violation rises sharply unless proper documentation and user consent are in place.
Incorrect assessment of requirements or focusing only on “minimum obligations” can lead to:
- significant fines (from tens of thousands of dollars to millions of euros),
- reduced customer trust, especially in regulated markets,
- potential blocking of activities if a systemic violation of data processing norms is detected.
Therefore, this article aims not only to superficially compare GDPR and CCPA, but to provide a structured, analytical understanding of:
- which application criteria should be considered,
- how a company’s obligations change depending on the jurisdiction,
- which technical and organizational measures should be implemented now,
- how the requirements of the two regulations can be combined into a single Data Protection Framework that works effectively from both a legal and operational point of view.
For those planning to scale their business to the US or EU markets, understanding this distinction is not just desirable, but critically necessary.
Brief Definition: What Are GDPR and CCPA?
GDPR (General Data Protection Regulation) is the European Union’s general data protection regulation that came into force on May 25, 2018 and is considered the most stringent and comprehensive data protection regulation in the world.
This regulation:
- regulates the processing of personal data of individuals who are EU residents, regardless of the company’s geographical location;
- imposes obligations on companies that:
  – collect, store, process or transfer personal data of EU residents;
  – use cookies, tracking, marketing analytics or other identification technologies;
- requires a lawful basis for data processing (e.g. consent, performance of a contract, legal obligation, etc.);
- establishes principles for processing, including: transparency, data minimization, purpose limitation, security and accountability for processing.
GDPR applies to any industry (SaaS, fintech, e-commerce, HR, marketing, etc.) and does not depend on the size of the business.
CCPA (California Consumer Privacy Act) is a law of the state of California (USA), which came into force on January 1, 2020 and aims to ensure transparency in the collection and sale of consumer personal data.
This act:
- applies to “businesses” operating in California and meeting at least one of the following criteria:
  – annual revenue of more than $25 million;
  – processing personal data of more than 100,000 consumers, households or devices;
  – receiving more than 50% of revenue from the sale of personal data;
- focuses on protecting consumer rights, with an emphasis on:
  – the right to know what data is being collected;
  – the right to prohibit its sale (“Do Not Sell My Personal Information”);
  – the right to delete data;
- does not require mandatory consent for processing, but obliges companies to provide the ability to opt out of the sale or transfer of data to third parties;
- provides for civil liability, including class action lawsuits in the event of data breaches.
Basic Similarities and Differences
| Criterion | GDPR | CCPA |
|---|---|---|
| Geography | Residents of the EU | Residents of California (USA) |
| Type of Regulation | Comprehensive regulation on personal data processing | Consumer privacy law regarding personal information |
| Consent Approach | Explicit consent or other legal grounds required | Consent not required, but mandatory opt-out right |
| Definition of “Personal Data” | Any information that identifies an individual | Data that identifies or could be linked to a consumer or household |
| Regulation Orientation | Protection of fundamental human rights | Ensuring consumer control over their data |
| Effective Date | May 25, 2018 | January 1, 2020 |
| Penalties for Violations | Up to €20 million or 4% of global turnover | $2,500–$7,500 per violation + potential class action lawsuits |
In short, GDPR is a systemic, strict European legal framework focused on human rights, binding consent and legal liability, whereas CCPA is more commercially oriented legislation that emphasizes business transparency, the right to opt out and the protection of the consumer as a customer.
In both cases, businesses must not only know the law, but also operationally comply with its requirements – by implementing policies, mechanisms for processing requests and agreements with partners.
Who Do the GDPR and CCPA Apply to, and What Counts as Personal Data?
Understanding the jurisdictional scope and definition of “personal data” is critical to assessing whether your company is subject to the GDPR or CCPA, even if you are not located in the EU or the US. Both acts are extraterritorial in nature, but operate under different logics.
GDPR: Who is affected and what data is covered
The GDPR applies to:
- any company in the world that processes personal data of European Union residents;
- regardless of whether the company has an office, legal entity or employees in the EU;
- with no exceptions for business size — even an early-stage startup with users from the EU is subject to regulation.
Examples: a SaaS platform registered in Ukraine with 300 users from Germany; an e-commerce store that delivers goods to France; an analytics service that tracks the IP addresses of European visitors.
What is “personal data” under the GDPR?
Any information that directly or indirectly identifies a natural person: name, email, phone number, IP address, MAC address, cookie ID, geolocation, UID, health data, biometrics, video surveillance footage, behavioral information (e.g. click analytics).
Key point: GDPR uses a very broad interpretation of personal data and obliges companies to identify any data that could allow an individual to be identified, even only in combination with other data.
CCPA: Who is covered and how data is defined
The CCPA only applies to “businesses” that operate in California (even remotely) if they meet at least one of the following criteria:
- The company’s annual gross revenue exceeds $25 million;
- The company processes personal data from 100,000+ consumers, households, or devices;
- The company derives more than 50% of its revenue from selling personal data.
Examples: a marketing agency with email contact databases of California residents; a mobile app that tracks and collects behavioral data from California residents; a SaaS company that sells user data for retargeting.
What is “personal information” under the CCPA?
Information that identifies, relates to, describes, or can be linked to a specific consumer or household: name, email, address, phone number, driver’s license number, IP address, browsing history, behavioral patterns, geolocation, device data, and inferences drawn from profiling.
Important: CCPA defines “Sensitive Personal Information” separately, but has a narrower list than GDPR. For example, not all biometric or behavioral data is automatically considered “sensitive.”
What Does It Mean in Practice?
| Criterion | GDPR | CCPA |
|---|---|---|
| Geographical Applicability | Any company processing data of EU residents | Companies doing business in California |
| Size Limitations | ❌ None | ✅ (Revenue, number of subjects, revenue from data sales) |
| Scope of Data Definition | ✅ Very broad, including IP, cookies, UID | ⚠️ More limited, consumer and household-oriented |
| Sensitive Data | Defined separately, includes biometrics, health, political | Has a list, but more flexible and less formalized |
| Extraterritoriality | ✅ Yes | ✅ Yes (if the company works with clients in California) |
If you have any access to data of individuals from the EU or California, you need to:
- conduct Data Mapping: where, how and what data you process;
- assess whether your company falls under the regulatory criteria;
- implement policies, processes and tools for compliance (even if you are a small business or startup);
- do not focus only on the legal address – actual activity and revenue structure are important.
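As an added illustration of the data mapping and applicability assessment just listed (example code written for this article, not a Riskora.Consulting tool), the block below encodes the GDPR and CCPA criteria from the sections above and derives the resulting obligations from a small data map; the `DataFlow`/`Company` fields, the sample figures, and the use of California data subjects as a proxy for doing business in California are assumptions.

```python
# Added example, not code from the article or from Riskora.Consulting: a minimal data map
# and an applicability check for the GDPR/CCPA criteria above. Field names and sample
# figures are constructed; "has California data subjects" stands in for doing business there.
from dataclasses import dataclass, field

@dataclass
class DataFlow:
    """One data-map row: what is processed, whose data, where it is held, who receives it."""
    category: str                   # e.g. "email", "ip_address", "cookie_id"
    subject_regions: set            # where the data subjects live, e.g. {"EU", "CA"}
    storage: str                    # system holding the data
    processors: list = field(default_factory=list)  # third parties acting on our behalf
    sold: bool = False              # passed to third parties as a "sale" (CCPA sense)

@dataclass
class Company:
    annual_revenue_usd: float
    consumers_per_year: int         # consumers, households or devices whose data is processed
    data_sale_revenue_share: float  # fraction of revenue from selling personal data
    flows: list
# CCPA thresholds as stated in the article; exceeding any one of them is enough
CCPA_REVENUE_USD = 25_000_000
CCPA_CONSUMERS = 100_000
CCPA_SALE_SHARE = 0.5

def gdpr_applies(c):
    """GDPR: any EU-resident data triggers it, whatever the company's size or location."""
    return any("EU" in f.subject_regions for f in c.flows)

def ccpa_applies(c):
    """CCPA: California data subjects AND at least one size/revenue threshold exceeded."""
    handles_ca = any("CA" in f.subject_regions for f in c.flows)
    over_threshold = (c.annual_revenue_usd > CCPA_REVENUE_USD
                      or c.consumers_per_year > CCPA_CONSUMERS
                      or c.data_sale_revenue_share > CCPA_SALE_SHARE)
    return handles_ca and over_threshold

def assess(c):
    """Derive the obligations the article names from the data map."""
    findings = []
    if gdpr_applies(c):
        findings.append("GDPR applies")
        for f in c.flows:
            for p in (f.processors if "EU" in f.subject_regions else []):
                findings.append(f"DPA required with processor '{p}' for {f.category}")
    if ccpa_applies(c):
        findings.append("CCPA applies")
        if any(f.sold and "CA" in f.subject_regions for f in c.flows):
            findings.append("'Do Not Sell My Personal Information' opt-out required")
    return findings

# Constructed sample: below the $25M revenue bar but above 100,000 consumers, one data sale
SAMPLE = Company(3_000_000, 120_000, 0.1, flows=[
    DataFlow("email", {"EU", "CA"}, "customer-db", processors=["cloud-host"]),
    DataFlow("cookie_id", {"CA"}, "analytics", processors=["ad-network"], sold=True)])
```

Running `assess(SAMPLE)` shows why the legal address alone is not the test: a $3M company still lands under both regimes because of where its users are and how many it has.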
User Rights: What GDPR and CCPA Grant
Both laws, GDPR and CCPA, provide users with a set of rights regarding their personal data, but the set and depth of these rights differ in scope and approach.
GDPR provides a wider range of rights based on the protection of privacy as a fundamental human right:
- Right to access – the user has the right to find out what data about them is stored and how it is processed.
- Right to rectification – the ability to update or correct inaccurate information.
- Right to erasure (“right to be forgotten”) – a requirement to delete data if the legal basis for its processing no longer exists.
- Right to restriction of processing – temporary suspension of data processing under certain conditions.
- Right to data portability – the ability to receive data in a machine-readable format and transmit it to another controller.
- Right to object – refusal of processing based on legitimate interest or for direct marketing purposes.
- Right to withdraw consent – at any time.
CCPA focuses on the right to control the sale and disclosure of data:
- Right to know – what data is collected, for what purpose and to whom it is transferred.
- Right to erasure – request the deletion of personal data that a company has collected.
- Right to opt out of the sale of data – “Do Not Sell My Personal Information” mechanism.
- Right not to be discriminated against – a company cannot limit access to services or increase prices because of the exercise of user rights.
- Right to rectification (added as part of CPRA, from 2023) – albeit limited.
Consent Requirements: How to Start Processing Data?
The GDPR requires that consent to process personal data be explicit, informed, specific, and freely given. In most cases, companies must obtain the user’s consent before processing begins or justify the processing on other legitimate grounds, such as performance of a contract or legitimate interest.
In contrast, the CCPA does not require prior consent to process personal data. However, it does require companies to provide users with the right to opt out of the sale of their data, typically through a “Do Not Sell My Personal Information” mechanism. This means that control is exercised retrospectively, rather than at the point of collection.
Fines for violations: how much do they cost businesses?
One of the key factors that motivates businesses to comply with the GDPR and CCPA is the high cost of a violation. Both acts provide for financial and reputational liability, but again, with different approaches to the scale and mechanism of recovery.
GDPR: strict financial liability
The GDPR establishes a two-tier system of fines depending on the nature and severity of the violation:
- up to €10 million or 2% of global annual turnover – for less serious violations (e.g. lack of agreements with processors, lack of a processing register, etc.);
- up to €20 million or 4% of global turnover – for serious violations (unlawful data processing, lack of consent, personal data leakage, violation of data subjects’ rights).
What is important: Regulators take into account the volume, duration and systematic nature of the violations, as well as the company’s cooperation in the investigation process. Fines can even be applied to companies outside the EU if they process data of EU residents.
CCPA: Monetary sanctions with private right of action
Unlike GDPR, CCPA:
- has no percentage link to turnover;
- applies fixed amounts of fines:
| Type of Violation | Fine Amount |
|---|---|
| Unintentional | up to $2,500 |
| Intentional | up to $7,500 |
| Violation without remediation within 30 days after notification | classified as intentional |
The CCPA (as modified by the CPRA) also allows individuals to sue for data breaches resulting from inadequate security. This paves the way for class action lawsuits that can cost businesses millions of dollars even for a minor incident.
| Criterion | GDPR | CCPA |
|---|---|---|
| Maximum Fine | €20 million or 4% of global turnover | $2,500–$7,500 per violation, plus potential class action lawsuits |
| Minimum Threshold | None | Yes (revenue, number of consumers, share of revenue from data sales) |
| Private Right to Sue | ❌ (through the regulator) | ✅ (for data breaches resulting from inadequate security) |
| Consideration of Circumstances | ✅ (context, size, cooperation with the regulator) | ⚠️ (intent, and whether the violation is remediated within 30 days of notification) |
In any case, non-compliance costs businesses much more than implementing preventive measures.
Business Responsibilities in 2025: What You Need to Have to Comply with GDPR and CCPA
In today’s regulated digital environment, companies cannot limit themselves to a policy statement — regulators expect operational, technical, and legal mechanisms to confirm real compliance with GDPR and CCPA. This is especially true for businesses operating in multiple markets at the same time.
Below are the key elements of the Data Protection Framework that must be implemented in 2025.
1. Updated Privacy Policy
The company is required to publicly inform users about:
- what personal data is collected;
- for what purpose and on what legal basis it is processed;
- to whom the data is transferred (including to third parties outside the EU/USA);
- what rights the user has and how to exercise them;
- how the right to opt out of sales (in the case of CCPA) is exercised.
The policy should be clear, accessible and regularly updated whenever processing practices change.
2. Data Subject Request System
The company should provide a transparent and effective process for handling data subject requests, including:
- requests for access, deletion, correction and portability (GDPR);
- requests to prohibit the sale or disclosure of personal data (CCPA).
This should be not just a form on the website but a demonstrable process that records each request, tracks response deadlines and retains evidence of the response. Regulators often check this element during audits.
3. Data Mapping
To control data effectively, the company should maintain an internal data flow map showing:
- which categories of personal data are processed;
- where they are stored;
- who has access to them;
- how the security of transfers to third parties is ensured.
This document is the basis for risk assessment, DPIA execution, consent configuration and retention policies.
4. Contracts with processors and suppliers
GDPR requires Data Processing Agreements (DPAs) with all third-party contractors who process data on behalf of the company. CCPA is similar, but with additional requirements if the company transfers data to third parties as a “sale”.
Contracts should:
- define the scope and purposes of processing;
- contain obligations regarding confidentiality, security and subprocessors;
- provide for an audit or verification of compliance with the terms.
5. Transparent mechanism for opting out of data sales (for CCPA)
A company subject to CCPA must implement the “Do Not Sell My Personal Information” functionality:
- a separate button/form on the website;
- integration with the Consent Management Platform;
- an internal log to track requests and the company’s actions.
6. Data Governance Policies
In addition to the privacy policy, a business should have:
- Retention Policy — terms and rules for storing personal data;
- Access Policy — control of access to data within the organization;
- Incident Response Policy — procedures for action in the event of a leak or violation;
- Privacy by Design — principles of built-in privacy when developing new products.
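The request-handling and opt-out logging elements above, as an added example written for this article (not a Riskora.Consulting tool): a ledger that registers each GDPR/CCPA request, stamps a response deadline and keeps an evidence trail. The request types come from the rights listed earlier; the response windows (30 days standing in for GDPR's one month, 45 days for CCPA) are configurable assumptions, and the `RequestLedger` API is invented for the illustration.

```python
# Added example, not code from the article or from Riskora.Consulting: a request ledger
# that records each GDPR/CCPA request, stamps a deadline and keeps an evidence trail.
# Response windows are assumptions (defaults: GDPR one month as 30 days, CCPA 45 days).
from dataclasses import dataclass, field
from datetime import date, timedelta

# Request types each regime grants, as listed in the article
REQUEST_TYPES = {
    "GDPR": {"access", "rectification", "erasure", "restriction", "portability", "objection"},
    "CCPA": {"know", "erasure", "opt_out_sale", "rectification"},
}
DEFAULT_DAYS = {"GDPR": 30, "CCPA": 45}   # assumed default response windows (see above)

@dataclass
class Request:
    request_id: str
    regime: str
    kind: str
    received: str                  # ISO dates throughout, e.g. "2025-03-01"
    deadline: str
    events: list = field(default_factory=list)   # evidence trail: (date, action)
    closed: str = None

class RequestLedger:
    """Records requests, deadlines and evidence of response: the artefact an audit asks for."""
    def __init__(self):
        self.requests = {}

    def record(self, request_id, regime, kind, received, days=None):
        """Register a request; refuses kinds the regime does not grant."""
        if kind not in REQUEST_TYPES[regime]:
            raise ValueError(f"{regime} grants no '{kind}' right")
        due = date.fromisoformat(received) + timedelta(days=days or DEFAULT_DAYS[regime])
        r = Request(request_id, regime, kind, received, due.isoformat())
        r.events.append((received, "received"))
        self.requests[request_id] = r
        return r

    def log_action(self, request_id, when, action):
        """Append evidence of a processing step: identity check, deletion run, export sent."""
        self.requests[request_id].events.append((when, action))

    def close(self, request_id, when):
        """Mark the response as sent; True if it went out inside the window."""
        r = self.requests[request_id]
        r.events.append((when, "response sent"))
        r.closed = when
        return date.fromisoformat(when) <= date.fromisoformat(r.deadline)

    def overdue(self, today):
        """IDs of open requests past their deadline, the first thing a regulator checks."""
        now = date.fromisoformat(today)
        return sorted(r.request_id for r in self.requests.values()
                      if r.closed is None and now > date.fromisoformat(r.deadline))
```

The `events` list on each request is the evidence an auditor wants: who verified identity, when the deletion ran, and when the reply went out, not just that a form existed.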
Practical advice: audit before fines
In 2025, it is important not only to formally “close the checklist”, but to actually implement operational solutions that reduce risks:
- automation of user requests (via DSR platforms);
- validation of consent via a cookie banner backed by a consent registry;
- regular Compliance Health Check with a review of policies, processes and contracts.
Ready to start the path to compliance? Riskora.Consulting helps SaaS, fintech and adtech companies implement comprehensive Data Protection Frameworks under GDPR, CCPA and other regulations.
Write to us if you need a Compliance Health Check or implementation support — we will help you save time, avoid fines, and increase customer trust.