Foundations
GDPR vs CPRA overview
While both GDPR and CPRA protect personal data and give individuals more control over their information, they differ in scope, terminology, and obligations. Understanding these differences helps teams design systems that can support both frameworks without confusion.
Geographic Scope
GDPR: Applies to any company processing personal data of people in the European Union, regardless of where the company is located.
CPRA: Applies to businesses operating in California or handling data of California residents, even if the business is outside the state.
Applicability Thresholds
GDPR: No size threshold—applies to all organizations processing EU personal data.
CPRA: Applies to businesses that meet certain criteria, such as $25M+ in annual revenue, 100,000+ consumers’ data, or deriving 50%+ of revenue from selling or sharing data.
Key Rights
GDPR: Access, rectification, erasure, portability, restriction, objection, and rights around automated decision-making.
CPRA: Right to know, delete, correct, opt-out of selling/sharing, and limit use of sensitive personal information.
Enforcement and Penalties
GDPR: Fines up to €20M or 4% of global annual turnover, whichever is higher.
CPRA: Fines up to $2,500 per violation or $7,500 per intentional violation, enforced by the California Privacy Protection Agency (CPPA).
Example: Tracking Users for Marketing
Under GDPR, companies must obtain opt-in consent before tracking users with cookies or profiling.
Under CPRA, companies must provide a “Do Not Sell or Share My Personal Information” link so users can opt-out of targeted advertising.
Quick Comparison Checklist
Confirm if your company handles EU or California resident data
Determine if CPRA thresholds apply to your business
Implement opt-in consent for GDPR and opt-out options for CPRA
Update privacy policies to address both sets of rights
Track penalties to understand enforcement risk levels
| Category | GDPR | CPRA |
|---|---|---|
| Region | European Union (and companies processing EU resident data worldwide) | California residents (applies even if the business is outside CA) |
| Applicability | Any organization processing personal data | Businesses with $25M+ revenue, 100k+ consumers' data, or 50%+ revenue from selling/sharing data |
| Legal Basis | Six lawful bases required for processing (consent, contract, legal obligation, etc.) | No explicit lawful bases; focus on consumer rights and opt-out/opt-in requirements |
| Individual Rights | Access, rectification, erasure, portability, restriction, objection, automated decision-making protections | Know, delete, correct, opt-out of selling/sharing, limit sensitive data use |
| Consent Standard | Opt-in required (explicit, informed, freely given) | Opt-out for selling/sharing data; opt-in for minors under 16 |
| Sensitive Data | Special categories (health, race, biometrics, etc.) need explicit consent | Sensitive PI includes SSN, geolocation, health, biometrics, financial data; consumers can limit use |
| Enforcement | Supervisory Authorities in each EU member state | California Privacy Protection Agency (CPPA) and Attorney General |
| Penalties | Up to €20M or 4% of global annual turnover | $2,500 per violation, $7,500 if intentional or involving minors |
Conclusion
GDPR and CPRA share a commitment to data protection but differ in how they apply and enforce compliance. By recognizing where the laws overlap and where they diverge, companies can design a single compliance program that addresses both, reducing complexity while ensuring legal coverage across regions.