Compliance

CCPA vs GDPR: Key Differences in Cookie Consent Requirements

GetCookies Team · January 25, 2026 · 7 min read
Tags: CCPA, GDPR, Privacy Law, Compliance, US Privacy

Two Approaches to Privacy

The EU's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), are the two most influential privacy laws affecting websites globally. Both regulate cookies and tracking technologies, but they take fundamentally different approaches.

Understanding these differences is critical for businesses that serve customers in both jurisdictions, which includes most businesses with an online presence.

Consent Model: Opt-In vs Opt-Out

This is the most significant practical difference between the two laws:

  • GDPR: Opt-in consent required. Non-essential cookies cannot be placed on (or read from) a user's device until the user explicitly agrees. The cookie rule itself comes from the EU ePrivacy Directive; the GDPR supplies the standard that consent must meet (freely given, specific, informed, unambiguous). The default state is "no cookies." This requires a consent banner that blocks tracking until the user accepts, and EU regulators expect refusing to be as easy as accepting.
  • CCPA: Opt-out model. Businesses can set cookies by default but must give consumers the right to opt out of the "sale" or "sharing" of their personal information. This means providing a "Do Not Sell or Share My Personal Information" link and honoring the Global Privacy Control (GPC) signal, which must be treated as a valid opt-out request even though the user never clicked anything on your site.

In practice, this means a GDPR-compliant site fires zero tracking cookies until consent is given, while a CCPA-compliant site may fire cookies immediately but must stop selling or sharing as soon as a user opts out, whether the opt-out arrives as a click on the link or as a GPC signal from the browser.

Scope: Who Is Protected?

  • GDPR applies to anyone in the EU/EEA, regardless of citizenship. It also applies extraterritorially: if your website targets or monitors individuals in the EU, you must comply, regardless of where your business is located.
  • CCPA applies to California residents. Your business must comply if it meets any one of these thresholds: annual gross revenue over $25 million (a base figure the CPRA requires to be adjusted for inflation), buying/selling/sharing the personal information of 100,000 or more consumers or households, or deriving 50% or more of annual revenue from selling or sharing personal information.

Definition of Personal Data

  • GDPR defines personal data broadly: any information relating to an identified or identifiable natural person. Cookie IDs, IP addresses, and device fingerprints are all personal data.
  • CCPA uses the term "personal information" with a similarly broad definition, but extends it to households and devices. Notably, the CCPA explicitly includes online identifiers, browsing history, and inferences drawn from other personal information.

User Rights Comparison

Both laws grant consumers significant rights, but they differ in specifics:

  • Right to know/access — Both laws grant this. GDPR calls it the "right of access"; CCPA calls it the "right to know."
  • Right to delete — Both laws include this right, with similar exceptions.
  • Right to opt out — CCPA specifically grants the right to opt out of the sale/sharing of personal information. GDPR achieves similar goals through the right to withdraw consent and the right to object to processing.
  • Right to correct — GDPR has always included a right to rectification; the CCPA gained a right to correct inaccurate personal information with the CPRA amendment.
  • Right to data portability — GDPR explicitly includes this. CCPA provides a version of this through the right to access in a portable format.
  • Right to limit use of sensitive data — CPRA introduced this right under the CCPA. GDPR instead defines "special categories" of data, which may be processed only with explicit consent or under one of the other narrow exceptions in Article 9.

Enforcement and Penalties

  • GDPR: Enforced by Data Protection Authorities in each EU member state. Maximum fines are EUR 20 million or 4% of global annual turnover, whichever is higher. Fines exceeding EUR 1 billion have been issued.
  • CCPA: Enforced by the California Attorney General and the California Privacy Protection Agency (CPPA). Fines of up to $2,500 per unintentional violation and $7,500 per intentional violation (statutory base amounts; the CPRA requires the CPPA to adjust them periodically for inflation). Consumers also have a private right of action for certain data breaches, but not for cookie or opt-out violations as such.

Practical Implementation for Websites

If your website serves both EU and California audiences, the best practice is to implement a consent management platform that:

  1. Detects user location automatically (typically via GeoIP) and applies the appropriate regulation. GeoIP is unreliable behind VPNs, corporate proxies and mobile carrier NAT, so treat an unknown or low-confidence location as the stricter opt-in case rather than defaulting to opt-out.
  2. Shows a GDPR-compliant opt-in banner to EU/EEA visitors with granular cookie controls.
  3. Shows a CCPA-compliant experience to California visitors with a "Do Not Sell or Share" link and GPC signal support.
  4. Applies appropriate defaults for visitors from other jurisdictions (e.g., LGPD for Brazil, POPIA for South Africa, PIPEDA for Canada).
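The following is an added example of how the four steps above fit together on the client side; it is illustrative code written for this article, not the GetCookies product or any CMP's API. It assumes the server has already resolved the visitor's region from GeoIP and injected it as `data-region` on the `<html>` element, that prior choices are stored under a `consent` key in `localStorage`, and that non-essential tags are shipped as `<script type="text/plain" data-consent="analytics|advertising">` so the browser does not execute them until the gate activates them. The mapping of "advertising" to CCPA "sharing" and of first-party "analytics" to "not a sale" is an assumption you must confirm for your own tag setup. Regions not in either list fall back to opt-in, per the GeoIP caveat in step 1.

```javascript
// Region-aware consent gate (illustrative; not GetCookies code).
// Pure decision logic first, so it can be unit-tested outside a browser.

// Region codes are assumptions: the server is expected to emit them from GeoIP.
const OPT_IN_REGIONS = new Set(["EU", "EEA"]);   // GDPR/ePrivacy: nothing non-essential before consent
const OPT_OUT_REGIONS = new Set(["US-CA"]);       // CCPA/CPRA: default on, must honour opt-out and GPC

// Assumed mapping from tag category to the legal concept it triggers.
const CATEGORIES = {
  analytics: { isSaleOrShare: false },  // first-party measurement, assumed not a "sale/share"
  advertising: { isSaleOrShare: true }, // cross-context behavioural advertising, i.e. "sharing"
};

// GPC is exposed to scripts as navigator.globalPrivacyControl (boolean) and to
// servers as the request header "Sec-GPC: 1". Anything other than `true` is "no signal".
function readGpcSignal(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// consent: { granted: ["analytics", ...] } for opt-in regions,
//          { optedOut: true } once a Californian clicks "Do Not Sell or Share".
function decideTracking({ region, consent, gpc }) {
  let mode;
  if (OPT_IN_REGIONS.has(region)) mode = "opt-in";
  else if (OPT_OUT_REGIONS.has(region)) mode = "opt-out";
  else mode = "opt-in"; // unknown or untrusted geolocation: choose the stricter model

  const allowed = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    if (mode === "opt-in") {
      // Default deny; only an explicit, stored grant for this category unlocks it.
      allowed[name] = Array.isArray(consent?.granted) && consent.granted.includes(name);
    } else {
      // Default allow; a GPC signal or a recorded opt-out stops every sale/share category.
      const optedOut = gpc || consent?.optedOut === true;
      allowed[name] = meta.isSaleOrShare ? !optedOut : true;
    }
  }
  return { mode, allowed };
}

// Turn each blocked <script type="text/plain" data-consent="..."> whose category is
// allowed into a live script. Returns how many tags were activated.
function activateTags(doc, allowed) {
  let count = 0;
  for (const tag of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!allowed[tag.dataset.consent]) continue;
    const live = doc.createElement("script");
    if (tag.src) live.src = tag.src;
    else live.textContent = tag.textContent;
    tag.replaceWith(live);
    count += 1;
  }
  return count;
}

// Record a click on the "Do Not Sell or Share My Personal Information" link.
function recordOptOut(storage) {
  const consent = { optedOut: true, at: new Date().toISOString() };
  storage.setItem("consent", JSON.stringify(consent)); // "consent" key is an assumption
  return consent;
}

// Browser bootstrap; skipped when there is no DOM (e.g. under Node).
if (typeof document !== "undefined") {
  const region = document.documentElement.dataset.region;            // assumed injected from GeoIP
  const consent = JSON.parse(localStorage.getItem("consent") || "null");
  const { allowed } = decideTracking({ region, consent, gpc: readGpcSignal(navigator) });
  activateTags(document, allowed);
}
```

Two practical notes. First, the GPC signal also reaches your servers as `Sec-GPC: 1`, so any server-side forwarding of visitor data (server-side tag managers, conversion APIs) needs the same check; a client-only gate leaves that path open. Second, re-run the decision whenever consent changes (a banner choice, an opt-out click), not only on page load, and never re-enable a tag that GPC has switched off just because a stored record predates the signal.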

GetCookies handles multi-jurisdictional compliance automatically. It detects each visitor's location, applies the correct regulatory framework, and adjusts the consent interface accordingly — so you comply everywhere without maintaining separate configurations for each region.

Frequently Asked Questions

Does the CCPA require cookie consent banners?
Not in the same way as GDPR. The CCPA uses an opt-out model: you can set cookies by default but must provide a clear "Do Not Sell or Share My Personal Information" link. Under GDPR, you must obtain opt-in consent before setting non-essential cookies. Many businesses display a consent banner that addresses both regulations simultaneously.
Do I need to comply with both CCPA and GDPR?
If your website targets or monitors people in the EU/EEA and your business meets the CCPA thresholds for California residents, yes. Mere accessibility from those places is not by itself the test, but most businesses with an international audience will fall under both. The simplest approach is to implement the stricter standard (GDPR opt-in consent) for EU users and the CCPA opt-out mechanism, including GPC support, for California users. A good CMP detects user location and applies the correct regulation automatically.
What fines can I face under CCPA for cookie violations?
The CCPA allows fines of up to $7,500 per intentional violation ($2,500 per unintentional one), with the amounts adjusted periodically for inflation. The California Privacy Rights Act (CPRA), which amended the CCPA, established the California Privacy Protection Agency (CPPA) with dedicated enforcement powers. In addition, consumers can bring private lawsuits for data breaches involving certain personal information, with statutory damages of $100 to $750 per consumer per incident; that private right of action does not extend to cookie or opt-out violations.

GetCookies Team

Contributing writer at GetCookies, specializing in privacy compliance, consent management, and digital marketing optimization.

Ready to Simplify Cookie Consent?

GetCookies makes GDPR, CCPA, and global privacy compliance effortless. Get started today.