Artifact GuideEU

EU GDPR vs California CCPA

Use this page as a GDPR-first comparison and source boundary check: the GDPR side is grounded in the available EU GDPR source folder, while California CCPA/CPRA detail is intentionally limited to the California references present in that folder.

The comparison helps privacy, legal, product, security, vendor, and support teams avoid reusing GDPR artifacts as CCPA evidence unless a separate California source supports the same claim.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
3

Structured answer sets in this page tree.

Primary sources
8

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

This artifact compares GDPR implementation facts with the limited California privacy-law context available in the GDPR grounding folder. It does not state CCPA thresholds, consumer-right deadlines, cure rules, penalties, or CPRA-specific duties because those facts are not grounded in this folder.

Side-by-side comparison

EU GDPR vs California CCPA: what this source set can and cannot prove

Use the left column for grounded GDPR implementation facts. Use the right column only as a source-limit warning unless separate California CCPA/CPRA sources are added.

Review all sources
First framework
EU GDPR

Grounded in the GDPR text and EU GDPR guidance available in the source folder.

Second framework
California CCPA/CPRA

Grounded in California CPPA regulations and FAQs available in the California source folder, covering notice, opt-out, limit, access, verification, service-provider, and enforcement rules.

Comparison row 1

Scope boundary

EU GDPR

GDPR applies to processing in the context of an EU establishment and can also apply to non-EU controllers or processors that offer goods or services to people in the Union or monitor their behaviour in the Union.

Regulation (EU) 2016/679 (GDPR)Sources 1
California CCPA/CPRA

The CCPA applies to qualifying for-profit businesses that do business in California and meet statutory thresholds, and it also imposes separate obligations on service providers, contractors, and third parties.

Frequently Asked Questions (FAQs)Sources 1
Operational implication

Run GDPR Article 3 first for EU processing facts, then run a separate California-source check for CCPA applicability and thresholds instead of copying the GDPR scope answer.

Regulation (EU) 2016/679 (GDPR)Sources 1
Comparison row 2

Covered actors

EU GDPR

GDPR assigns duties to controllers, processors, joint controllers, representatives where applicable, and DPOs where required; processor processing must follow controller instructions unless Union or Member State law requires otherwise.

Regulation (EU) 2016/679 (GDPR)Sources 1
California CCPA/CPRA

CCPA rules distinguish businesses, service providers, contractors, third parties, and certain other covered entities, each with different obligations.

Frequently Asked Questions (FAQs)Sources 1
Operational implication

Do not map GDPR controller or processor labels directly to California role labels without California authority.

Regulation (EU) 2016/679 (GDPR)Sources 1
Comparison row 3

Trigger

EU GDPR

GDPR processing needs an Article 6 legal basis such as consent, contract, legal obligation, vital interests, public task, or legitimate interests; consent must be demonstrable and withdrawable.

Data Protection Commission guidance on legal bases for processing personal dataSources 1
California CCPA/CPRA

CCPA focuses on purpose limitation, reasonable expectations, notice, and consumer choice rights such as opt-out of sale/sharing and limit of sensitive personal information, rather than a GDPR-style Article 6 lawful-basis test.

California Consumer Privacy Act Regulations (March 2023)Sources 1
Operational implication

Keep GDPR lawful-basis analysis separate from California choice or opt-out analysis until California sources are added.

Data Protection Commission guidance on legal bases for processing personal dataSources 1
Comparison row 4

Core obligations

EU GDPR

GDPR Articles 12 to 22 cover transparent communications and rights such as access, rectification, erasure, restriction, portability, objection, and safeguards for certain automated decisions; responses are due without undue delay and within one month, with a limited extension path.

Regulation (EU) 2016/679 (GDPR)Sources 1
California CCPA/CPRA

CCPA gives consumers rights to know, delete, correct, opt out of sale or sharing, limit use of sensitive personal information, and obtain equal treatment, and businesses generally must confirm within 10 business days and respond within 45 days, with a possible 45-day extension.

Frequently Asked Questions (FAQs)Sources 1
Operational implication

A shared request portal may be practical, but the queue must preserve the source, right type, response clock, and exception logic for each regime.

Regulation (EU) 2016/679 (GDPR)Sources 1
Comparison row 5

Evidence record

EU GDPR

GDPR Article 30 records identify the controller or processor, purposes, data-subject and personal-data categories, recipient categories, third-country transfers, erasure time limits where possible, and security measures where possible.

Data Protection Commission guidance on Records of Processing Activities under Article 30 GDPRSources 1
California CCPA/CPRA

CCPA records and privacy disclosures can include categories of personal information, categories of sources, categories of third parties, sale/share disclosures, request metrics, and response logs, plus California-specific notices and request-processing records.

California Consumer Privacy Act Regulations (March 2023)Sources 1
Operational implication

Reuse inventories only after each field is tagged as GDPR evidence, California evidence, or shared operational context.

Data Protection Commission guidance on Records of Processing Activities under Article 30 GDPRSources 1
Comparison row 6

Timing and deadlines

EU GDPR

GDPR Article 32 requires risk-appropriate technical and organisational security measures. Article 33 requires supervisory-authority notification for notifiable personal data breaches without undue delay and, where feasible, not later than 72 hours after awareness.

EDPB notify a data breach pageSources 1
California CCPA/CPRA

CCPA request timing is more specific to the right being exercised: delete, correct, know, and ADMT appeals generally get a 10-business-day acknowledgement and a 45-day response period; opt-out of sale/sharing and limit requests generally must be handled within 15 business days.

California Consumer Privacy Act Regulations (March 2023)Sources 1
Operational implication

Calendar the GDPR breach clock separately and do not use it as a California deadline.

Regulation (EU) 2016/679 (GDPR)Sources 1
Comparison row 7

Enforcement

EU GDPR

GDPR supervisory authorities have corrective powers, and Article 83 sets administrative fine factors and upper tiers up to EUR 20,000,000 or 4% of total worldwide annual turnover for specified infringements.

Regulation (EU) 2016/679 (GDPR)Sources 1
California CCPA/CPRA

The California Privacy Protection Agency can investigate, audit, and enforce the CCPA, and California law also includes civil penalties and other remedies for certain violations.

Frequently Asked Questions (FAQs)Sources 1
Operational implication

Do not combine GDPR administrative-fine tiers with California penalty statements in one unsourced risk score.

Regulation (EU) 2016/679 (GDPR)Sources 1
Comparison row 8

Overlap and reuse

EU GDPR

GDPR requires a DPIA before processing likely to result in high risk, including systematic extensive automated evaluation with legal or similarly significant effects, large-scale special-category or criminal-offence data processing, and large-scale systematic monitoring of publicly accessible areas.

Regulation (EU) 2016/679 (GDPR)Sources 1
California CCPA/CPRA

CCPA also has risk-assessment and cybersecurity-audit requirements for certain businesses, and a GDPR DPIA can be reused only if the California-specific required information is added and the California scope is documented.

California Consumer Privacy Act Regulations (March 2023)Sources 1
Operational implication

A GDPR DPIA may contain facts useful to another review, but it should not be labeled as California compliance evidence without California authority.

Regulation (EU) 2016/679 (GDPR)Sources 1
Comparison row 9

Practical decision rule

EU GDPR

GDPR Chapter V governs transfers of personal data to third countries or international organisations, including adequacy decisions, appropriate safeguards such as SCCs, binding corporate rules, and derogations for specific situations.

European Commission Standard Contractual Clauses pageSources 1
California CCPA/CPRA

If a team is choosing where to start, use GDPR first for EU data flows and California CCPA/CPRA first when the business activity turns on California consumer rights, CCPA notices, opt-out handling, or California-specific request timing.

Frequently Asked Questions (FAQs)Sources 1
Operational implication

Keep SCCs, transfer impact assessments, and adequacy references in the GDPR evidence set unless a California source says they answer a California requirement.

Regulation (EU) 2016/679 (GDPR)Sources 1
Practical decision rule

How should teams use this comparison?

  • Start with GDPR when the question is about EU establishment, lawful basis, rights handling, breach notification, or transfer safeguards.
  • Start with California CCPA/CPRA when the question is about California consumer rights, CCPA notices, opt-out or limit links, request deadlines, or California audit and risk-assessment rules.
  • Label shared artifacts by source: GDPR evidence, California evidence, or operational context.
  • Escalate any row marked source-limited before using it in customer, regulator, audit, or board materials.
Regulation (EU) 2016/679 (GDPR)Sources 1European Commission report on the EU-US Data Privacy Framework first periodic reviewSources 2
Section 1

Use GDPR as the grounded side of the comparison

The GDPR source text supports concrete implementation questions: whether personal data is processed, whether the controller or processor is established in the Union or targets or monitors people in the Union, which lawful basis applies, which rights and notices are required, and which records or safeguards must exist.

For the California side, the available GDPR grounding folder supports only a narrow comparator fact: a European Commission report says California was one of eight U.S. states with comprehensive privacy laws in application as of July 2024. Detailed CCPA/CPRA duties need a separate California source before they are used in an evidence pack.

  • Separate GDPR scope from California scope before assigning a shared privacy control.
  • Treat RoPA entries, lawful-basis analysis, DPIAs, SCC files, and breach records as GDPR evidence unless a California source is attached to the same record.
  • Do not infer California request deadlines, opt-out duties, sensitive-data rules, contract terms, or enforcement amounts from GDPR sources.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Grounds GDPR scope, definitions, principles, rights, controller and processor duties, transfers, supervisory authorities, remedies, and administrative fines.
European Commission report on the EU-US Data Privacy Framework first periodic review
Grounds only the limited comparator fact that California was listed among U.S. states with comprehensive privacy laws in application as of July 2024.
Section 2

Evidence that can be reused only after relabeling

A data inventory can support both a GDPR assessment and a California assessment, but the labels matter. Under GDPR, records of processing activities identify controllers, processors, purposes, categories of data subjects and personal data, recipients, transfers, erasure time limits, and security measures where applicable.

A shared rights-request queue can also be useful, but GDPR response handling should remain tied to GDPR Articles 12 to 22 and the one-month response rule. California request timing and exceptions are not grounded in this folder.

  • Mark each evidence item with the legal source it supports.
  • Keep a GDPR lawful-basis field separate from any California notice, sale, sharing, or opt-out field until California sources are attached.
  • Retain rejected comparisons, such as a decision that a GDPR DPIA is not evidence of a CCPA/CPRA risk assessment without a separate California citation.
Sources for this answer
Data Protection Commission guidance on Records of Processing Activities under Article 30 GDPR
Supports the GDPR record fields and the use of RoPA to demonstrate accountability.
Regulation (EU) 2016/679 (GDPR)
Supports the GDPR one-month response rule for data-subject rights requests and the rights framework in Articles 12 to 22.
Section 3

GDPR facts that should not be converted into CCPA facts

GDPR requires a lawful basis for personal-data processing, supports special-category processing only under Article 9 conditions, requires risk-appropriate security measures, and uses a 72-hour supervisory-authority notification clock for notifiable personal data breaches.

Those are GDPR facts. They may be operationally useful when building a privacy program, but they do not prove a California CCPA/CPRA duty unless the California side is separately sourced.

  • Do not call GDPR consent a California opt-out mechanism without a California source.
  • Do not use the GDPR 72-hour breach clock as a California breach deadline.
  • Do not use GDPR administrative-fine caps as California penalty figures.
  • Do not treat SCCs or EU adequacy decisions as California transfer mechanisms.
Sources for this answer
Data Protection Commission guidance on legal bases for processing personal data
Supports the GDPR requirement to identify a legal basis for processing personal data.
EDPB notify a data breach page
Supports GDPR breach-notification routing and the Article 33 risk-based notification condition.
European Commission Standard Contractual Clauses page
Supports the GDPR international-transfer safeguard context for SCCs.
Recommended next step

Build a comparison with source-labeled evidence

Sorena can help turn this GDPR-first comparison into source-labeled scope findings, evidence requests, and gaps for a separate CCPA/CPRA review.

Research workflow
Open Research Copilot for GDPR

Ask source-linked questions about GDPR scope, lawful basis, rights, RoPA, breach notification, DPIAs, SCCs, and comparison gaps.

Explore next step
Talk to Sorena
Talk through implementation

Review which GDPR evidence can be reused and which California facts need separate source support.

Explore next step
Primary sources

References and citations

EDPB notify a data breach page
edpb.europa.eu
Referenced sections
  • Supports the Article 33 notification condition and DPA routing context.
"unlikely to present any risk"
Frequently Asked Questions (FAQs)
cppa.ca.gov
Referenced sections
  • Explains California rights, business responsibilities, and how to exercise them.
"Businesses must generally designate at least two methods"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.