Privacy · 8 min read · 6 May 2026

CCPA vs GDPR: Key Differences Every SaaS Founder Should Know

Both CCPA and GDPR protect personal data — but they work differently. Here's what each law requires, how they overlap, and which applies to your SaaS.

Two laws, one headache

If you're building a SaaS product with users in both the EU and California, you're potentially subject to both GDPR and CCPA. They're often mentioned in the same breath, but they're meaningfully different in scope, rights, and enforcement. Here's the practical breakdown.

Quick overview

  • GDPR (General Data Protection Regulation) — EU law, in force since May 2018. Applies to any organisation processing personal data of EU residents, regardless of where the organisation is based.
  • CCPA (California Consumer Privacy Act) — California state law, in force since January 2020, significantly strengthened by CPRA (2023). Applies to for-profit businesses that meet certain thresholds and handle California residents' personal information.

Who does each law apply to?

GDPR threshold

GDPR applies if you:

  • Are established in the EU/EEA, OR
  • Process personal data of EU residents in connection with offering goods/services to them, OR
  • Monitor the behaviour of EU residents (e.g., behavioural advertising)

There is no revenue or data volume threshold. If you have one EU user and you're processing their data, GDPR applies.

CCPA/CPRA threshold

CCPA applies to for-profit businesses that do business in California AND meet at least one of:

  • Annual gross revenue > $25 million
  • Buy, sell, receive, or share for commercial purposes the personal information of 100,000+ California consumers or households per year
  • Derive 50%+ of annual revenue from selling or sharing consumers' personal information

Implication: Most early-stage SaaS companies are below the CCPA threshold. GDPR, however, applies from day one if you have EU users.

Legal basis for processing: a key difference

This is where the two laws diverge most sharply:

  • GDPR requires a legal basis for every processing activity (consent, contract, legal obligation, vital interests, public task, legitimate interests). You must identify and document the basis before you process.
  • CCPA does not require a legal basis for processing. Instead, it gives consumers opt-out rights (for sale/sharing) and opt-in rights (for sensitive data and minors). You can generally process first, with disclosure obligations.

Consumer/data subject rights

GDPR rights

  • Right to access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making and profiling

CCPA/CPRA rights

  • Right to know (what data is collected, used, disclosed)
  • Right to delete
  • Right to opt-out of sale or sharing
  • Right to correct
  • Right to limit use of sensitive personal information
  • Right to non-discrimination for exercising rights

Both laws have overlapping rights (access, deletion and, to a lesser degree, portability), so building a unified request-handling process makes sense.

What counts as "personal data" vs "personal information"?

  • GDPR defines "personal data" broadly: any information relating to an identified or identifiable natural person. IP addresses, cookie IDs, and device identifiers are personal data.
  • CCPA defines "personal information" similarly broadly but adds specific categories like commercial information (purchase history), biometric data, and inferences drawn to create a consumer profile.

For practical purposes, treat both identically: if it can be linked to a real person, it's covered.

Enforcement and penalties

  • GDPR: Up to €20M or 4% of global annual turnover (whichever is higher) for the most serious violations. DPAs (like the Irish DPC, CNIL, or BfDI) can investigate and fine. Private litigation is possible in some jurisdictions.
  • CCPA: No private right of action for most violations. The California Attorney General can impose civil penalties of $2,500 per unintentional violation or $7,500 per intentional violation. For data breaches, consumers can bring private lawsuits seeking $100–$750 per consumer per incident.

GDPR fines are far larger in practice. The biggest fines to date have hit Meta ($1.3B), Amazon ($780M), and WhatsApp ($267M).

Privacy policy requirements

Both laws require a privacy policy/notice, but with different specifics:

  • GDPR: Articles 13/14 prescribe exact information to include (controller identity, legal bases, retention periods, data subject rights, DPA contact, etc.)
  • CCPA: Requires disclosure of the categories of personal information collected, the purposes of collection, the categories of third parties with which data is shared, and consumer rights. Must include a "Do Not Sell or Share My Personal Information" link if you sell/share data.

A well-structured GDPR privacy policy will satisfy most CCPA disclosure requirements — but you'll want a CCPA-specific section covering California rights and the sale/sharing opt-out if applicable.

Data transfers

GDPR restricts transfers of personal data outside the EU/EEA to countries without an "adequacy decision" — you need Standard Contractual Clauses (SCCs), Binding Corporate Rules, or another approved mechanism. CCPA has no equivalent cross-border transfer restriction.

What should you do?

  1. Determine applicability — GDPR almost certainly applies if you have EU users. Check the CCPA thresholds for your revenue and data volumes.
  2. Write a compliant privacy policy — Cover both GDPR Art. 13/14 requirements and CCPA disclosures in a single document.
  3. Implement data subject/consumer rights workflows — A shared inbox for access/deletion requests works for most early-stage companies.
  4. If you sell or share personal information under CCPA — Add the "Do Not Sell or Share" opt-out mechanism.
  5. For cross-border transfers out of the EU — Implement SCCs with your US service providers.

Generate a GDPR and CCPA-aware Privacy Policy

ComplyKit's Privacy Policy generator covers both GDPR and CCPA requirements in a single document. Customise it for your SaaS stack, select your data categories, and download in minutes.


Free, no signup required. Generated in under 5 minutes.
