Why These Two Laws Matter

If your website has visitors from Europe or California — and most websites do — then GDPR and CCPA are two laws you need to understand. They're both about protecting people's personal data, but they work differently and have different requirements for website owners.

The good news is that if you comply with both, you're covering the vast majority of your global audience.

What is GDPR?

GDPR stands for the General Data Protection Regulation. It took effect across the European Union in 2018 and applies to any website that collects data from people in the EU — regardless of where the website owner is based. So if someone in Germany visits your Indian or American website and fills in a form, GDPR applies to that interaction.

Under GDPR, you must have a clear legal reason for collecting data, get explicit consent before using cookies, allow users to access or delete their data on request, report data breaches within 72 hours, and keep your privacy policy updated and easy to find.

The penalties for GDPR violations can be severe — up to 4% of global annual revenue or €20 million, whichever is higher. For small websites, enforcement is less common, but it's still a real risk.

What is CCPA?

CCPA stands for the California Consumer Privacy Act. It came into effect in 2020 and applies to businesses that collect data from California residents. Unlike GDPR, CCPA only applies above certain thresholds — it mainly covers businesses that earn over $25 million annually, collect data on over 100,000 consumers, or earn more than half their revenue from selling personal data.

Under CCPA, California residents have the right to know what data you collect, the right to delete their data, and the right to opt out of having their data sold. You must also not discriminate against users who exercise these rights.

Key Differences at a Glance

Do Both Apply to Your Website?

For small websites and blogs, GDPR is the more pressing concern since it applies regardless of your business size. CCPA is less likely to affect small personal sites. However, it's good practice to include CCPA disclosures in your privacy policy anyway — it shows professionalism and protects you as you grow.

How to Comply With Both

The simplest approach is to write a privacy policy that addresses both laws, use a cookie consent banner, give users a way to contact you to request data deletion, and keep your policy updated when you add new tools or services. PolicyCraft's generator includes options for both GDPR and CCPA compliance — you can generate a policy covering both laws in under two minutes.