Both the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) aim to protect individuals’ privacy rights, but there are some key differences between the two. In this blog post, we’ll look at some of the important distinctions between the CCPA vs. the GDPR.  

Core Concepts

Only in the GDPR 

Only in the CCPA 

CCPA vs. GDPR Terminology 

In addition to differences in their core concepts, the CCPA and GDPR have variances in terminology. 

Consumer vs. Data Subject 

Under the CCPA, a consumer is a natural person who must be a California resident. According to the GDPR, a data subject is any identified or identifiable natural person, that is, a person who can be identified directly or indirectly.  In contrast to the CCPA’s residency requirements, a data subject under the GDPR does not necessarily need to be an EU citizen or resident. 

The GDPR applies outside of the EU when a company sells products or services to individuals inside the EU or when individuals are targeted or monitored. It covers “processing” of personal data, defined to include any operation performed on personal data, including collection. 

Personal Information vs. Personal Data 

The CCPA broadly defines personal information (PI) as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household. The GDPR defines personal data as any information relating to an identified or identifiable person, by reference to an identifier. In fact, an individual can be both a consumer and a data subject if an EU-established company processes personal data of California residents. 

Business vs. Controller/Processor 

The CCPA classifies the following as a business: 

The GDPR defines the controller the organization that determines the purposes and means of the processing.  The GDPR applies under the following circumstances: 

Right to Opt-Out vs. the Right to Object and the Right to Withdraw Consent

Under the CCPA, the Right to Opt-Out means: 

Under the GDPR, the Right to Object means: 

Under the GDPR, the Right to Withdraw Consent means that: 


Both the GDPR and the CCPA grant individuals rights that enable them to protect their privacy. Regardless of where you are in your privacy program, it’s never too late to start preparing for the CCPA. For more information on our CCPA Same Day Fast Track Implementation Program or to request a live OneTrust for CCPA software demo, visit or email [email protected].  


Check out our CCPA blog series: