CCPA vs GDPR: What Website Owners Actually Need to Know

Two privacy laws dominate the conversation for website owners: the EU’s GDPR and California’s CCPA. Both aim to protect user data, but they take fundamentally different approaches — and the differences matter for how you run your website.

If you have visitors from both Europe and the United States, you may need to comply with both. However, meeting one doesn’t automatically mean you’re covered for the other. I’ve seen plenty of small business owners assume their GDPR compliance extends to CCPA, only to discover gaps that could lead to fines.

This guide breaks down both laws in plain English, highlights the key differences that affect your website, and shows you the simplest path to compliance with both.

What Is GDPR?

The General Data Protection Regulation (GDPR) is the European Union’s comprehensive data protection law, in effect since May 2018. It applies to any organization that processes personal data of EU residents — regardless of where the organization is based.

For website owners, GDPR means:

• Consent before tracking — You need explicit opt-in permission before setting analytics or marketing cookies
• Right to access and deletion — Users can request all data you hold about them, and ask you to delete it
• Data minimization — Only collect what you genuinely need
• Privacy by design — Build privacy into your systems from the start, not as an afterthought
• Breach notification — Report data breaches to authorities within 72 hours

GDPR defines “personal data” broadly. It includes IP addresses, cookie identifiers, device IDs, and even behavioral data — essentially anything that could identify a person, directly or indirectly. Consequently, most analytics tools fall under GDPR’s scope because they process at least some of this data.

As I explained in my GDPR compliance guide, the practical impact for most websites is straightforward: either get consent before tracking, or use tools that don’t collect personal data at all.

What Is CCPA?

The California Consumer Privacy Act (CCPA), strengthened by the California Privacy Rights Act (CPRA) in 2023, is California’s landmark privacy law. It gives California residents specific rights over their personal information.

CCPA applies if your business meets any one of these thresholds:

1. Annual gross revenue exceeding $25 million
2. Buys, sells, or shares personal information of 100,000+ California consumers or households
3. Derives 50% or more of annual revenue from selling or sharing personal information

For website owners, CCPA provides consumers with these rights:

• Right to know — What personal information you collect and why
• Right to delete — Request deletion of their personal information
• Right to opt out — Opt out of the sale or sharing of their data
• Right to non-discrimination — You can’t penalize users who exercise their rights
• Right to correct — Request correction of inaccurate personal information (added by CPRA)

A critical distinction: CCPA uses an opt-out model. You can collect and process data by default, as long as you provide a clear way for users to opt out. This is fundamentally different from GDPR’s opt-in requirement.

CCPA vs GDPR: Key Differences at a Glance

The differences between these two laws go deeper than most summaries suggest. Here’s a detailed comparison:

Aspect	GDPR (EU)	CCPA/CPRA (California)
Consent model	Opt-in (explicit consent required)	Opt-out (collect by default, allow opt-out)
Who it applies to	Any org processing EU residents’ data	Businesses meeting revenue/data thresholds
Personal data scope	Very broad (includes IP, cookies, device IDs)	Broad (includes household data, inferences)
Cookies/tracking	Consent banner required before tracking	“Do Not Sell/Share” link required
Legal basis for processing	6 legal bases (consent, contract, etc.)	No legal basis concept — focuses on rights
Data breach notification	72 hours to report to authority	Must notify consumers “expeditiously”
Right to deletion	Yes (“right to erasure”)	Yes (with broader exceptions)
Data portability	Yes (machine-readable format)	Yes (added by CPRA)
DPO requirement	Required in certain cases	Not required
Max penalties	EUR 20M or 4% global revenue	$7,500 per intentional violation
Private right of action	Yes (through national courts)	Limited (data breaches only)
Enforcement body	National Data Protection Authorities	California Privacy Protection Agency (CPPA)

The Consent Model: The Biggest Practical Difference

This is the difference that affects your website most directly.

GDPR requires opt-in consent. Before you can set any non-essential cookies or tracking scripts, you need the user to actively agree. This means a cookie consent banner that blocks tracking until the user clicks “Accept.” If they don’t consent, you can’t track them — period.

In practice, only about 31% of visitors accept cookie consent banners. As a result, GDPR-compliant websites using traditional analytics like Google Analytics only see data from roughly one-third of their European visitors.

CCPA uses an opt-out model. You can track visitors by default, but you must provide a clear “Do Not Sell or Share My Personal Information” link. Users who click it must be honored immediately. However, the majority of users never opt out, so your data collection is far less impacted.

This means the same website might handle tracking completely differently for EU and US visitors:

Scenario	EU Visitor (GDPR)	California Visitor (CCPA)
First visit	No tracking until consent given	Tracking starts immediately
Analytics data	Only from consenting ~31%	From all visitors (until opt-out)
Required UI element	Cookie consent banner	“Do Not Sell/Share” link in footer
Default state	Opted OUT	Opted IN

Who Actually Needs to Comply?

This is where many website owners get confused. Both laws have extraterritorial reach — they can apply to you even if you’re not based in the EU or California.

You Need GDPR Compliance If:

• You have any EU visitors and collect their data (even through analytics)
• You sell products or services to EU residents
• You monitor the behavior of people in the EU (including via website tracking)

There’s no revenue threshold. A one-person blog with Google Analytics that gets a few hundred EU visitors is technically subject to GDPR. In practice, enforcement focuses on larger violations, but the legal obligation exists for everyone.

You Need CCPA Compliance If:

• You do business in California AND meet one of the three thresholds (revenue, data volume, or data-derived income)
• You share personal information with third parties for cross-context behavioral advertising (even if you don’t technically “sell” it)

Importantly, the CPRA amendment expanded “selling” to include “sharing.” If your website sends visitor data to Google Analytics or Facebook — even without payment — that can qualify as “sharing” under CCPA. Therefore, more websites are covered than many owners realize.

How These Laws Affect Your Website Analytics

For most small business websites, the practical impact comes down to how you handle analytics and tracking.

If You Use Google Analytics

Google Analytics collects IP addresses, sets cookies, and sends data to Google’s servers — making it subject to both GDPR and CCPA:

• Under GDPR: You need explicit consent before Google Analytics loads. Without consent, you lose data on ~69% of EU visitors.
• Under CCPA: Sending data to Google may constitute “sharing” personal information. You need a “Do Not Sell/Share” link and must honor opt-out requests via Global Privacy Control (GPC).

Moreover, several European Data Protection Authorities (DPAs) have ruled that using Google Analytics violates GDPR entirely because data is transferred to the US. The noyb.eu complaints triggered enforcement actions across Europe. Austria, France, Italy, and Denmark have all issued decisions or guidance against Google Analytics.

If You Use Privacy-First Analytics

Privacy-first analytics tools that don’t use cookies, don’t collect IP addresses, and don’t share data with third parties largely sidestep both regulations:

• Under GDPR: No consent required because no personal data is processed
• Under CCPA: No “Do Not Sell/Share” link needed because no personal information is sold or shared

This is why I recommend privacy-first analytics for most small business websites. You get the metrics that actually matter — traffic sources, pageviews, top pages — without any compliance burden under either law.

Beyond GDPR and CCPA: Other Privacy Laws to Watch

The privacy landscape keeps expanding. Several US states have enacted their own privacy laws, and more are coming:

State	Law	Effective Date	Key Feature
Colorado	CPA	July 2023	Universal opt-out mechanism required
Connecticut	CTDPA	July 2023	Similar to CPA, consent for sensitive data
Virginia	VCDPA	January 2023	Opt-out for targeted ads and profiling
Utah	UCPA	December 2023	Business-friendly, higher thresholds
Texas	TDPSA	July 2024	No revenue threshold, broad scope
Oregon	OCPA	July 2024	Includes non-profit organizations
Montana	MCDPA	October 2024	Low threshold (50,000 consumers)

The trend is clear: more states are passing privacy laws, and they generally follow the CCPA’s opt-out model. Consequently, the patchwork is getting more complex — another reason why minimizing data collection is the simplest compliance strategy.

A Simple Compliance Checklist for Both Laws

If you want to comply with both GDPR and CCPA without hiring a team of lawyers, here’s a practical checklist:

For Both Laws:

1. Publish a clear privacy policy — Explain what data you collect, why, who you share it with, and how users can exercise their rights. GDPR requires this, and CCPA demands specific disclosures.
2. Provide a way to request data deletion — Both laws give users the right to have their data erased. Include a contact method in your privacy policy.
3. Minimize data collection — Only collect what you actually need. This is a GDPR principle and a practical way to reduce CCPA exposure.
4. Keep records — Document what data you collect, your legal basis (for GDPR), and how you handle requests.

For GDPR Specifically:

1. Implement cookie consent — Use a consent banner that blocks non-essential cookies until the user opts in
2. Enable data subject access requests — Have a process to respond within 30 days
3. Review data transfers — If you send data outside the EU (like to US-based tools), ensure adequate protections are in place

For CCPA Specifically:

1. Add a “Do Not Sell or Share” link — Place it in your website footer, clearly visible
2. Honor Global Privacy Control (GPC) — Browsers that send GPC signals must be treated as opt-out requests
3. Update your privacy policy — Include CCPA-specific disclosures: categories of data collected, purposes, categories of third parties

The Simplest Path: Comply with Both at Once

Here’s what I tell every small business owner who asks me about CCPA vs GDPR compliance:

The easiest way to comply with both laws is to stop collecting data that triggers them.

Specifically, this means:

1. Switch to cookie-free analytics — No cookies means no consent banner needed (GDPR) and no “sharing” of data (CCPA)
2. Remove unnecessary third-party scripts — Every Facebook Pixel, Google Ads tag, or social widget is a compliance liability under both laws
3. Keep only what you need — A simple analytics tool that shows you traffic sources, popular pages, and visitor counts covers 90% of what small businesses actually use

I’ve helped dozens of websites make this switch. In every case, the result was the same: simpler compliance, better data accuracy (because 100% of visitors are counted), and a cleaner user experience without popups and banners.

As I discussed in my analytics simplification guide, most small websites are overcomplicating their data collection. When you strip it back to what actually drives decisions, the privacy compliance question largely answers itself.

CCPA and GDPR are different laws with different mechanisms. However, the practical solution for most website owners is the same: collect less, track smarter, and respect your visitors’ privacy by default.