Contents
- 1 What Is GDPR?
- 2 What Is CCPA?
- 3 CCPA vs GDPR: Key Differences at a Glance
- 4 The Consent Model: The Biggest Practical Difference
- 5 Who Actually Needs to Comply?
- 6 How These Laws Affect Your Website Analytics
- 7 Beyond GDPR and CCPA: Other Privacy Laws to Watch
- 8 A Simple Compliance Checklist for Both Laws
- 9 The Simplest Path: Comply with Both at Once
Two privacy laws dominate the conversation for website owners: the EU’s GDPR and California’s CCPA. Both aim to protect user data, but they take fundamentally different approaches — and the differences matter for how you run your website.
If you have visitors from both Europe and the United States, you may need to comply with both. However, meeting one doesn’t automatically mean you’re covered for the other. I’ve seen plenty of small business owners assume their GDPR compliance extends to CCPA, only to discover gaps that could lead to fines.
This guide breaks down both laws in plain English, highlights the key differences that affect your website, and shows you the simplest path to compliance with both.
What Is GDPR?
The General Data Protection Regulation (GDPR) is the European Union’s comprehensive data protection law, in effect since 25 May 2018. It applies to any organization that processes the personal data of people in the EU, regardless of where the organization is based.

For website owners, GDPR means:
- Consent before tracking — You need explicit opt-in consent before setting analytics or marketing cookies (strictly, this rule comes from the ePrivacy Directive, which borrows GDPR’s definition of consent)
- Right to access and deletion — Users can request all data you hold about them, and ask you to delete it
- Data minimization — Only collect what you genuinely need
- Privacy by design — Build privacy into your systems from the start, not as an afterthought
- Breach notification — Report personal data breaches to your supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals
GDPR defines “personal data” broadly. It includes IP addresses, cookie identifiers, device IDs, and even behavioral data — essentially anything that could identify a person, directly or indirectly. Consequently, most analytics tools fall under GDPR’s scope because they process at least some of this data.
As I explained in my GDPR compliance guide, the practical impact for most websites is straightforward: either get consent before tracking, or use tools that don’t collect personal data at all.
What Is CCPA?
The California Consumer Privacy Act (CCPA), strengthened by the California Privacy Rights Act (CPRA), which took full effect in January 2023, is California’s landmark privacy law. It gives California residents specific rights over their personal information.

CCPA applies if your for-profit business does business in California and meets any one of these thresholds:
- Annual gross revenue exceeding $25 million in the preceding calendar year (the figure is adjusted for inflation every other year)
- Buys, sells, or shares the personal information of 100,000 or more California consumers or households per year
- Derives 50% or more of annual revenue from selling or sharing personal information
For website owners, CCPA provides consumers with these rights:
- Right to know — What personal information you collect and why
- Right to delete — Request deletion of their personal information
- Right to opt out — Opt out of the sale or sharing of their data
- Right to non-discrimination — You can’t penalize users who exercise their rights
- Right to correct — Request correction of inaccurate personal information (added by CPRA)
A critical distinction: CCPA uses an opt-out model. You can collect and process data by default, as long as you provide a clear way for users to opt out (the main exception is that selling or sharing the personal information of consumers under 16 requires opt-in). This is fundamentally different from GDPR’s opt-in requirement.
CCPA vs GDPR: Key Differences at a Glance
The differences between these two laws go deeper than most summaries suggest. Here’s a detailed comparison:
| Aspect | GDPR (EU) | CCPA/CPRA (California) |
|---|---|---|
| Consent model | Opt-in (explicit consent required) | Opt-out (collect by default, allow opt-out) |
| Who it applies to | Any org processing EU residents’ data | Businesses meeting revenue/data thresholds |
| Personal data scope | Very broad (includes IP, cookies, device IDs) | Broad (includes household data, inferences) |
| Cookies/tracking | Consent banner required before tracking | “Do Not Sell/Share” link required |
| Legal basis for processing | 6 legal bases (consent, contract, etc.) | No legal basis concept — focuses on rights |
| Data breach notification | 72 hours to report to the supervisory authority; affected individuals must also be told if the risk to them is high | Governed by California’s separate breach statute: notify affected consumers “in the most expedient time possible and without unreasonable delay” |
| Right to deletion | Yes (“right to erasure”) | Yes (with broader exceptions) |
| Data portability | Yes (machine-readable format) | Yes (added by CPRA) |
| DPO requirement | Required in certain cases | Not required |
| Max penalties | EUR 20M or 4% of global annual turnover, whichever is higher | $2,500 per violation; $7,500 per intentional violation or violation involving minors |
| Private right of action | Yes (through national courts, for any infringement causing damage) | Limited (certain data breaches caused by inadequate security only) |
| Enforcement body | National Data Protection Authorities | California Privacy Protection Agency (CPPA) and the California Attorney General |

The Consent Model: The Biggest Practical Difference
This is the difference that affects your website most directly.
GDPR requires opt-in consent. Before you can set any non-essential cookies or tracking scripts, you need the user to actively agree. This means a cookie consent banner that blocks tracking until the user clicks “Accept.” If they don’t consent, you can’t track them — period.
In practice, only about 31% of visitors accept cookie consent banners. As a result, GDPR-compliant websites using traditional analytics like Google Analytics only see data from roughly one-third of their European visitors.
CCPA uses an opt-out model. You can track visitors by default, but you must provide a clear “Do Not Sell or Share My Personal Information” link. Opt-out requests must be honored promptly: the CCPA regulations set an outer limit of 15 business days and require you to pass the opt-out on to any third parties you have already shared the data with. However, the majority of users never opt out, so your data collection is far less impacted.
This means the same website might handle tracking completely differently for EU and US visitors:
| Scenario | EU Visitor (GDPR) | California Visitor (CCPA) |
|---|---|---|
| First visit | No tracking until consent given | Tracking starts immediately |
| Analytics data | Only from consenting ~31% | From all visitors (until opt-out) |
| Required UI element | Cookie consent banner | “Do Not Sell/Share” link in footer |
| Default state | Opted OUT | Opted IN |
Who Actually Needs to Comply?
This is where many website owners get confused. Both laws have extraterritorial reach — they can apply to you even if you’re not based in the EU or California.
You Need GDPR Compliance If:
- You have any EU visitors and collect their data (even through analytics)
- You sell products or services to EU residents
- You monitor the behavior of people in the EU (including via website tracking)
There’s no revenue threshold. A one-person blog with Google Analytics that gets a few hundred EU visitors is technically subject to GDPR. In practice, enforcement focuses on larger violations, but the legal obligation exists for everyone.
You Need CCPA Compliance If:
- You do business in California AND meet one of the three thresholds (revenue, data volume, or data-derived income)
- You share personal information with third parties for cross-context behavioral advertising (even if you don’t technically “sell” it)
Importantly, the CPRA added “sharing” alongside “selling.” Sharing means disclosing personal information to a third party for cross-context behavioral advertising, whether or not any money changes hands. If your website sends visitor data to Google Analytics or Facebook and that data feeds advertising, it can qualify as “sharing” under CCPA. Therefore, more websites are covered than many owners realize.
How These Laws Affect Your Website Analytics
For most small business websites, the practical impact comes down to how you handle analytics and tracking.

If You Use Google Analytics
Google Analytics receives visitors’ IP addresses, sets cookies, and sends data to Google’s servers — making it subject to both GDPR and CCPA:
- Under GDPR: You need explicit consent before Google Analytics loads. Without consent, you lose data on ~69% of EU visitors.
- Under CCPA: Sending data to Google may constitute “sharing” personal information. You need a “Do Not Sell/Share” link and must honor opt-out requests via Global Privacy Control (GPC).
Moreover, several European Data Protection Authorities (DPAs) have found that the Google Analytics setups they examined violated GDPR’s rules on international transfers, because visitor data was sent to Google’s US servers without adequate safeguards. The noyb.eu complaints triggered enforcement actions across Europe: the Austrian, French, Italian, and Danish authorities all issued decisions or guidance against Google Analytics. Note that those decisions predate the EU-US Data Privacy Framework adequacy decision of July 2023, which changed the transfer analysis for certified US providers, so check your own DPA’s current position before relying on either conclusion.
If You Use Privacy-First Analytics
Privacy-first analytics tools that set no cookies, store no identifiers in the browser by other means (localStorage values and fingerprinting count the same as cookies under the ePrivacy rules), don’t retain IP addresses, and don’t share data with third parties largely sidestep both regulations:
- Under GDPR: No consent banner required, because nothing is stored on or read from the visitor’s device beyond what is needed to serve the page, and no identifier that could single out a visitor is kept
- Under CCPA: No “Do Not Sell/Share” link needed, because no personal information is sold or shared
This is why I recommend privacy-first analytics for most small business websites. You get the metrics that actually matter — traffic sources, pageviews, top pages — without any compliance burden under either law.
Beyond GDPR and CCPA: Other Privacy Laws to Watch
The privacy landscape keeps expanding. Several US states have enacted their own privacy laws, and more are coming:
| State | Law | Effective Date | Key Feature |
|---|---|---|---|
| Colorado | CPA | July 2023 | Universal opt-out mechanism required |
| Connecticut | CTDPA | July 2023 | Similar to CPA, consent for sensitive data |
| Virginia | VCDPA | January 2023 | Opt-out for targeted ads and profiling |
| Utah | UCPA | December 2023 | Business-friendly, higher thresholds |
| Texas | TDPSA | July 2024 | No revenue threshold, broad scope |
| Oregon | OCPA | July 2024 | Includes non-profit organizations |
| Montana | MCDPA | October 2024 | Low threshold (50,000 consumers) |
The trend is clear: more states are passing privacy laws, and they generally follow the CCPA’s opt-out model. Consequently, the patchwork is getting more complex — another reason why minimizing data collection is the simplest compliance strategy.
A Simple Compliance Checklist for Both Laws
If you want to comply with both GDPR and CCPA without hiring a team of lawyers, here’s a practical checklist:

For Both Laws:
- Publish a clear privacy policy — Explain what data you collect, why, who you share it with, and how users can exercise their rights. GDPR requires this, and CCPA demands specific disclosures.
- Provide a way to request data deletion — Both laws give users the right to have their data erased. Publish the contact method in your privacy policy; CCPA expects at least two request methods, though a business that operates only online and deals directly with consumers can offer just an email address.
- Minimize data collection — Only collect what you actually need. This is a GDPR principle and a practical way to reduce CCPA exposure.
- Keep records — Document what data you collect, your legal basis (for GDPR), and how you handle requests.
For GDPR Specifically:
- Implement cookie consent — Use a consent banner that blocks non-essential cookies and scripts until the user opts in, and make “Reject” as easy to find as “Accept” (several DPAs now require this)
- Enable data subject access requests — Have a process to respond within one month (extendable by a further two months for complex requests)
- Review data transfers — If you send data outside the EU (for example to US-based tools), make sure a valid transfer mechanism covers it: an adequacy decision such as the EU-US Data Privacy Framework, or Standard Contractual Clauses backed by a transfer risk assessment
For CCPA Specifically:
- Add a “Do Not Sell or Share” link — Place it in your website footer, clearly visible
- Honor Global Privacy Control (GPC) — A browser sending the GPC signal (the `Sec-GPC: 1` request header, also visible to page scripts as `navigator.globalPrivacyControl`) must be treated as a valid opt-out request, without the visitor having to click anything
- Update your privacy policy — Include CCPA-specific disclosures: categories of data collected, purposes, categories of third parties
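The two mechanisms above, the consent defaults from the EU/California table in the consent model section and the GPC opt-out signal from the checklist, come together in one loader. The following is an added example written for this article, not code from any analytics vendor. It assumes the server has already classified the visitor as "EU", "CA" or "OTHER" and made that string available to the page, that the visitor’s choice is kept in a hypothetical first-party cookie named `consent_choice`, that visitors outside the EU are handled under the opt-out model the same way California is, and that `ANALYTICS_SRC` is a placeholder URL. `doc` and `nav` are injected so the same logic runs in Node as in a browser.

```javascript
// Added example, not from the original page. Implements: opt-in for EU
// visitors, opt-out for everyone else, GPC honoured as an opt-out.
// Assumptions: jurisdiction string supplied by the server ("EU"|"CA"|"OTHER"),
// hypothetical cookie name "consent_choice", placeholder analytics URL.

const ANALYTICS_SRC = "https://analytics.example/script.js"; // placeholder
const CHOICE_COOKIE = "consent_choice";                        // hypothetical name

// Parse document.cookie or an HTTP Cookie header into a name -> value object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// GPC arrives two ways: the request header "Sec-GPC: 1" (server side) and
// navigator.globalPrivacyControl === true (client side). Either is an opt-out.
// Header names are matched case-insensitively.
function gpcSignalled({ headers = {}, navigator: nav = {} } = {}) {
  if (nav.globalPrivacyControl === true) return true;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc" && String(value).trim() === "1") return true;
  }
  return false;
}

// Returns true when non-essential tracking may run for this visitor.
// choice: "accepted" | "rejected" | "opted_out" | undefined (no choice yet)
function trackingAllowed({ jurisdiction, choice, gpc }) {
  if (jurisdiction === "EU") {
    // GDPR/ePrivacy: opt-in. Nothing runs until the visitor affirmatively accepted.
    return choice === "accepted";
  }
  // CCPA/CPRA (and, by assumption, elsewhere): opt-out. Runs by default, but an
  // explicit opt-out, an explicit rejection, or a GPC signal stops it.
  if (gpc) return false;
  return choice !== "opted_out" && choice !== "rejected";
}

// Browser-side loader: injects the analytics <script> only when allowed.
// Returns true when the script was injected.
function loadTrackingIfAllowed({ doc, nav, jurisdiction }) {
  const choice = parseCookies(doc.cookie)[CHOICE_COOKIE];
  const gpc = gpcSignalled({ navigator: nav });
  if (!trackingAllowed({ jurisdiction, choice, gpc })) return false;
  const script = doc.createElement("script");
  script.src = ANALYTICS_SRC;
  script.async = true;
  doc.head.appendChild(script);
  return true;
}

// Cookie string for recording the visitor's choice: first-party, one year,
// not sent cross-site, HTTPS only. Used by the "Accept" button (EU) and the
// "Do Not Sell or Share" link (California) alike. A real browser keeps only
// the name=value pair when reading document.cookie back.
function choiceCookie(choice) {
  return `${CHOICE_COOKIE}=${encodeURIComponent(choice)}; Max-Age=31536000; Path=/; SameSite=Lax; Secure`;
}

// Minimal stand-in for a browser so the example runs outside one.
function fakeBrowser({ cookie = "", gpc = false } = {}) {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  const doc = { cookie, head, createElement: (tag) => ({ tag }) };
  return { doc, nav: { globalPrivacyControl: gpc } };
}

// Walk the scenarios from the comparison table (constructed inputs).
const scenarios = [
  ["EU first visit", { jurisdiction: "EU" }],
  ["EU after Accept", { jurisdiction: "EU", cookie: choiceCookie("accepted") }],
  ["CA first visit", { jurisdiction: "CA" }],
  ["CA with GPC", { jurisdiction: "CA", gpc: true }],
  ["CA after Do Not Sell/Share", { jurisdiction: "CA", cookie: choiceCookie("opted_out") }],
];
for (const [label, s] of scenarios) {
  const { doc, nav } = fakeBrowser(s);
  const loaded = loadTrackingIfAllowed({ doc, nav, jurisdiction: s.jurisdiction });
  console.log(`${label}: ${loaded ? "tracking loaded" : "no tracking"}`);
}
```

The point of injecting `doc` and `nav` is that the gating decision can be unit-tested without a browser, which is how you catch the classic mistake of a consent banner that is rendered but the analytics tag has already fired. On the server, the same `gpcSignalled` check on the `Sec-GPC` header lets you record the opt-out before any page is served.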
The Simplest Path: Comply with Both at Once
Here’s what I tell every small business owner who asks me about CCPA vs GDPR compliance:
The easiest way to comply with both laws is to stop collecting data that triggers them.
Specifically, this means:
- Switch to cookie-free analytics — No cookies or other identifiers stored in the browser means no consent banner is needed (GDPR) and no “sharing” of data with an ad platform (CCPA)
- Remove unnecessary third-party scripts — Every Facebook Pixel, Google Ads tag, or social widget is a compliance liability under both laws
- Keep only what you need — A simple analytics tool that shows you traffic sources, popular pages, and visitor counts covers 90% of what small businesses actually use
I’ve helped dozens of websites make this switch. In every case, the result was the same: simpler compliance, better data accuracy (because 100% of visitors are counted), and a cleaner user experience without popups and banners.
As I discussed in my analytics simplification guide, most small websites are overcomplicating their data collection. When you strip it back to what actually drives decisions, the privacy compliance question largely answers itself.
CCPA and GDPR are different laws with different mechanisms. However, the practical solution for most website owners is the same: collect less, track smarter, and respect your visitors’ privacy by default.
