CCPA vs GDPR, explained

In short
  • GDPR is the EU's general-purpose privacy law (2018). Covers ~500 million Europeans plus, in some cases, anyone whose data is processed by an EU-based business.
  • CCPA + CPRA + the Delete Act is California's framework (2020-2024). Covers 39 million Californians, with the strongest US-state enforcement infrastructure (the CPPA agency, the DROP one-stop deletion mechanism).
  • Most US residents only get CCPA-style rights (and only if their state has passed one). Most EU residents get the full GDPR. There's overlap but not equivalence.
Last reviewed May 2026

Two laws, two regions, one general idea

Both laws answer the same basic question: what rights do people have over their own personal data once a business holds it? They answer it differently because they emerged from different legal traditions.

GDPR (General Data Protection Regulation, in force May 2018) is the EU's general-purpose privacy law. It applies to every business that processes EU-resident personal data, replaces 28 different national laws, and is enforced by national Data Protection Authorities with fines up to 4% of global annual revenue.

CCPA (California Consumer Privacy Act, in force January 2020), expanded by CPRA (2023) and SB 362 (the Delete Act, 2024), is California's consumer-data law. It applies to most businesses doing business in California above certain thresholds, gives California residents a similar but narrower set of rights, and is enforced by the California Privacy Protection Agency (CPPA) with fines up to $7,500 per intentional violation.

Side-by-side comparison

|  | GDPR | CCPA + CPRA + Delete Act |
|---|---|---|
| Region | EU + EEA + UK (UK has its own derivative) | California (other US states have similar) |
| Population covered | ~500 million | ~39 million |
| Effective | May 2018 | Jan 2020 (CCPA), Jan 2023 (CPRA), 2024 (Delete Act) |
| Consent model | Opt-in for most processing | Opt-out (must be offered) |
| Right to access | Yes (Art. 15) | Yes (§1798.110) |
| Right to delete / erasure | Yes (Art. 17 — "right to be forgotten") | Yes (§1798.105) |
| Right to correct | Yes (Art. 16) | Yes (§1798.106, added by CPRA) |
| Right to portability | Yes (Art. 20) | Yes (§1798.130) |
| Right to object to processing | Yes (Art. 21) | Yes for sale/sharing/profiling (§1798.120, §1798.121) |
| One-stop deletion | No (file individually with each controller) | Yes (DROP, via the Delete Act) |
| Response timeline | 1 month, extendable | 45 days, extendable |
| Enforcement agency | National DPAs (Ireland's DPC enforces most US tech) | California Privacy Protection Agency (CPPA) |
| Maximum fines | €20M or 4% of global revenue (whichever is higher) | $7,500 per intentional violation |
| Private right of action | Yes (compensation for damages) | Limited (only for certain data-breach claims) |

Which one is "stronger"?

It depends on what you mean by stronger.

GDPR is broader. It covers all data processing, not just data-broker-shaped businesses. It uses opt-in as the default consent model. Its fines can reach 4% of a global tech company's revenue (real-world examples exceeding $1 billion). It applies to anyone whose data EU-based businesses process, sometimes including non-EU residents.

CCPA + Delete Act is more operationally usable for the data-broker problem specifically. The DROP one-stop deletion mechanism is the only such thing in the world. The CPPA has dedicated enforcement bandwidth focused on consumer-data issues. The framework is younger but iterating fast.

For an EU resident dealing with a global tech platform, GDPR is the more powerful right by a comfortable margin. For a California resident dealing with the US data-broker ecosystem, the combined CCPA + CPRA + Delete Act framework is arguably more usable because DROP exists.

Both laws give you the right to delete. Both make you file the request. Delist files them automatically across 100+ brokers.


Which one applies to you

Quick decision tree for US residents:

How data brokers actually handle each

Most large US data brokers offer both a CCPA opt-out page and a GDPR opt-out page. They look similar, but:

Practical effect: a CCPA-cited request is usually faster than a GDPR-cited one for the same broker, even when the broker honors both. Lead with CCPA if you have California standing.

The 20-state patchwork problem

Roughly 20 US states have passed comprehensive privacy laws by 2026. The good news: most US residents now have some version of the CCPA-style rights. The bad news: every state's law is slightly different. Different definitions, different thresholds, different cure periods, different fines. Compliance is harder and harder for brokers to track, and consumers in different states get materially different rights.

A federal US privacy law would solve the patchwork. There have been multiple attempted bills (the most-discussed in 2024-2025 being the American Privacy Rights Act). None have passed. The patchwork continues.

Frequently asked questions

Can a US resident use GDPR to delete their data?
Sometimes. GDPR technically applies to EU and UK residents, but it also applies to data about anyone (regardless of residency) being processed by an EU-based company. If a US data broker has an EU office or subsidiary, you may have a GDPR-based claim regardless of where you live. Most US-only data brokers won't honor GDPR from US residents, but the major multinationals (Acxiom, LexisNexis Risk Solutions, Epsilon) will.

Which is stronger, CCPA or GDPR?
GDPR is broader in scope and has stronger consent requirements (opt-in by default vs CCPA's opt-out). CCPA + Delete Act has stronger operational infrastructure for the data-broker problem (the DROP universal-deletion mechanism). For an EU resident, GDPR is the broader right. For a Californian dealing with US brokers, the CCPA framework is more usable.

What is the "right to be forgotten"?
A right under GDPR Article 17 that lets EU residents demand erasure of their personal data, subject to exceptions. The phrase is more commonly used about search-engine de-indexing — the 2014 EU case (Google Spain v. AEPD) established the right to have outdated search results removed from Google. The US has no direct federal equivalent.

Do California residents get GDPR rights automatically?
Not automatically. California residents get CCPA rights. They get GDPR rights only when the company processing their data is established in the EU, or the company is processing their data in connection with offering goods/services in the EU. Most US-only operations only owe US residents CCPA, not GDPR.

What other US states have laws like California's?
As of 2026, roughly 20 US states have passed comprehensive consumer privacy laws. The most active are Texas (TDPSA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Virginia (VCDPA). The structure is similar across these laws — right to access, delete, correct, opt out — but California remains the only one with a dedicated enforcement agency and a DROP universal-deletion mechanism.

You have the rights. We file the requests.

Delist files CCPA, TDPSA, GDPR, and equivalent state-law requests across 100+ brokers. Free scan first.
