If your website serves visitors from both the European Union and California, you're potentially subject to two of the world's most significant privacy laws: the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as amended by the CPRA. Here's what you need to know about both, and how to handle them efficiently.
The Core Philosophical Difference
GDPR (together with the ePrivacy Directive's cookie rule, which borrows GDPR's definition of consent) takes an opt-in approach: you cannot set or read non-essential cookies until the user gives freely given, specific, informed and unambiguous consent. Strictly necessary cookies (session, security, load balancing) are exempt. No valid consent = no non-essential cookies.
CCPA/CPRA takes an opt-out approach: you can use cookies and process data by default, but you must give users the right to opt out of the "sale or sharing" of their personal information and the right to limit the use of "sensitive personal information" to what is necessary to provide the service. Note that "sale or sharing" is about data flows, not cookies as such: server-side pixels, CRM exports and data-broker feeds can count even when no third-party cookie is set.
Key Differences at a Glance
| Aspect | GDPR | CCPA/CPRA |
|---|---|---|
| Jurisdiction | People in the EU/EEA (residence is not required) | California residents |
| Consent model | Opt-in required for non-essential cookies | Opt-out (for sale/share and for use of sensitive PI) |
| Who it applies to | Any org established in the EU/EEA, or one outside it that offers goods or services to, or monitors the behaviour of, people in the EU/EEA | For-profit businesses meeting thresholds (roughly $25M+ annual revenue, data on 100,000+ consumers or households, or 50%+ of revenue from selling/sharing PI) |
| Cookie banner required | Yes: before non-essential cookies load | No, but a "Do Not Sell or Share" link (or equivalent opt-out mechanism) is required |
| Right to delete | Yes | Yes |
| Right to know/access | Yes | Yes |
| Fines | Up to 4% of global annual turnover or EUR 20 million, whichever is higher | Up to $2,500 per violation, up to $7,500 per intentional violation or violation involving a minor's data (amounts are adjusted for inflation) |
What Your Banner Needs to Show
For EU visitors (GDPR):
- Banner before any non-essential cookies load (blocking the tags, not just showing the banner)
- Clear Accept and Reject options with equal prominence, and no pre-ticked boxes
- Granular category control (for example analytics and marketing separately)
- Stored consent record with timestamp and the banner/policy version the user saw, so you can demonstrate consent later and re-ask when the record expires
For California visitors (CCPA):
- "Do Not Sell or Share My Personal Information" link in your footer or banner, plus a "Limit the Use of My Sensitive Personal Information" link if you use sensitive PI beyond the permitted purposes
- Honoring Global Privacy Control (GPC) signals (the `Sec-GPC: 1` request header, or `navigator.globalPrivacyControl === true` in the browser) as a valid opt-out of sale/sharing, without requiring a login or account
- Privacy policy disclosing the categories of data collected and shared, and with whom
Running Both with One Platform
The good news: a properly configured GDPR-compliant banner typically exceeds CCPA requirements. If you've already given users granular opt-in/opt-out controls for analytics and marketing cookies, you've effectively given California users more control than the law requires. Two caveats: an opt-in banner on its own does not honor GPC, so the signal still has to be wired into the same preference store, and cookie blocking does not cover server-side "sharing", which needs its own opt-out flag downstream.
The main CCPA-specific addition is the "Do Not Sell or Share" link, which can be added to your banner's footer text or as a persistent link in your website footer, pointing to your preference management page. Treat the California opt-out as a distinct, stored flag rather than reusing the GDPR "reject" state, so that a GPC signal or an opt-out click switches off every sale/share category at once and stays in effect on later visits.
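To make the "one platform for both models" concrete, here is an added example of a small consent-policy engine (not code from the original page or from any real consent-management product). It applies the GDPR opt-in model to EU/EEA visitors, the CCPA/CPRA opt-out model to California visitors, reads the Global Privacy Control header, and produces the timestamped consent record the EU banner needs. The region codes (`EU`, `US-CA`), the category names, the sale/share classification of each category and the one-year consent lifetime are assumptions for this example.

```javascript
// Added example, not from the original page or any real consent platform:
// a small consent-policy engine that applies the GDPR opt-in model to
// EU/EEA visitors and the CCPA/CPRA opt-out model (including Global Privacy
// Control) to California visitors. Region codes, category names, the
// sale/share classification and the consent lifetime are assumptions.

// Cookie categories. Only "necessary" is exempt from GDPR consent; the
// saleOrShare flag marks categories whose use counts as a CCPA "sale or
// share" (assumption: third-party marketing tags do, first-party analytics
// may not, but many analytics vendors count as "sharing"; classify per vendor).
const CATEGORIES = {
  necessary: { essential: true, saleOrShare: false },
  analytics: { essential: false, saleOrShare: false },
  marketing: { essential: false, saleOrShare: true },
};

// How long a stored GDPR consent stays valid before the banner is shown again.
// The period is an assumption; pick it with your DPO / regulator guidance.
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;

// Global Privacy Control reaches the server as the `Sec-GPC: 1` request header
// (in the browser it is `navigator.globalPrivacyControl === true`). Header
// names are case-insensitive; only the exact value "1" is an opt-out.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// The consent record a banner must store: per-category choices, the banner
// version the visitor saw, an ISO timestamp, and the California opt-out flag.
// Essential categories are always on; unknown categories are ignored.
function recordChoice({ region, choices, bannerVersion, now = Date.now() }) {
  const categories = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    categories[name] = meta.essential || choices[name] === true;
  }
  return {
    region,
    bannerVersion,
    timestamp: new Date(now).toISOString(),
    categories,
    saleOrShareOptOut: choices.saleOrShareOptOut === true,
  };
}

// Decide which categories may run on this request.
// `region` must come from a trusted server-side geo lookup ("EU" for EU/EEA,
// "US-CA" for California here), never from a client-supplied value alone.
function resolveConsent({ region, gpc = false, stored = null, now = Date.now() }) {
  const allowed = {};
  if (region === "EU") {
    // Opt-in: without a fresh stored consent record only essential cookies run.
    const fresh = stored !== null && now - Date.parse(stored.timestamp) <= CONSENT_MAX_AGE_MS;
    const basis = stored === null ? "gdpr-no-consent" : fresh ? "gdpr-consent-record" : "gdpr-consent-expired";
    for (const [name, meta] of Object.entries(CATEGORIES)) {
      allowed[name] = meta.essential || (fresh && stored.categories[name] === true);
    }
    return { allowed, saleOrShareOptOut: false, basis };
  }
  if (region === "US-CA") {
    // Opt-out: everything runs by default, but a GPC signal or a stored
    // "Do Not Sell or Share" choice turns off every sale/share category.
    const optOut = gpc || (stored !== null && stored.saleOrShareOptOut === true);
    const basis = gpc ? "ccpa-gpc-opt-out" : optOut ? "ccpa-stored-opt-out" : "ccpa-default";
    for (const [name, meta] of Object.entries(CATEGORIES)) {
      allowed[name] = !(optOut && meta.saleOrShare);
    }
    return { allowed, saleOrShareOptOut: optOut, basis };
  }
  // Other regions: no gate in this example (assumption; many sites apply
  // the GDPR model everywhere instead).
  for (const name of Object.keys(CATEGORIES)) allowed[name] = true;
  return { allowed, saleOrShareOptOut: false, basis: "no-gate" };
}

// Gate tag loading on the decision so nothing non-essential loads early.
function scriptsToLoad(allowed, scripts) {
  return scripts.filter((s) => allowed[s.category] === true);
}

// Constructed sample tag list.
const SCRIPTS = [
  { src: "/js/session.js", category: "necessary" },
  { src: "https://analytics.example/ga.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// Demo: EU first visit (only necessary) and California with GPC (no marketing).
const eu = resolveConsent({ region: "EU" });
console.log(eu.basis, scriptsToLoad(eu.allowed, SCRIPTS).map((s) => s.src));
const ca = resolveConsent({ region: "US-CA", gpc: gpcFromHeaders({ "Sec-GPC": "1" }) });
console.log(ca.basis, scriptsToLoad(ca.allowed, SCRIPTS).map((s) => s.src));
```

The design point is that the two regimes share one preference store but differ in their default: the EU branch denies until a fresh record says otherwise, the California branch allows until a GPC signal or a stored opt-out says otherwise. Keeping `saleOrShareOptOut` as its own flag lets the same decision also drive server-side data flows, where blocking a cookie would change nothing.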