# GDPR vs. CCPA

### Contents

* [Key differences](#key-differences)
* [Comparison table](#comparison-table)

### Key differences

* The [GDPR](/key-legislation/the-gdpr.md) also **applies to individuals** who process data, whereas the [CCPA](/key-legislation/ccpa.md) only applies to for-profit businesses.
* The [GDPR](/key-legislation/the-gdpr.md) is **stricter** and has far greater penalties for non-compliance.
* The [GDPR](/key-legislation/the-gdpr.md) **requires consumers to consent** to their personal data being used **at the time**, whereas the [CCPA](/key-legislation/ccpa.md) informs consumers how their personal data has been used for business purposes retroactively.

### Comparison table

|                                                             | GDPR                                                                                                                                                                                                                                           | CCPA                                                                                                                                                                                                                                                                                                                                                                                     |
| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Primary regulator**                                       | European Data Protection Board (EDPB)                                                                                                                                                                                                          | California Privacy Protection Agency (CPPA)                                                                                                                                                                                                                                                                                                                                              |
| **Data subjects**                                           | EU residents | California residents |
| **Who must comply?**                                        | <p>Any business or individual handling the data of EU residents.</p><p><br></p><p>The business may be incorporated outside the EU.</p> | <p>For-profit businesses trading in California which either:</p><ul><li>Have gross annual revenue in excess of $25 million; OR</li><li>Buy, sell, or share the PI of 100,000 or more California residents/households; OR</li><li>Derive 50% or more of their annual revenue from selling California residents’ PI.</li></ul><p>The business may be incorporated outside California.</p> |
| **How is ‘personal data’/ ‘personal information’ defined?** | <p>Personal data:</p><p><br></p><p>“Any information relating to an identified or identifiable natural person (‘data subject’)” (GDPR)</p>                                                                                                      | <p>Personal information:</p><p><br></p><p>“Information that identifies, relates to, or could reasonably be linked with you or your household.” (CCPA)</p><p><br></p><p>It does not include publicly available information.</p>                                                                                                                                                           |
| **How is ‘sensitive’ personal data/information defined?** | <p>Full list in legislation.</p><p><br></p><p>Includes genetic, biometric and health data, as well as personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership.</p> | <p>Full list in legislation.</p><p><br></p><p>Includes certain government identifiers (such as social security numbers) and contents of mail, email, and text messages.</p> |
| **Approach to consent**                                     | Opt-in system                                                                                                                                                                                                                                  | Opt-out system                                                                                                                                                                                                                                                                                                                                                                           |
| **Penalties**                                               | Up to €20 million or 4% of global annual turnover | <p>Up to $2,500 per violation, and $7,500 per ‘intentional’ violation.</p><p><br></p><p>Private rights of action for consumers, with damages of $100-$750 per incident.</p> |
| **Enforcement agencies**                                    | National data protection authorities (DPAs) in each EU member state                                                                                                                                                                            | California Privacy Protection Agency (CPPA) and California Attorney General (CAG)                                                                                                                                                                                                                                                                                                        |

