
GDPR vs CCPA: What Developers Actually Need to Know (2026)

9 min read

You're building an app or website, and you've heard about GDPR and CCPA. But what's the difference? Do you need to comply with both? Can you write one privacy policy that covers both? This guide gives developers a practical, no-jargon comparison of GDPR vs CCPA — what they are, who they apply to, and how to comply.

GDPR vs CCPA: Quick Comparison

Feature | GDPR (EU) | CCPA (California)
Who it applies to | Any company processing EU residents' data | California businesses meeting thresholds ($25M revenue, 100K+ users, or 50%+ revenue from data sales)
Scope | Broad: applies to any processing of personal data | Narrower: applies to "businesses" meeting size/revenue thresholds
Consent requirement | Yes — opt-in consent required before processing | No — opt-out model (users can opt out, but consent not required upfront)
User rights | 8 rights: access, rectification, erasure, restriction, portability, objection, automated decision-making, withdraw consent | 4 rights: know, delete, opt-out, non-discrimination
Privacy policy required? | Yes, for all | Yes, for covered businesses
Cookie consent | Yes — banner with opt-in required | No specific cookie law (but disclosure required)
Data breach notification | Within 72 hours to regulator; prompt to affected users | No specific CCPA breach notification law (separate California breach law applies)
Penalties | Up to €20M or 4% of global revenue | $2,500 per unintentional violation, $7,500 per intentional violation
Enforcement | EU member state data protection authorities | California Attorney General and (since 2023) California Privacy Protection Agency

What Is GDPR?

The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection law, effective May 25, 2018. It applies to:

  • Any company established in the EU (regardless of where data processing happens)
  • Any company offering goods/services to EU residents (even if you're outside the EU)
  • Any company monitoring behavior of EU residents (e.g., tracking, profiling)

In other words: if your app or website is accessible in Europe, GDPR likely applies — even if you're a solo developer in the US, India, or anywhere else.

Key GDPR Principles for Developers

  • Lawful basis required: You need a legal reason to process data (consent, contract, legitimate interest, etc.)
  • Data minimization: Only collect what you need
  • Purpose limitation: Use data only for the purposes you disclosed
  • User rights: Users can request access, correction, deletion, portability, etc.
  • Security: Implement appropriate technical and organizational measures
  • Accountability: You must document compliance (privacy policies, data processing records)

What Is CCPA?

The California Consumer Privacy Act (CCPA), effective January 1, 2020, is California's data privacy law. It applies to for-profit businesses that:

  • Have annual gross revenue of $25M+, OR
  • Buy, sell, or share personal information of 100,000+ California consumers or households per year, OR
  • Derive 50%+ of annual revenue from selling consumers' personal information

In other words: if you're a small indie developer or early-stage startup, CCPA likely doesn't apply to you (yet). But if you meet the thresholds, you must comply if you have California users.

Key CCPA Requirements for Developers

  • "Do Not Sell My Personal Information": Must provide an opt-out link if you sell or share user data
  • Right to know: Users can request what data you collect and how you use it
  • Right to delete: Users can request deletion of their data (with exceptions)
  • Non-discrimination: You can't penalize users for exercising their rights (e.g., charging more, offering worse service)
  • Privacy policy disclosure: Must disclose categories of data collected, sources, purposes, and third parties

GDPR vs CCPA: Key Differences

1. Who Is Covered?

GDPR: Applies to everyone processing EU residents' data. No revenue or size threshold. Even a one-person blog needs to comply if it uses cookies and has EU visitors.

CCPA: Only applies to businesses meeting the $25M revenue / 100K+ users / 50%+ data-sales-revenue thresholds. Small apps and side projects usually don't qualify.

2. Consent: Opt-In vs Opt-Out

GDPR: Opt-in model. You need affirmative consent before processing personal data (especially for cookies, marketing, profiling). Pre-ticked boxes and "by continuing, you agree" are not valid consent.

CCPA: Opt-out model. You can collect and use data by default, but users must be able to opt out (especially for data sales). You don't need upfront consent.

What this means for developers: If you have EU users, you need a cookie banner with opt-in. If you only have California users, a "Do Not Sell" link is enough.

3. User Rights

GDPR: 8 comprehensive rights:

  1. Right to access — Request a copy of their data
  2. Right to rectification — Correct inaccurate data
  3. Right to erasure ("right to be forgotten") — Request deletion
  4. Right to restrict processing — Limit how data is used
  5. Right to data portability — Receive data in machine-readable format
  6. Right to object — Object to certain processing (e.g., marketing)
  7. Rights related to automated decision-making — Opt out of profiling
  8. Right to withdraw consent — Revoke previously given consent

CCPA: 4 core rights:

  1. Right to know — What data is collected, how it's used, who it's shared with
  2. Right to delete — Request deletion of personal information
  3. Right to opt-out — Opt out of the "sale" of personal information
  4. Right to non-discrimination — Not be penalized for exercising rights

What this means for developers: GDPR requires more granular controls (e.g., data portability, restriction). CCPA is simpler but still requires a deletion mechanism and opt-out for data sales.

4. "Sale" of Data

GDPR: Doesn't use the term "sale." Instead, focuses on "processing" and "sharing" data. Third-party sharing requires disclosure and (usually) consent.

CCPA: Defines "sale" broadly — it includes sharing data with third parties for any valuable consideration, not just money. This means:

  • Sharing data with ad networks → sale
  • Sharing data with analytics providers (if they use it for their purposes) → sale
  • Using Facebook Pixel or Google Analytics → may be considered a sale

If you "sell" data under CCPA, you must provide a "Do Not Sell My Personal Information" link.

5. Cookies

GDPR (+ ePrivacy Directive): Requires opt-in cookie consent. Non-essential cookies (analytics, marketing) cannot be set until the user consents. "By continuing, you agree" banners are non-compliant.

CCPA: No specific cookie law. You must disclose cookie usage in your privacy policy, but you don't need an opt-in banner.

What this means for developers: If you have EU users, you need a cookie consent banner (e.g., Cookiebot, OneTrust). If you only have California users, you don't.
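The opt-in versus opt-out difference from section 2 and the cookie-gating rule in this section, as an added JavaScript example (not code from the article): the gate loads a non-essential tag only after an affirmative, per-category choice under GDPR, loads by default but honors the "Do Not Sell" opt-out under CCPA, and falls back to opt-in for mixed audiences. The region codes, category names and the shape of the consent record are assumptions made for this example.

```javascript
// Consent gate for the opt-in (GDPR) vs opt-out (CCPA) models described above.
// Added illustration, not code from the article; the regime and category names
// and the shape of the consent record are assumptions made for this example.
const ESSENTIAL = new Set(["essential"]);
// Categories that pass data to third parties (ad networks, analytics
// providers, pixels), which the article says CCPA may treat as a "sale".
const SALE_CATEGORIES = new Set(["analytics", "marketing"]);

// The record a banner would persist. `affirmative` is true only when the user
// actively chose; a pre-ticked box or "by continuing you agree" banner leaves
// it false, which the article notes is not valid GDPR consent.
function makeRecord({ affirmative = false, allowed = [], optedOutOfSale = false } = {}) {
  return { affirmative, allowed: new Set(allowed), optedOutOfSale };
}

// Decide whether a script in `category` may be loaded under `regime`.
function mayRun(regime, category, record) {
  if (ESSENTIAL.has(category)) return true; // strictly necessary: always allowed
  switch (regime) {
    case "gdpr":
      // Opt-in: blocked until an affirmative, per-category yes.
      return record.affirmative && record.allowed.has(category);
    case "ccpa":
      // Opt-out: allowed by default; sale categories stop once the user has
      // clicked "Do Not Sell My Personal Information".
      return !(SALE_CATEGORIES.has(category) && record.optedOutOfSale);
    default:
      throw new Error(`unknown regime: ${regime}`);
  }
}

// Pick the regime for a visitor; mixed or unknown audiences get the stricter opt-in model.
function regimeFor(region) {
  if (region === "US-CA") return "ccpa";
  return "gdpr"; // "EU" and everything else
}

// Return the tag URLs that may be injected right now, in declaration order.
function loadPlan(region, record, tags) {
  const regime = regimeFor(region);
  return tags.filter((t) => mayRun(regime, t.category, record)).map((t) => t.src);
}

// Constructed sample tags for the example (not real endpoints).
const SAMPLE_TAGS = [
  { src: "/js/app.js", category: "essential" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];
```

In a real banner the "withdraw consent" and "Do Not Sell" controls simply rewrite the stored record and re-run `loadPlan`; anything already loaded still needs its own teardown.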

6. Penalties

GDPR:

  • Up to €20 million or 4% of global annual revenue, whichever is higher
  • Lower fines (€10M / 2%) for less serious violations
  • Enforced by EU member state data protection authorities
  • Penalties are per violation, not per user

CCPA:

  • $2,500 per unintentional violation
  • $7,500 per intentional violation
  • Enforced by California Attorney General and California Privacy Protection Agency
  • Penalties can add up quickly (e.g., if you fail to honor 10,000 deletion requests, that's $25M in fines)

Reality check: Most small developers won't face fines unless they egregiously ignore user requests or suffer a data breach. But non-compliance is risky if you grow.

Do I Need to Comply with Both?

It depends on your users:

  • EU users? → You need GDPR compliance
  • California users + you meet CCPA thresholds? → You need CCPA compliance
  • Global users? → You likely need both

Most apps and websites should assume they need both — unless you're geofencing or explicitly blocking certain regions.

Can I Write One Privacy Policy for Both?

Yes. Most developers write a single privacy policy that covers GDPR, CCPA, and other regulations. Here's how:

Structure Your Policy to Cover Both

  1. Introduction — Who you are, what this policy covers
  2. Data We Collect — List all data types (meets both GDPR and CCPA disclosure requirements)
  3. How We Use Data — Purposes and legal basis (GDPR requires legal basis; CCPA requires purpose disclosure)
  4. Third-Party Sharing — List all third parties, link to their privacy policies
  5. Data Retention — How long you keep data (GDPR requirement; good practice for CCPA)
  6. Your Rights — Cover all GDPR rights + CCPA rights. If you meet GDPR's stricter standards, you're covered for CCPA.
  7. Cookies — Disclose cookie usage (required by both)
  8. Security — How you protect data
  9. Updates — How you notify users of changes
  10. Contact — How to reach you

Key Sections for Both

For GDPR compliance, include:

  • Legal basis for processing (consent, contract, legitimate interest, etc.)
  • All 8 user rights with instructions on how to exercise them
  • Data retention periods
  • International data transfers (if data leaves the EU)
  • Right to lodge a complaint with a supervisory authority

For CCPA compliance, include:

  • Categories of personal information collected in the past 12 months
  • Sources of data
  • "Do Not Sell My Personal Information" link (if you sell data)
  • Right to know, delete, opt-out, and non-discrimination
  • How to submit requests (email, form, toll-free number)

Use a Generator to Save Time

Writing a policy that covers both GDPR and CCPA from scratch takes hours. PrivacyPage generates a unified policy that covers both — just answer a few questions about your app or website, and it produces a compliant document in 60 seconds.

FAQ

I'm a solo developer in the US with a small app. Do I really need to comply with GDPR?

If your app is available in Europe (e.g., on the App Store or Play Store with global availability), technically yes. GDPR applies based on where your users are, not where you are. Practically, most small developers comply by having a privacy policy, using cookie consent, and honoring user requests.

Do I need a "Do Not Sell" link if I don't sell data?

If you don't sell data under CCPA's definition, you don't need the link. But be careful: sharing data with ad networks, analytics providers, or social media pixels may count as a "sale" under CCPA. When in doubt, include the link.

Can I just block EU users to avoid GDPR?

Technically, yes — if you geofence your app/website and explicitly block EU IP addresses. But this is impractical for most apps (you're cutting off 450M+ potential users). It's easier to comply.

What if I'm not sure if I meet CCPA thresholds?

If you're under $25M revenue, under 100K California users/households per year, and don't derive 50%+ revenue from data sales, CCPA likely doesn't apply. But you should still have a privacy policy (required by app stores and good practice). If you grow, you'll need to comply.

Do I need a lawyer to write my privacy policy?

Not necessarily. Most small developers use generated policies (like PrivacyPage) that cover GDPR and CCPA. If you handle sensitive data (health, finance, children), or if you're raising funding / facing legal issues, get a lawyer to review it.

Generate Your GDPR + CCPA Compliant Privacy Policy

Stop stressing about compliance. PrivacyPage generates a unified privacy policy that covers GDPR, CCPA, and other regulations — free preview, no signup, one-time payment of $9.99.
