If your business operates in both the US and UK — or serves customers in both countries — you need to understand both the CCPA and the GDPR. While they share the same goal of protecting personal data, they differ significantly in scope, requirements, and enforcement. Here's a clear comparison.
At a glance
| Feature | CCPA / CPRA (US) | UK GDPR |
|---|---|---|
| Jurisdiction | California (US) | United Kingdom |
| Who it protects | California consumers | UK residents |
| Who must comply | Businesses meeting thresholds | Any organisation processing UK data |
| Legal basis required? | No — opt-out model | Yes — opt-in model |
| Consent for cookies | Opt-out sufficient | Opt-in required |
| Max fine | $7,500 per violation | £17.5 million or 4% of turnover |
| Enforced by | California AG / CPPA | ICO |
| Privacy Policy required? | Yes | Yes |
| DPA required? | Service provider agreements | Article 28 DPA |
Key difference 1: Opt-out vs opt-in
This is the most fundamental difference between the two laws.
CCPA (opt-out model): Businesses can collect and use personal data by default. Consumers have the right to opt out of the "sale" or "sharing" of their data. You must provide a clear "Do Not Sell or Share My Personal Information" mechanism, but you don't need consent before processing.
UK GDPR (opt-in model): Businesses must have a lawful basis before processing personal data. For marketing, cookies, and many other activities, this means obtaining explicit, informed consent in advance. Pre-ticked boxes and assumed consent are not valid.
✅ Practical impact: Under CCPA, your cookie consent banner can say "We use cookies. Opt out here." Under UK GDPR, it must say "Can we use cookies?" and wait for an active yes before setting analytics cookies.
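The difference in default behaviour is easy to get wrong in a banner implementation. The following is an added example, not code from the original post or from DataShark: a small consent gate that models the two regimes, written so that an analytics cookie is only written when the applicable model allows it, and so that a pre-ticked box is ignored under the opt-in model. The class, method and cookie names are illustrative assumptions.

```javascript
// Added example: a consent gate modelling the CCPA opt-out default and the
// UK GDPR opt-in default. Names (ConsentGate, OPT_IN, OPT_OUT) are assumed.
const OPT_OUT = "opt-out"; // CCPA-style: processing allowed until the user objects
const OPT_IN = "opt-in";   // UK GDPR-style: processing blocked until an active yes

class ConsentGate {
  constructor(model) {
    if (model !== OPT_OUT && model !== OPT_IN) {
      throw new Error(`unknown consent model: ${model}`);
    }
    this.model = model;
    this.decision = null;   // null = the user has not acted yet
    this.cookiesSet = [];   // analytics cookies actually written (constructed log)
  }

  // Record a user action. Under opt-in, only a deliberate click counts:
  // a pre-ticked checkbox (passed as { preTicked: true }) is not valid consent.
  recordChoice(allow, { preTicked = false } = {}) {
    if (this.model === OPT_IN && preTicked) return false;
    this.decision = Boolean(allow);
    return true;
  }

  // The rule the banner must enforce before writing any analytics cookie:
  // an explicit decision wins; silence means "yes" only under opt-out.
  analyticsAllowed() {
    if (this.decision !== null) return this.decision;
    return this.model === OPT_OUT;
  }

  // Writes a cookie only when permitted; returns whether it was written.
  setAnalyticsCookie(name) {
    if (!this.analyticsAllowed()) return false;
    this.cookiesSet.push(name);
    return true;
  }
}

// Walk both regimes through the same sequence of events and report what
// happened at each step, so the difference in defaults is visible.
function runScenario(model) {
  const gate = new ConsentGate(model);
  return {
    beforeAnyAction: gate.setAnalyticsCookie("_analytics_1"),
    afterPreTickedYes: (gate.recordChoice(true, { preTicked: true }),
                        gate.setAnalyticsCookie("_analytics_2")),
    afterExplicitNo: (gate.recordChoice(false), gate.setAnalyticsCookie("_analytics_3")),
    afterExplicitYes: (gate.recordChoice(true), gate.setAnalyticsCookie("_analytics_4")),
    cookiesSet: gate.cookiesSet,
  };
}

console.log("CCPA-style:", runScenario(OPT_OUT));
console.log("UK GDPR-style:", runScenario(OPT_IN));
```

Under the opt-out model the first cookie is written before the visitor does anything; under the opt-in model nothing is written until an explicit yes, and the pre-ticked box changes nothing.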
Key difference 2: Who must comply
CCPA: Only applies to for-profit businesses that meet at least one threshold — $25M+ revenue, 100,000+ consumers' data, or 50%+ revenue from selling data. Small businesses below these thresholds are technically exempt.
UK GDPR: Applies to any organisation — regardless of size, revenue, or location — that processes personal data of UK residents. A one-person freelancer with a UK client list must comply.
Key difference 3: Legal basis for processing
CCPA: No requirement to identify a legal basis before processing personal data. The law is built around disclosure and opt-out rights, not prior justification.
UK GDPR: You must identify and document a lawful basis for every processing activity before you start. The six bases are consent, contract, legal obligation, vital interests, public task, and legitimate interests. You must disclose your lawful basis in your Privacy Policy.
Key difference 4: Consumer / data subject rights
CCPA rights:
- Right to know what data is collected
- Right to delete personal information
- Right to correct inaccurate information (added by CPRA)
- Right to opt out of sale or sharing
- Right to limit use of sensitive personal information
- Right to non-discrimination
UK GDPR rights:
- Right of access (Subject Access Request)
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making
Key difference 5: Penalties
CCPA / CPRA: $2,500 per unintentional violation, $7,500 per intentional violation. Private right of action for data breaches: $100–$750 per consumer per incident. Relatively modest compared to GDPR.
UK GDPR: Up to £17.5 million or 4% of global annual turnover — whichever is higher. The ICO also has powers to issue enforcement notices requiring businesses to stop processing data.
Do both laws apply to my business?
If your business serves both US and UK customers, both laws likely apply. This means your Privacy Policy must cover:
- CCPA disclosures and opt-out mechanisms for US visitors
- UK GDPR disclosures including lawful basis for UK visitors
- Cookie consent that satisfies both frameworks
The good news is that a well-written Privacy Policy can cover both jurisdictions. DataShark generates separate, tailored documents for US (CCPA) and UK (GDPR) compliance — or you can get both as part of separate bundles.
The bottom line
CCPA is a disclosure and opt-out framework. UK GDPR is a permission-first framework. If you operate in both markets, you need to satisfy both. Start with a compliant Privacy Policy for each jurisdiction — DataShark generates personalised documents from $19 (US) or £19 (UK).
Ready to generate your GDPR policy?
Answer a few questions about your business and get a personalised, legally-structured document in minutes.