Two Laws, Two Audiences, One Policy
GDPR and CCPA are the world's most influential data privacy laws. GDPR covers users in the European Union. CCPA covers residents of California. If your website serves both — which describes most English-language websites — your privacy policy needs to satisfy both.
The good news: a policy written to meet GDPR standards will generally satisfy CCPA as well, since GDPR is the stricter of the two.
GDPR: What It Requires
The General Data Protection Regulation took effect in May 2018. It applies to any organization that processes personal data of EU residents, regardless of where the organization is located.
Your privacy policy must include:
- The identity and contact details of the data controller (you)
- The types of personal data collected
- The purposes and legal bases for processing (consent, contract, legitimate interests, legal obligation, vital interests, or public task)
- Whether data is transferred outside the EU and what safeguards are in place
- Retention periods for each category of data
- User rights: access, rectification, erasure (right to be forgotten), restriction, portability, and objection
- The right to withdraw consent at any time
- The right to lodge a complaint with a supervisory authority
- Whether automated decision-making or profiling takes place
GDPR also requires that you have a lawful basis documented for every processing activity. Consent must be freely given, specific, informed, and unambiguous — pre-ticked boxes do not count.
Penalties for serious GDPR violations can reach €20 million or 4% of global annual turnover, whichever is higher.
CCPA: What It Requires
The California Consumer Privacy Act took effect in January 2020. It applies to for-profit businesses that collect personal information from California residents and meet at least one of these thresholds:
- Annual gross revenue over $25 million
- Buy, sell, or receive personal information of 100,000 or more consumers or households annually
- Derive 50% or more of annual revenue from selling personal information
Your privacy policy must include:
- Categories of personal information collected in the past 12 months
- Categories of sources from which personal information is collected
- The business or commercial purpose for collecting the information
- Categories of third parties with whom you share information
- A description of consumer rights: the right to know, the right to delete, the right to opt out of sale, and the right to non-discrimination
- How consumers can submit requests (a "Do Not Sell My Personal Information" link if you sell data)
- Contact information for submitting requests
The CPRA (California Privacy Rights Act), which amended CCPA in 2023, added the right to correct inaccurate personal information and created a new category for sensitive personal information.
Key Differences Between the Two
The biggest practical difference is the concept of consent. GDPR requires explicit opt-in consent for most data processing. CCPA uses an opt-out model — you can process data by default, but must honor requests to stop.
GDPR covers all natural persons in the EU. CCPA applies only to California residents and has business-size thresholds. A small website may not technically be required to comply with CCPA, but it may still be required to comply with GDPR if it has any EU visitors.
Writing a Policy That Covers Both
Rather than writing separate sections, structure your policy around the data itself — what you collect, why, and how — and then include a combined rights section that lists all user rights under both laws. Include contact details for submitting requests and note the date the policy was last updated.
TermsDock's Privacy Policy Generator handles both GDPR and CCPA requirements automatically. Enter your details and receive a policy structured to cover both frameworks without needing to understand the technical requirements of each.