GDPR is broader and stricter: it applies to any organization with EU users regardless of size, requires explicit opt-in consent, mandates 72-hour breach notification, and carries fines up to 4% of global revenue. CCPA is narrower: it only applies to for-profit businesses exceeding $25 million in revenue (or meeting other thresholds), defaults to opt-out rather than opt-in, and imposes penalties of $2,500-$7,500 per violation. For developers, implementing GDPR compliance first covers most CCPA requirements – the key additions for CCPA are the “Do Not Sell” opt-out mechanism and the 45-day response window for data requests.
Scope and Applicability
GDPR applies to any organization processing personal data of EU residents, regardless of where the organization is located. The threshold is straightforward: if you have users in the EU, GDPR likely applies to you. The regulation defines personal data broadly, covering anything that can identify an individual directly or indirectly.
CCPA applies to for-profit businesses that meet one of three thresholds: annual gross revenue exceeding $25 million, buy or sell personal information of 100,000 or more consumers, or derive 50% or more of annual revenue from selling personal information. This means many small businesses and startups may not need to comply unless they hit these marks.
For developers, this means your application’s compliance obligations depend on your user base geography and your company’s scale. A startup with EU users must implement GDPR compliance from day one, while a US-only service might only need CCPA compliance if it meets the thresholds.
Data Subject Rights
Both regulations grant individuals rights over their personal data, but the specifics differ significantly.
GDPR Rights
GDPR provides six primary rights: the right to access, rectification, erasure, restriction of processing, data portability, and objection. Users can request their data in a commonly used electronic format, and you must respond within one month. Organizations can extend this to two months for complex requests, but you must inform the user within one month.
CCPA Rights
CCPA provides four rights: the right to know, delete, opt-out of sale, and non-discrimination. The right to know allows users to request categories and specific pieces of personal information collected. You must respond within 45 days, which cannot be extended.
Here’s how you might implement a data subject request handler:
# Example: Handling GDPR/CCPA data requests
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import json
class Regulation(Enum):
GDPR = "gdpr"
CCPA = "ccpa"
@dataclass
class DataRequest:
request_type: str # access, deletion, portability, etc.
user_id: str
regulation: Regulation
request_date: str
class PrivacyRequestHandler:
def __init__(self, user_repository, data_processor):
self.user_repo = user_repository
self.processor = data_processor
def handle_request(self, request: DataRequest) -> dict:
if request.regulation == Regulation.GDPR:
return self._handle_gdpr_request(request)
elif request.regulation == Regulation.CCPA:
return self._handle_ccpa_request(request)
def _handle_gdpr_request(self, request: DataRequest) -> dict:
user_data = self.user_repo.get_user_data(request.user_id)
if request.request_type == "access":
return {
"data": user_data,
"format": "json",
"categories": self._categorize_data(user_data),
"purposes": self._get_processing_purposes(request.user_id),
"recipients": self._get_data_recipients(request.user_id),
"retention": self._get_retention_periods(request.user_id),
"rights": ["access", "rectification", "erasure",
"restriction", "portability", "objection"]
}
elif request.request_type == "deletion":
# GDPR requires erasure unless exceptions apply
self.user_repo.delete_user_data(request.user_id)
self._notify_processors(request.user_id, "deletion")
return {"status": "completed", "deletion_date": "2026-03-15"}
elif request.request_type == "portability":
return {
"data": user_data,
"format": "json",
"schema": "http://json-schema.org/draft-07/schema#"
}
def _handle_ccpa_request(self, request: DataRequest) -> dict:
user_data = self.user_repo.get_user_data(request.user_id)
if request.request_type == "know":
return {
"categories_collected": self._categorize_data(user_data),
"specific_pieces": self._extract_pii(user_data),
"sources": self._get_data_sources(request.user_id),
"business_purpose": self._get_business_purposes(),
"third_party_categories": self._get_third_party_categories()
}
elif request.request_type == "delete":
# CCPA allows exceptions for legal obligations
self.user_repo.mark_for_deletion(request.user_id)
return {"status": "completed", "deletion_date": "2026-03-15"}
elif request.request_type == "opt_out":
self.user_repo.set_sale_flag(request.user_id, False)
return {"status": "opt_out_registered"}
Consent Requirements
GDPR requires explicit consent for most processing activities. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and bundled consents are invalid. You must make it as easy to withdraw consent as to give it.
CCPA does not require consent for collecting or using personal information. Instead, it focuses on the right to opt-out of sale. However, if you process sensitive personal information under CPRA (California Privacy Rights Act), you may need consent.
// Example: Consent management implementation
class ConsentManager {
constructor(regulation) {
this.regulation = regulation;
this.consents = new Map();
}
// GDPR consent requires granular control
gdprConsent(userId, purposes) {
const consentRecord = {
timestamp: new Date().toISOString(),
purposes: purposes, // marketing, analytics, personalization, etc.
granular: {
essential: true,
marketing: purposes.includes('marketing'),
analytics: purposes.includes('analytics'),
personalization: purposes.includes('personalization')
},
source: 'cookie_banner',
proof: this.generate_consent_proof()
};
this.consents.set(userId, consentRecord);
return consentRecord;
}
// CCPA focuses on opt-out of sale
ccpaOptOut(userId) {
return {
user_id: userId,
opt_out_date: new Date().toISOString(),
sale_flag: false,
categories_included: this.get_sale_categories()
};
}
checkConsent(userId, purpose) {
const consent = this.consents.get(userId);
if (!consent) return false;
if (this.regulation === 'gdpr') {
return consent.granular[purpose] === true;
}
return true; // CCPA defaults to allowed until opt-out
}
}
Data Breach Notification
GDPR requires notification within 72 hours of becoming aware of a breach that likely results in risk to individuals’ rights and freedoms. If the breach is likely to result in high risk, you must also communicate it to affected individuals without undue delay.
CCPA requires notification “in the most expedient time possible” but does not specify a fixed timeframe. California law requires notification if the breach involves SSN, driver’s license number, or financial information.
Enforcement and Penalties
GDPR penalties can reach €20 million or 4% of annual global turnover, whichever is higher. Enforcement is by Data Protection Authorities in each EU member state.
CCPA penalties are $2,500 per unintentional violation and $7,500 per intentional violation, enforced by the California Attorney General. There’s no private right of action for most violations, though users can sue for data breaches involving unencrypted or unredacted personal information.
Implementation Checklist
For developers building applications that must comply with both regulations, here’s a practical checklist:
-
Document all personal data you collect, where it flows, and how it’s processed. This is the foundation for responding to access requests.
-
Build automated workflows for handling data subject requests. Users should be able to submit requests without creating an account if possible.
-
Set up a consent management platform or build custom consent tracking. Store consent proofs for GDPR compliance.
-
Collect only what you need. Review your data models and remove unnecessary fields.
-
Define how long you keep each data type and set up automated cleanup.
-
Review all third-party services that process user data. Ensure data processing agreements are in place.
-
Document your breach notification procedures and test them regularly.
Practical Takeaways
For most developers, implementing GDPR compliance covers most CCPA requirements. The key differences to remember are the 72-hour breach notification for GDPR, the specific opt-out mechanism for CCPA sales, and the different response timeframes for data requests.
Build your systems with privacy by design principles: collect less data, retain it for shorter periods, and make it easy to delete. These practices satisfy both regulations and reduce your compliance burden.
The regulatory landscape continues evolving. Several US states have passed their own privacy laws, and the EU continues to refine GDPR through guidance and Schrems II implications. Stay current with your legal counsel and adjust your implementations as requirements change.
Related Reading
- Bitwarden Vault Export Backup Guide: Complete Technical.
- VPN Warrant Canary: What It Means and Why It Matters
- Best VPN for Linux Desktop: A Developer Guide
Built by theluckystrike — More at zovo.one