GDPR vs CCPA: Key Differences for Cookie Consent

GDPR requires prior opt-in consent before cookies load; CCPA requires a Do Not Sell link and opt-out. Compare scope, fines, and cookie banner rules for both laws.


by Billal Hossain • 1 July 2026


The GDPR requires prior opt-in consent before any non-essential cookie fires. It applies to any organization handling EU or EEA resident data, with no business-size threshold. The CCPA instead requires notice and an opt-out mechanism. It applies only to California residents and only to businesses that meet specific size thresholds.

Both laws shape what your cookie banner must do and when. This page compares consent, scope, covered data, consumer rights, and penalties, then shows how one region-aware banner can cover both.

GDPR vs CCPA: What Is the Core Difference for Cookie Consent?

The GDPR requires explicit, prior opt-in consent before placing any non-essential cookie on a visitor's device. The CCPA does not require prior consent for most cookies. It requires a clear "Do Not Sell or Share My Personal Information" link and honoring opt-out requests when received. Under the GDPR, your cookie banner must block non-essential cookies until the visitor accepts. Under the CCPA, cookies can fire by default, but you must make opting out easy.

The ePrivacy Directive (Art. 5(3)) supplies the specific cookie-consent rule; the GDPR (Art. 7) supplies the consent standard. Together they mean: no non-essential cookie fires until a visitor actively opts in. The CCPA, as amended by the CPRA, runs the opposite direction: it starts with collection allowed and ends when the consumer says stop. Source: gdpr.eu/cookies and oag.ca.gov/privacy/ccpa.

What Is the GDPR?

The GDPR (General Data Protection Regulation) is an EU regulation that took effect on May 25, 2018. It governs how any organization processes the personal data of people located in the EU or EEA. For cookies, it sets a prior opt-in consent standard: no non-essential cookie loads until the visitor affirmatively says yes. For a fuller background on what the GDPR is, see our explainer on what the GDPR is.

Core Principles of the GDPR

The GDPR rests on six legal bases for processing personal data (Art. 6): consent, contract, legal obligation, vital interests, public task, and legitimate interests. For non-essential cookies, consent is the only usable legal basis.

Consent under the GDPR must meet four conditions (Art. 7):

  • Freely given: no pre-ticked boxes or bundled consent
  • Specific: separate consent for each cookie category
  • Informed: clear explanation of what each category does
  • Unambiguous: a clear affirmative action, not silence or inaction

Data subjects also hold rights to access, rectification, erasure, restriction, portability, and objection.

How the GDPR Works for Cookies

The GDPR (via the ePrivacy Directive Art. 5(3)) requires you to receive consent before placing any non-essential cookie. Your banner must block those cookies until the visitor accepts. Pre-ticked acceptance boxes are invalid. Withdrawal must be as easy as giving consent: if you use a one-click accept button, a one-click withdraw must exist too.

Strictly necessary cookies (session cookies, authentication, shopping cart) are exempt. Analytics, advertising, personalization, and social cookies all require prior opt-in. For the full technical list of what a GDPR cookie banner must do, see the full GDPR cookie consent rules. Source: gdpr.eu/cookies.

Who the GDPR Applies To

The GDPR applies to any organization worldwide that offers goods or services to, or monitors the behavior of, people located in the EU or EEA. There is no revenue threshold and no company-size floor. A US startup with no EU office still falls under GDPR if it targets or tracks EU visitors.

Limits of the GDPR

The GDPR does not apply to processing of data from people outside the EU or EEA (where that processing is not EU-directed). It does not require a cookie banner if your site uses only strictly necessary cookies. Strictly necessary cookies never require consent under the GDPR or ePrivacy Directive. The law does not govern non-personal, fully anonymized data.

What Is the CCPA (and CPRA)?

The California Consumer Privacy Act (CCPA) is a California state law that took effect January 1, 2020. The California Privacy Rights Act (CPRA), approved by voters in November 2020 and effective January 1, 2023, amended the CCPA. The CPRA is not a separate law: it is an amendment that strengthened and expanded the CCPA. Both regulators refer to the law simply as "the CCPA." The CCPA gives California consumers opt-out and disclosure rights over personal information collected about them. Source: cppa.ca.gov/faq.html and oag.ca.gov/privacy/ccpa.

Core Principles of the CCPA

The CCPA rests on transparency, consumer control, and the right to opt out, not on prior consent to collect. It grants four original rights.

  • Right to know what personal information is collected about you and how it is used
  • Right to delete personal information (with exceptions)
  • Right to opt out of the sale or sharing of your personal information
  • Right to non-discrimination for exercising these rights

The CPRA (2023) added two more rights. These are the right to correct inaccurate personal information and the right to limit the use of sensitive personal information.

How the CCPA Works for Cookies

Cookies that identify, relate to, or can reasonably be linked to a consumer or household are personal information under the CCPA. That includes device IDs, IP addresses, and browsing history. But the CCPA does not require prior consent to use them. You can load cookies by default.

What the CCPA does require:

  • A notice at collection (before or at the point data is collected), listing categories of personal information collected and the purpose
  • A clear "Do Not Sell or Share My Personal Information" link on your website if you sell or share personal information
  • Honoring the Global Privacy Control (GPC) signal as a valid opt-out request: if a visitor uses a GPC-enabled browser, you must treat it as a formal opt-out

One common misconception is that the CCPA requires opt-in cookie consent like the GDPR. It does not. Cookies fire by default under CCPA; opt-out is the mechanism. The exception is minors: selling the personal information of consumers known to be under 16 requires affirmative opt-in. Source: oag.ca.gov/privacy/ccpa.

Who the CCPA Applies To

The CCPA applies to for-profit businesses operating in California that meet at least one threshold below. These are the 2025 operative figures from the California Privacy Protection Agency.

  • Annual gross revenue exceeding $26.625 million (CPI-adjusted from the original $25 million statutory figure)
  • Buy, sell, receive, or share the personal information of 100,000 or more California consumers or households per year
  • Derive 50% or more of annual revenue from selling California consumers' personal information

Source: cppa.ca.gov/faq.html.

Limits of the CCPA

The CCPA covers California residents only. Visitors from other US states or other countries have no rights under the CCPA. Businesses below all three thresholds have no CCPA obligation. Nonprofit organizations and government agencies are not covered. For non-sensitive data, the law requires opt-out rights, not prior consent; there is no pre-collection consent requirement for most cookies.

GDPR vs CCPA: Side-by-Side Comparison

Here is how the two laws line up across the dimensions that matter most for cookie consent.

DimensionGDPRCCPA (as amended by CPRA)
JurisdictionEU and EEACalifornia, USA
Effective dateMay 25, 2018Jan 1, 2020; CPRA Jan 1, 2023
Who is protectedAnyone located in the EU or EEACalifornia residents and households
Who must complyAny organization processing EU/EEA resident data; no size thresholdFor-profit businesses meeting at least one size threshold
Consent modelOpt-in, prior consent required before non-essential cookiesOpt-out; cookies may fire by default; notice + Do Not Sell link required
Cookie consent requirementBanner required; block non-essential cookies until consentNo banner required; Do Not Sell or Share link required if selling/sharing PI
Legal basis requiredYes, one of six legal bases; consent is standard for non-essential cookiesNo general legal basis requirement for collection
Honor GPC signalNot specified in GDPR or ePrivacy DirectiveYes, legally required under CCPA/CPRA
Max penaltyUp to EUR 20 million or 4% of global annual turnover (Art. 83(5))Up to $7,500 per intentional violation; $750 per consumer per breach
EnforcementNational data protection authorities (DPAs) in each EU/EEA member stateCalifornia Privacy Protection Agency (CPPA); California Attorney General

Note: Requirements, consent model, and GPC honoring are the primary factors that differentiate what your banner must do under each law.

Opt-in vs Opt-out: The Consent Model That Defines Each Law

The single defining difference between GDPR and CCPA for cookie consent is the direction of the consent default. Under the GDPR, no non-essential cookie fires until the visitor actively says yes. Under the CCPA, cookies fire by default and the consumer must actively request a stop. This one inversion determines whether your banner blocks cookies first or simply presents an opt-out link.

GDPR: Prior Opt-in Consent

Under the GDPR (via the ePrivacy Directive), your banner must prevent non-essential cookies from loading until the visitor takes a positive action. The key mechanics:

  • Non-essential cookies are blocked before consent is given
  • A pre-ticked "accept" box is not valid consent
  • The visitor must be able to reject non-essential cookies as easily as accepting them
  • Consent must be granular: one checkbox per cookie category is standard
  • Withdrawal must be a one-step action (a floating revisit button handles this)
  • Strictly necessary cookies are exempt and fire immediately

Analytics cookies (Google Analytics, for example) are not strictly necessary. They require GDPR opt-in.

CCPA: Notice and Opt-out

Under the CCPA, the baseline rule is the opposite: cookies may fire. Your obligations are:

  • Provide a notice at collection before or at the point personal information is collected
  • Display a "Do Not Sell or Share My Personal Information" link if you sell or share personal information
  • Honor the GPC signal: if a visitor's browser signals GPC, treat it as a valid opt-out request immediately
  • Obtain explicit opt-in before selling the personal information of consumers known to be under 16

There is no requirement to block cookies before loading. The question is whether you let consumers opt out easily, not whether you got permission first.

Which Model Applies to You

The consent model you need depends on where your visitors are located.

  • Your site receives EU or EEA visitors: GDPR opt-in applies to those visitors.
  • Your site receives California consumers and you meet the CCPA thresholds: CCPA opt-out applies.
  • Your site receives both EU/EEA visitors and California consumers: you need both models running simultaneously, switched by visitor region.
  • Your site is US-only, below all CCPA thresholds, and uses only strictly necessary cookies: neither law requires a banner.

Scope and Territorial Reach: Who Has to Comply?

The GDPR applies to any organization worldwide that processes EU/EEA resident data, with no revenue threshold. The CCPA applies only to California residents and only bites businesses that cross at least one size threshold. A site that serves only US visitors may have no GDPR obligation at all.

GDPR Scope

The GDPR is extraterritorial. Any organization, wherever it is based, that offers goods or services to EU/EEA residents or monitors their behavior falls under the regulation. There is no minimum revenue, employee count, or data volume threshold. A solo developer building a free tool for EU users still owes GDPR compliance.

CCPA Scope

The CCPA covers only California residents (not tourists, not visitors from other states). Coverage is further limited to for-profit businesses doing business in California that meet at least one of three thresholds:

  • Annual gross revenue over $26.625 million (CPI-adjusted, 2025)
  • Buy, sell, receive, or share PI of 100,000 or more California consumers or households
  • 50% or more of annual revenue from selling California consumers' PI

Source: cppa.ca.gov/faq.html.

Nonprofit organizations, government agencies, and businesses below all three thresholds have no CCPA obligation.

Which Law Applies to You

A US-only small business below all CCPA thresholds and using only strictly necessary cookies owes no banner under either law. A global SaaS business with EU/EEA users owes GDPR compliance regardless of size. A California-based e-commerce store over the revenue threshold owes CCPA compliance. A business in both situations owes both.

Personal Data and Consumer Rights Compared

Both laws cover cookies and device identifiers, but their definitions and the rights they grant differ. The GDPR covers any information on an identifiable natural person. The CCPA covers information that identifies, relates to, or could reasonably be linked to a California consumer or household.

What Data Each Law Covers

The GDPR defines personal data as any information relating to an identified or identifiable natural person. Online identifiers including IP addresses, cookie IDs, and device IDs are explicitly included by Recital 30 and Art. 4(1).

The CCPA defines personal information as data that identifies, relates to, or can reasonably be linked with a California consumer or household. The statute explicitly includes several categories.

  • Internet and electronic network activity (browsing history, interaction with websites and ads)
  • Geolocation data, device identifiers, IP addresses
  • Commercial information, sensory data, and inferences

The CPRA added a subcategory of sensitive personal information with stricter controls. It covers:

  • Social security numbers and financial account credentials
  • Precise geolocation and health data
  • Racial or ethnic origin, religious beliefs, sexual orientation, and union membership
  • Genetic and biometric identifiers, and the contents of communications

Source: oag.ca.gov/privacy/ccpa.

What Rights Each Law Grants

The two laws overlap on access and deletion but diverge on portability, opt-out, and sensitive-data limits. This table maps each right across both regimes:

RightGDPRCCPA (as amended by CPRA)
Right to access / knowYes (Art. 15)Yes
Right to delete / erasureYes (Art. 17)Yes (with exceptions)
Right to correctYes (Art. 16)Yes (added by CPRA, 2023)
Right to data portabilityYes (Art. 20)No equivalent
Right to opt out of sale/sharingNo direct equivalentYes (core CCPA right)
Right to restrict processingYes (Art. 18)No direct equivalent
Right to limit sensitive PI useNo direct equivalentYes (added by CPRA, 2023)
Right to non-discriminationImplicit in fairness principlesExplicit CCPA right

Penalties and Enforcement Compared

GDPR fines can reach EUR 20 million or 4% of global annual turnover for consent violations. CCPA penalties run up to $7,500 per intentional violation, with a private right of action limited to data breaches. Both regulators can investigate proactively; neither requires a victim complaint to open a case.

GDPR Penalties

The GDPR uses a two-tier fine structure under Art. 83, sourced verbatim from gdpr-info.eu/art-83-gdpr.

  • Tier 1 (Art. 83(4)): up to EUR 10 million or 2% of global annual turnover, whichever is higher. It applies to controller and processor obligations (Art. 8, 11, 25 to 39, 42, 43).
  • Tier 2 (Art. 83(5)): up to EUR 20 million or 4% of global annual turnover, whichever is higher. It applies to the basic principles for processing, including conditions for consent (Art. 5, 6, 7, 9), data subject rights (Art. 12 to 22), and third-country transfers.

Cookie consent violations fall under Tier 2, the higher fine tier, because they involve Art. 5, 6, and 7 (conditions for consent). Fines are not automatic maximums: regulators weigh 11 factors including gravity, intent, cooperation, and past violations.

National data protection authorities (DPAs) in each EU/EEA member state enforce the GDPR. Fines are issued by the DPA of the country where the affected residents are located or where the business has its EU establishment.

CCPA Penalties

The California Privacy Protection Agency (CPPA) enforces the CCPA/CPRA. The California Attorney General may also bring enforcement actions. Penalties per cppa.ca.gov/faq.html:

  • Up to $2,500 per unintentional violation
  • Up to $7,500 per intentional violation
  • Up to $7,500 per violation involving a minor

The private right of action under CCPA is narrow: it covers data breaches only. Individuals can sue for $100 to $750 per consumer per incident, or actual damages if higher. Most CCPA violations (non-banner, non-breach) can only be pursued by the CPPA or the AG. Source: oag.ca.gov/privacy/ccpa.

Which Is Riskier for You

In absolute fine size, GDPR exposure is larger. A 4% global turnover fine for a mid-sized company can dwarf CCPA per-violation amounts. CCPA risk compounds differently. The private right of action for breaches ($750 per consumer per incident) can scale fast on a large breach with many California consumers. Neither risk is trivial. Both justify a functioning consent setup.

Can One Cookie Banner Comply with Both GDPR and CCPA?

Yes, one banner can comply with both laws through region-based consent switching. EU and EEA visitors see an opt-in (prior-blocking) experience. California visitors see an opt-out (notice plus Do Not Sell) experience. A single JavaScript install with geolocation-based template selection handles both without two separate banners.

Region-based consent works in five steps.

  1. When a visitor lands, the banner detects their location using their IP address or browser locale.
  2. EU/EEA visitors get the GDPR template: non-essential cookies are blocked; a consent banner appears; cookies load only after acceptance.
  3. California visitors (with a business that meets CCPA thresholds) get the CCPA template: cookies fire by default; a notice appears with a Do Not Sell or Share My Personal Information link and a dismiss/close button.
  4. Visitors outside both jurisdictions get a lighter notice or no banner, depending on your configuration.
  5. Google Consent Mode v2 receives the correct consent signals in both cases, preserving analytics and advertising measurement.

This dual-mode setup keeps one install, one consent log, and one policy document. It still presents the legally correct experience to each visitor by region.

How to Comply with GDPR and CCPA Cookie Consent

Meeting both laws from one install requires these steps, in order:

  1. Audit and scan your site for all cookies, trackers, scripts, and iframes. Know what fires and when.
  2. Classify cookies by category: strictly necessary, analytics, advertising, personalization, social, and unclassified. Strictly necessary cookies need no consent under either law.
  3. Configure a region-based banner with two templates: an opt-in template for EU/EEA visitors (GDPR) and an opt-out template for California visitors (CCPA).
  4. Enable cookie auto-blocking on the GDPR template: no non-essential cookie or script fires until the EU/EEA visitor consents.
  5. Add a "Do Not Sell or Share My Personal Information" link for the CCPA template. Honor opt-out requests when received. Note: GPC signal detection is a separate technical requirement (see the Consently section below for its current status).
  6. Publish a cookie policy and privacy policy covering both laws. Update them when your cookie list changes.
  7. Log consent records for GDPR audit purposes. GDPR requires you to prove a visitor consented; keep timestamped records with the banner version shown.

For a full step-by-step checklist, see how to make your website GDPR compliant. GDPR and CCPA are two of the most impactful regulations, but other data privacy laws such as PIPEDA, LGPD, and POPIA follow similar frameworks.

How Consently Supports Both GDPR and CCPA Cookie Consent

Consently handles both consent models from one platform using region-based templates and Google Consent Mode v2. Install one script, configure your GDPR and CCPA templates, and Consently shows each visitor the correct banner for their location. It is a consent management platform built for this dual-jurisdiction reality. It supports all GDPR-mandated features and the CCPA opt-out mechanics, with one honest limitation noted below.

Consently for GDPR (Opt-in)

Consently's GDPR opt-in template enforces prior consent before non-essential cookies load.

  • Cookie and tracker scanning detects every non-essential cookie, script, and iframe on your site
  • Cookie auto-blocking prevents non-essential cookies and scripts from firing until the visitor accepts
  • The banner presents granular category-level consent (analytics, advertising, personalization)
  • Pre-ticked boxes are not used; the banner requires an affirmative action
  • A floating revisit button lets visitors withdraw consent at any time (one-click, per GDPR Art. 7)
  • Consent logs record every visitor's choice with a timestamp, banner version, and consent state, exportable for DPA audit requests

Google Consent Mode v2 integration passes the correct consent signals to Google Analytics and Google Ads when visitors accept or reject.

Consently for CCPA (Opt-out)

Consently's CCPA/US opt-out template handles the notice-and-opt-out model.

  • Cookies fire by default for California visitors under this template
  • A notice at collection is displayed, with the banner's dismiss/close button as the standard interaction
  • A "Do Not Sell or Share My Personal Information" opt-out link is included in the banner and can be added to your footer
  • Automatic geotargeting (country-code-based script loading) routes California visitors to the CCPA template and EU/EEA visitors to the GDPR template from the same install

Honest limitation on GPC: The CCPA/CPRA requires covered businesses to honor the Global Privacy Control (GPC) signal as a valid opt-out request. Consently does not currently detect the GPC signal automatically. If your CCPA obligations include GPC honoring, you need to implement manual GPC detection alongside Consently's opt-out link. This is a confirmed gap in the current product, and you should verify its status on Consently's roadmap before deployment.

Start a free 14-day trial at Consently (no credit card required) to set up both GDPR and CCPA templates from one dashboard.

FAQs

Does the GDPR Require Cookie Consent?

Yes. The GDPR, applied together with the ePrivacy Directive (Art. 5(3)), requires prior opt-in consent before placing any non-essential cookie on a visitor's device. Strictly necessary cookies (session, authentication, shopping cart) are exempt and fire without consent. All analytics, advertising, personalization, and social cookies require consent. Source: gdpr.eu/cookies.

Does the CCPA Require Cookie Consent?

Not in the opt-in sense. The CCPA does not require a cookie consent banner or prior opt-in for most cookies. Businesses that sell or share personal information must provide a "Do Not Sell or Share My Personal Information" link. They must also honor the GPC signal as a valid opt-out. Cookies may load by default. The exception is consumers under 16: opt-in is required before selling their personal information. Source: oag.ca.gov/privacy/ccpa.

Is the CCPA the Same as the GDPR?

No. They differ in jurisdiction (EU/EEA vs California), consent model (opt-in vs opt-out), business thresholds (none vs revenue/data-volume tests), penalty structure, and enforcement body. The CPRA amended the CCPA in 2023; it is not a separate law. Source: cppa.ca.gov/faq.html.

Which Is Stricter, GDPR or CCPA?

The GDPR is generally stricter on cookies. It requires prior opt-in and a legal basis for every processing activity. It also carries higher maximum fines (up to EUR 20 million or 4% of global turnover for consent violations). The CCPA is an opt-out law with lower per-violation penalties, though its per-consumer breach damages can compound at scale. For a website operator who serves EU/EEA visitors, GDPR imposes the heavier burden on banner design.

Does the GDPR Apply to California?

Yes, if a California-based business processes the personal data of people located in the EU or EEA. The GDPR follows the data subject's location, not the company's. A California startup offering a service to EU users owes GDPR compliance regardless of where it is incorporated.

Can I Use the Same Cookie Banner for GDPR and CCPA?

Yes. A region-aware banner switches between an opt-in model for EU/EEA visitors and an opt-out model for California visitors, based on geolocation. One install handles both when your consent management platform supports region-based template selection.

What Tool Handles Both GDPR and CCPA Cookie Consent?

A consent management platform with region-based templates runs opt-in and opt-out from one install. It shows the GDPR banner to EU/EEA visitors and the CCPA opt-out notice to California visitors. Consently is one option. It includes both GDPR opt-in and CCPA opt-out templates with automatic geotargeting, Google Consent Mode v2, and a consent log. Pricing starts at $99 per year for one domain.

AUTHOR

Billal Hossain is a software engineer with hands-on experience building Consently from start to finish. His work gives him a practical understanding of consent management platforms, cookie consent, and how businesses can create more compliant, user-friendly websites.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.