The GDPR requires prior opt-in consent before any non-essential cookie fires. It applies to any organization handling EU or EEA resident data, with no business-size threshold. The CCPA instead requires notice and an opt-out mechanism. It applies only to California residents and only to businesses that meet specific size thresholds.
Both laws shape what your cookie banner must do and when. This page compares consent, scope, covered data, consumer rights, and penalties, then shows how one region-aware banner can cover both.
GDPR vs CCPA: What Is the Core Difference for Cookie Consent?
The GDPR requires explicit, prior opt-in consent before placing any non-essential cookie on a visitor's device. The CCPA does not require prior consent for most cookies. It requires a clear "Do Not Sell or Share My Personal Information" link and honoring opt-out requests when received. Under the GDPR, your cookie banner must block non-essential cookies until the visitor accepts. Under the CCPA, cookies can fire by default, but you must make opting out easy.
The ePrivacy Directive (Art. 5(3)) supplies the specific cookie-consent rule; the GDPR (Art. 7) supplies the consent standard. Together they mean: no non-essential cookie fires until a visitor actively opts in. The CCPA, as amended by the CPRA, runs the opposite direction: it starts with collection allowed and ends when the consumer says stop. Source: gdpr.eu/cookies and oag.ca.gov/privacy/ccpa.
What Is the GDPR?
The GDPR (General Data Protection Regulation) is an EU regulation that took effect on May 25, 2018. It governs how any organization processes the personal data of people located in the EU or EEA. For cookies, it sets a prior opt-in consent standard: no non-essential cookie loads until the visitor affirmatively says yes. For a fuller background on what the GDPR is, see our explainer on what the GDPR is.
Core Principles of the GDPR
The GDPR rests on six legal bases for processing personal data (Art. 6): consent, contract, legal obligation, vital interests, public task, and legitimate interests. For non-essential cookies, consent is the only usable legal basis.
Consent under the GDPR must meet four conditions (Art. 7):
- Freely given: no pre-ticked boxes or bundled consent
- Specific: separate consent for each cookie category
- Informed: clear explanation of what each category does
- Unambiguous: a clear affirmative action, not silence or inaction
Data subjects also hold rights to access, rectification, erasure, restriction, portability, and objection.
How the GDPR Works for Cookies
The GDPR (via the ePrivacy Directive Art. 5(3)) requires you to receive consent before placing any non-essential cookie. Your banner must block those cookies until the visitor accepts. Pre-ticked acceptance boxes are invalid. Withdrawal must be as easy as giving consent: if you use a one-click accept button, a one-click withdraw must exist too.
Strictly necessary cookies (session cookies, authentication, shopping cart) are exempt. Analytics, advertising, personalization, and social cookies all require prior opt-in. For the full technical list of what a GDPR cookie banner must do, see the full GDPR cookie consent rules. Source: gdpr.eu/cookies.
Who the GDPR Applies To
The GDPR applies to any organization worldwide that offers goods or services to, or monitors the behavior of, people located in the EU or EEA. There is no revenue threshold and no company-size floor. A US startup with no EU office still falls under GDPR if it targets or tracks EU visitors.
Limits of the GDPR
The GDPR does not apply to processing of data from people outside the EU or EEA (where that processing is not EU-directed). It does not require a cookie banner if your site uses only strictly necessary cookies. Strictly necessary cookies never require consent under the GDPR or ePrivacy Directive. The law does not govern non-personal, fully anonymized data.
What Is the CCPA (and CPRA)?
The California Consumer Privacy Act (CCPA) is a California state law that took effect January 1, 2020. The California Privacy Rights Act (CPRA), approved by voters in November 2020 and effective January 1, 2023, amended the CCPA. The CPRA is not a separate law: it is an amendment that strengthened and expanded the CCPA. Both regulators refer to the law simply as "the CCPA." The CCPA gives California consumers opt-out and disclosure rights over personal information collected about them. Source: cppa.ca.gov/faq.html and oag.ca.gov/privacy/ccpa.
Core Principles of the CCPA
The CCPA rests on transparency, consumer control, and the right to opt out, not on prior consent to collect. It grants four original rights.
- Right to know what personal information is collected about you and how it is used
- Right to delete personal information (with exceptions)
- Right to opt out of the sale or sharing of your personal information
- Right to non-discrimination for exercising these rights
The CPRA (2023) added two more rights. These are the right to correct inaccurate personal information and the right to limit the use of sensitive personal information.
How the CCPA Works for Cookies
Cookies that identify, relate to, or can reasonably be linked to a consumer or household are personal information under the CCPA. That includes device IDs, IP addresses, and browsing history. But the CCPA does not require prior consent to use them. You can load cookies by default.
What the CCPA does require:
- A notice at collection (before or at the point data is collected), listing categories of personal information collected and the purpose
- A clear "Do Not Sell or Share My Personal Information" link on your website if you sell or share personal information
- Honoring the Global Privacy Control (GPC) signal as a valid opt-out request: if a visitor uses a GPC-enabled browser, you must treat it as a formal opt-out
One common misconception is that the CCPA requires opt-in cookie consent like the GDPR. It does not. Cookies fire by default under CCPA; opt-out is the mechanism. The exception is minors: selling the personal information of consumers known to be under 16 requires affirmative opt-in. Source: oag.ca.gov/privacy/ccpa.
Who the CCPA Applies To
The CCPA applies to for-profit businesses operating in California that meet at least one threshold below. These are the 2025 operative figures from the California Privacy Protection Agency.
- Annual gross revenue exceeding $26.625 million (CPI-adjusted from the original $25 million statutory figure)
- Buy, sell, receive, or share the personal information of 100,000 or more California consumers or households per year
- Derive 50% or more of annual revenue from selling California consumers' personal information
Source: cppa.ca.gov/faq.html.
Limits of the CCPA
The CCPA covers California residents only. Visitors from other US states or other countries have no rights under the CCPA. Businesses below all three thresholds have no CCPA obligation. Nonprofit organizations and government agencies are not covered. For non-sensitive data, the law requires opt-out rights, not prior consent; there is no pre-collection consent requirement for most cookies.
GDPR vs CCPA: Side-by-Side Comparison
Here is how the two laws line up across the dimensions that matter most for cookie consent.
| Dimension | GDPR | CCPA (as amended by CPRA) |
|---|---|---|
| Jurisdiction | EU and EEA | California, USA |
| Effective date | May 25, 2018 | Jan 1, 2020; CPRA Jan 1, 2023 |
| Who is protected | Anyone located in the EU or EEA | California residents and households |
| Who must comply | Any organization processing EU/EEA resident data; no size threshold | For-profit businesses meeting at least one size threshold |
| Consent model | Opt-in, prior consent required before non-essential cookies | Opt-out; cookies may fire by default; notice + Do Not Sell link required |
| Cookie consent requirement | Banner required; block non-essential cookies until consent | No banner required; Do Not Sell or Share link required if selling/sharing PI |
| Legal basis required | Yes, one of six legal bases; consent is standard for non-essential cookies | No general legal basis requirement for collection |
| Honor GPC signal | Not specified in GDPR or ePrivacy Directive | Yes, legally required under CCPA/CPRA |
| Max penalty | Up to EUR 20 million or 4% of global annual turnover (Art. 83(5)) | Up to $7,500 per intentional violation; $750 per consumer per breach |
| Enforcement | National data protection authorities (DPAs) in each EU/EEA member state | California Privacy Protection Agency (CPPA); California Attorney General |
Note: Requirements, consent model, and GPC honoring are the primary factors that differentiate what your banner must do under each law.
Opt-in vs Opt-out: The Consent Model That Defines Each Law
The single defining difference between GDPR and CCPA for cookie consent is the direction of the consent default. Under the GDPR, no non-essential cookie fires until the visitor actively says yes. Under the CCPA, cookies fire by default and the consumer must actively request a stop. This one inversion determines whether your banner blocks cookies first or simply presents an opt-out link.
GDPR: Prior Opt-in Consent
Under the GDPR (via the ePrivacy Directive), your banner must prevent non-essential cookies from loading until the visitor takes a positive action. The key mechanics:
- Non-essential cookies are blocked before consent is given
- A pre-ticked "accept" box is not valid consent
- The visitor must be able to reject non-essential cookies as easily as accepting them
- Consent must be granular: one checkbox per cookie category is standard
- Withdrawal must be a one-step action (a floating revisit button handles this)
- Strictly necessary cookies are exempt and fire immediately
Analytics cookies (Google Analytics, for example) are not strictly necessary. They require GDPR opt-in.
CCPA: Notice and Opt-out
Under the CCPA, the baseline rule is the opposite: cookies may fire. Your obligations are:
- Provide a notice at collection before or at the point personal information is collected
- Display a "Do Not Sell or Share My Personal Information" link if you sell or share personal information
- Honor the GPC signal: if a visitor's browser signals GPC, treat it as a valid opt-out request immediately
- Obtain explicit opt-in before selling the personal information of consumers known to be under 16
There is no requirement to block cookies before loading. The question is whether you let consumers opt out easily, not whether you got permission first.
Which Model Applies to You
The consent model you need depends on where your visitors are located.
- Your site receives EU or EEA visitors: GDPR opt-in applies to those visitors.
- Your site receives California consumers and you meet the CCPA thresholds: CCPA opt-out applies.
- Your site receives both EU/EEA visitors and California consumers: you need both models running simultaneously, switched by visitor region.
- Your site is US-only, below all CCPA thresholds, and uses only strictly necessary cookies: neither law requires a banner.
Scope and Territorial Reach: Who Has to Comply?
The GDPR applies to any organization worldwide that processes EU/EEA resident data, with no revenue threshold. The CCPA applies only to California residents and only bites businesses that cross at least one size threshold. A site that serves only US visitors may have no GDPR obligation at all.
GDPR Scope
The GDPR is extraterritorial. Any organization, wherever it is based, that offers goods or services to EU/EEA residents or monitors their behavior falls under the regulation. There is no minimum revenue, employee count, or data volume threshold. A solo developer building a free tool for EU users still owes GDPR compliance.
CCPA Scope
The CCPA covers only California residents (not tourists, not visitors from other states). Coverage is further limited to for-profit businesses doing business in California that meet at least one of three thresholds:
- Annual gross revenue over $26.625 million (CPI-adjusted, 2025)
- Buy, sell, receive, or share PI of 100,000 or more California consumers or households
- 50% or more of annual revenue from selling California consumers' PI
Source: cppa.ca.gov/faq.html.
Nonprofit organizations, government agencies, and businesses below all three thresholds have no CCPA obligation.
Which Law Applies to You
A US-only small business below all CCPA thresholds and using only strictly necessary cookies owes no banner under either law. A global SaaS business with EU/EEA users owes GDPR compliance regardless of size. A California-based e-commerce store over the revenue threshold owes CCPA compliance. A business in both situations owes both.
Personal Data and Consumer Rights Compared
Both laws cover cookies and device identifiers, but their definitions and the rights they grant differ. The GDPR covers any information on an identifiable natural person. The CCPA covers information that identifies, relates to, or could reasonably be linked to a California consumer or household.
What Data Each Law Covers
The GDPR defines personal data as any information relating to an identified or identifiable natural person. Online identifiers including IP addresses, cookie IDs, and device IDs are explicitly included by Recital 30 and Art. 4(1).
The CCPA defines personal information as data that identifies, relates to, or can reasonably be linked with a California consumer or household. The statute explicitly includes several categories.
- Internet and electronic network activity (browsing history, interaction with websites and ads)
- Geolocation data, device identifiers, IP addresses
- Commercial information, sensory data, and inferences
The CPRA added a subcategory of sensitive personal information with stricter controls. It covers:
- Social security numbers and financial account credentials
- Precise geolocation and health data
- Racial or ethnic origin, religious beliefs, sexual orientation, and union membership
- Genetic and biometric identifiers, and the contents of communications
Source: oag.ca.gov/privacy/ccpa.
What Rights Each Law Grants
The two laws overlap on access and deletion but diverge on portability, opt-out, and sensitive-data limits. This table maps each right across both regimes:
| Right | GDPR | CCPA (as amended by CPRA) |
|---|---|---|
| Right to access / know | Yes (Art. 15) | Yes |
| Right to delete / erasure | Yes (Art. 17) | Yes (with exceptions) |
| Right to correct | Yes (Art. 16) | Yes (added by CPRA, 2023) |
| Right to data portability | Yes (Art. 20) | No equivalent |
| Right to opt out of sale/sharing | No direct equivalent | Yes (core CCPA right) |
| Right to restrict processing | Yes (Art. 18) | No direct equivalent |
| Right to limit sensitive PI use | No direct equivalent | Yes (added by CPRA, 2023) |
| Right to non-discrimination | Implicit in fairness principles | Explicit CCPA right |
Penalties and Enforcement Compared
GDPR fines can reach EUR 20 million or 4% of global annual turnover for consent violations. CCPA penalties run up to $7,500 per intentional violation, with a private right of action limited to data breaches. Both regulators can investigate proactively; neither requires a victim complaint to open a case.
GDPR Penalties
The GDPR uses a two-tier fine structure under Art. 83, sourced verbatim from gdpr-info.eu/art-83-gdpr.
- Tier 1 (Art. 83(4)): up to EUR 10 million or 2% of global annual turnover, whichever is higher. It applies to controller and processor obligations (Art. 8, 11, 25 to 39, 42, 43).
- Tier 2 (Art. 83(5)): up to EUR 20 million or 4% of global annual turnover, whichever is higher. It applies to the basic principles for processing, including conditions for consent (Art. 5, 6, 7, 9), data subject rights (Art. 12 to 22), and third-country transfers.
Cookie consent violations fall under Tier 2, the higher fine tier, because they involve Art. 5, 6, and 7 (conditions for consent). Fines are not automatic maximums: regulators weigh 11 factors including gravity, intent, cooperation, and past violations.
National data protection authorities (DPAs) in each EU/EEA member state enforce the GDPR. Fines are issued by the DPA of the country where the affected residents are located or where the business has its EU establishment.
CCPA Penalties
The California Privacy Protection Agency (CPPA) enforces the CCPA/CPRA. The California Attorney General may also bring enforcement actions. Penalties per cppa.ca.gov/faq.html:
- Up to $2,500 per unintentional violation
- Up to $7,500 per intentional violation
- Up to $7,500 per violation involving a minor
The private right of action under CCPA is narrow: it covers data breaches only. Individuals can sue for $100 to $750 per consumer per incident, or actual damages if higher. Most CCPA violations (non-banner, non-breach) can only be pursued by the CPPA or the AG. Source: oag.ca.gov/privacy/ccpa.
Which Is Riskier for You
In absolute fine size, GDPR exposure is larger. A 4% global turnover fine for a mid-sized company can dwarf CCPA per-violation amounts. CCPA risk compounds differently. The private right of action for breaches ($750 per consumer per incident) can scale fast on a large breach with many California consumers. Neither risk is trivial. Both justify a functioning consent setup.
Can One Cookie Banner Comply with Both GDPR and CCPA?
Yes, one banner can comply with both laws through region-based consent switching. EU and EEA visitors see an opt-in (prior-blocking) experience. California visitors see an opt-out (notice plus Do Not Sell) experience. A single JavaScript install with geolocation-based template selection handles both without two separate banners.
Region-based consent works in five steps.
- When a visitor lands, the banner detects their location using their IP address or browser locale.
- EU/EEA visitors get the GDPR template: non-essential cookies are blocked; a consent banner appears; cookies load only after acceptance.
- California visitors (with a business that meets CCPA thresholds) get the CCPA template: cookies fire by default; a notice appears with a Do Not Sell or Share My Personal Information link and a dismiss/close button.
- Visitors outside both jurisdictions get a lighter notice or no banner, depending on your configuration.
- Google Consent Mode v2 receives the correct consent signals in both cases, preserving analytics and advertising measurement.
This dual-mode setup keeps one install, one consent log, and one policy document. It still presents the legally correct experience to each visitor by region.
How to Comply with GDPR and CCPA Cookie Consent
Meeting both laws from one install requires these steps, in order:
- Audit and scan your site for all cookies, trackers, scripts, and iframes. Know what fires and when.
- Classify cookies by category: strictly necessary, analytics, advertising, personalization, social, and unclassified. Strictly necessary cookies need no consent under either law.
- Configure a region-based banner with two templates: an opt-in template for EU/EEA visitors (GDPR) and an opt-out template for California visitors (CCPA).
- Enable cookie auto-blocking on the GDPR template: no non-essential cookie or script fires until the EU/EEA visitor consents.
- Add a "Do Not Sell or Share My Personal Information" link for the CCPA template. Honor opt-out requests when received. Note: GPC signal detection is a separate technical requirement (see the Consently section below for its current status).
- Publish a cookie policy and privacy policy covering both laws. Update them when your cookie list changes.
- Log consent records for GDPR audit purposes. GDPR requires you to prove a visitor consented; keep timestamped records with the banner version shown.
For a full step-by-step checklist, see how to make your website GDPR compliant. GDPR and CCPA are two of the most impactful regulations, but other data privacy laws such as PIPEDA, LGPD, and POPIA follow similar frameworks.
How Consently Supports Both GDPR and CCPA Cookie Consent
Consently handles both consent models from one platform using region-based templates and Google Consent Mode v2. Install one script, configure your GDPR and CCPA templates, and Consently shows each visitor the correct banner for their location. It is a consent management platform built for this dual-jurisdiction reality. It supports all GDPR-mandated features and the CCPA opt-out mechanics, with one honest limitation noted below.
Consently for GDPR (Opt-in)
Consently's GDPR opt-in template enforces prior consent before non-essential cookies load.
- Cookie and tracker scanning detects every non-essential cookie, script, and iframe on your site
- Cookie auto-blocking prevents non-essential cookies and scripts from firing until the visitor accepts
- The banner presents granular category-level consent (analytics, advertising, personalization)
- Pre-ticked boxes are not used; the banner requires an affirmative action
- A floating revisit button lets visitors withdraw consent at any time (one-click, per GDPR Art. 7)
- Consent logs record every visitor's choice with a timestamp, banner version, and consent state, exportable for DPA audit requests
Google Consent Mode v2 integration passes the correct consent signals to Google Analytics and Google Ads when visitors accept or reject.
Consently for CCPA (Opt-out)
Consently's CCPA/US opt-out template handles the notice-and-opt-out model.
- Cookies fire by default for California visitors under this template
- A notice at collection is displayed, with the banner's dismiss/close button as the standard interaction
- A "Do Not Sell or Share My Personal Information" opt-out link is included in the banner and can be added to your footer
- Automatic geotargeting (country-code-based script loading) routes California visitors to the CCPA template and EU/EEA visitors to the GDPR template from the same install
Honest limitation on GPC: The CCPA/CPRA requires covered businesses to honor the Global Privacy Control (GPC) signal as a valid opt-out request. Consently does not currently detect the GPC signal automatically. If your CCPA obligations include GPC honoring, you need to implement manual GPC detection alongside Consently's opt-out link. This is a confirmed gap in the current product, and you should verify its status on Consently's roadmap before deployment.
Start a free 14-day trial at Consently (no credit card required) to set up both GDPR and CCPA templates from one dashboard.
FAQs
Does the GDPR Require Cookie Consent?
Yes. The GDPR, applied together with the ePrivacy Directive (Art. 5(3)), requires prior opt-in consent before placing any non-essential cookie on a visitor's device. Strictly necessary cookies (session, authentication, shopping cart) are exempt and fire without consent. All analytics, advertising, personalization, and social cookies require consent. Source: gdpr.eu/cookies.
Does the CCPA Require Cookie Consent?
Not in the opt-in sense. The CCPA does not require a cookie consent banner or prior opt-in for most cookies. Businesses that sell or share personal information must provide a "Do Not Sell or Share My Personal Information" link. They must also honor the GPC signal as a valid opt-out. Cookies may load by default. The exception is consumers under 16: opt-in is required before selling their personal information. Source: oag.ca.gov/privacy/ccpa.
Is the CCPA the Same as the GDPR?
No. They differ in jurisdiction (EU/EEA vs California), consent model (opt-in vs opt-out), business thresholds (none vs revenue/data-volume tests), penalty structure, and enforcement body. The CPRA amended the CCPA in 2023; it is not a separate law. Source: cppa.ca.gov/faq.html.
Which Is Stricter, GDPR or CCPA?
The GDPR is generally stricter on cookies. It requires prior opt-in and a legal basis for every processing activity. It also carries higher maximum fines (up to EUR 20 million or 4% of global turnover for consent violations). The CCPA is an opt-out law with lower per-violation penalties, though its per-consumer breach damages can compound at scale. For a website operator who serves EU/EEA visitors, GDPR imposes the heavier burden on banner design.
Does the GDPR Apply to California?
Yes, if a California-based business processes the personal data of people located in the EU or EEA. The GDPR follows the data subject's location, not the company's. A California startup offering a service to EU users owes GDPR compliance regardless of where it is incorporated.
Can I Use the Same Cookie Banner for GDPR and CCPA?
Yes. A region-aware banner switches between an opt-in model for EU/EEA visitors and an opt-out model for California visitors, based on geolocation. One install handles both when your consent management platform supports region-based template selection.
What Tool Handles Both GDPR and CCPA Cookie Consent?
A consent management platform with region-based templates runs opt-in and opt-out from one install. It shows the GDPR banner to EU/EEA visitors and the CCPA opt-out notice to California visitors. Consently is one option. It includes both GDPR opt-in and CCPA opt-out templates with automatic geotargeting, Google Consent Mode v2, and a consent log. Pricing starts at $99 per year for one domain.

