GDPR vs. CCPA: What Every Website Owner Needs to Know in 2025
GDPR and CCPA impose strict rules on how websites collect and use personal data. Learn what each law requires, how to check your compliance, and what penalties you face if you get it wrong.
GDPR and CCPA: Two Laws, One Problem
If your website collects any information from users (an email address, an IP address, a cookie ID), you are processing personal data. Two major privacy laws govern how you do this: GDPR (the EU General Data Protection Regulation) and CCPA/CPRA (the California Consumer Privacy Act as amended by the California Privacy Rights Act, in force since 2023). Both carry significant penalties for non-compliance, and both have been actively enforced.
The confusing part: they apply to different populations, have different requirements, and use different definitions. Getting compliance right means understanding both.
What GDPR Requires
GDPR applies to any organization established in the EU, and to organizations anywhere else that offer goods or services to people in the EU or monitor their behaviour there (Article 3). Tracking visitors with analytics or advertising tags is monitoring, so where the company is located does not take a website out of scope. "Personal data" is defined broadly: it includes names, email addresses, IP addresses, cookie identifiers, and any information that can identify or be linked to a natural person, directly or indirectly.
The six lawful bases for processing: consent, contract, legal obligation, vital interests, public task, and legitimate interests. For most marketing activities (email lists, retargeting ads, analytics) consent is in practice the required basis, because the ePrivacy rules that sit alongside GDPR require consent before non-essential cookies or trackers are placed on a visitor's device, whatever GDPR basis you would otherwise rely on.
What valid consent looks like under GDPR:
- Freely given (not bundled with terms acceptance)
- Specific (separate consent for analytics vs. advertising)
- Informed (users know what they're consenting to)
- Unambiguous (an active action such as ticking a box; pre-ticked boxes, scrolling, or continuing to browse do not count)
- Withdrawable at any time, as easily as it was given
Common GDPR failures on websites:
- Google Analytics loading before the user accepts the cookie banner
- Pre-ticked consent checkboxes on sign-up forms
- Privacy policies that don't list all third parties receiving data
- No mechanism for users to request data deletion (right to erasure)
- Absence of a Data Processing Agreement with third-party processors
What CCPA/CPRA Requires
The CCPA gives California residents specific rights over their personal information: the right to know what data is collected, the right to delete it, and the right to opt out of its "sale" or "sharing." The CPRA (effective 2023) added the right to correct inaccurate data and created stricter rules for sensitive personal information.
The opt-out requirement: If your business "sells" or "shares" personal data, including sharing with ad networks for targeted advertising, you must display a "Do Not Sell or Share My Personal Information" link, typically in the footer. You must also honor opt-out preference signals sent by the browser, such as Global Privacy Control (GPC); the Sephora settlement was brought precisely because those signals were ignored.
Key difference from GDPR: CCPA is opt-out (users can stop data sharing after the fact). GDPR is opt-in (you need consent before processing). This means a GDPR-compliant consent banner does not automatically make you CCPA compliant.
The Cookie Consent Banner Problem
Most websites implement cookie consent banners that look compliant but aren't. Common failures:
- Firing analytics before consent: Google Analytics (GA4), Meta Pixel, and LinkedIn Insight Tag all contact their vendor as soon as the page loads when installed with the standard snippet. Any of these firing before the user clicks "Accept" is a GDPR violation, whether or not a cookie is set, because the visitor's IP address and page URL have already been sent to a third party.
- No "Reject All" option: Regulators (especially in France and Germany) have made clear that a valid "Reject" option must be as prominent and as easy to use as the "Accept" button. A banner with a one-click "Accept All" and a "Manage Preferences" link that hides the refusal several screens deep is non-compliant.
- Not remembering the choice: Users should not be asked for consent again on every page view or on every new session. The decision must be persisted, normally in a first-party cookie, and re-prompting is only appropriate when the purposes or vendors have changed.
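The three failures above come down to one design rule: no third-party tag exists on the page until a recorded, purpose-specific decision allows it, and that decision is stored so it survives navigation. The following is an added example, not ComplixAI's code or any vendor's consent tool. It assumes a hypothetical first-party cookie named `cmp_consent`, an illustrative tag registry, and a placeholder GA4 measurement ID (`G-EXAMPLE`); the tag URLs are the vendors' standard loader URLs.

```javascript
// Added example, not ComplixAI's code: a minimal consent-gated tag loader.
// Assumptions (hypothetical): the decision lives in a first-party cookie named
// "cmp_consent"; the tag registry and the GA4 measurement ID are illustrative.

const CONSENT_COOKIE = 'cmp_consent';
const CONSENT_VERSION = 2;              // bump when vendors or purposes change: older consent is void
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;

// Third-party tags keyed by consent purpose. None of these is on the page by
// default; a tag is injected only after its purpose has been granted.
const TAGS = {
  analytics: [
    { id: 'ga4', src: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE' },
  ],
  advertising: [
    { id: 'meta-pixel', src: 'https://connect.facebook.net/en_US/fbevents.js' },
    { id: 'linkedin-insight', src: 'https://snap.licdn.com/li.lms-analytics/insight.min.js' },
  ],
};

// Parse a document.cookie string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) {
      // malformed percent-encoding: ignore this cookie rather than guess
    }
  }
  return out;
}

// Read the stored decision. Returns null when there is none, when it was made
// under an older consent version, or when the cookie is unparseable. Null
// means "ask again", never "assume yes".
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const c = JSON.parse(raw);
    if (c.version !== CONSENT_VERSION) return null;
    return { analytics: c.analytics === true, advertising: c.advertising === true };
  } catch (e) {
    return null;
  }
}

// Serialise a decision as a document.cookie value. A first-party cookie with a
// long Max-Age survives navigation and new sessions, so the visitor is not
// re-prompted on every page.
function consentCookieValue(decision, now = Date.now()) {
  const payload = JSON.stringify({
    version: CONSENT_VERSION,
    analytics: decision.analytics === true,
    advertising: decision.advertising === true,
    ts: now,
  });
  return `${CONSENT_COOKIE}=${encodeURIComponent(payload)}` +
    `; Max-Age=${ONE_YEAR_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

// Which tags may load for a given decision. Advertising tags are also held back
// when the browser sends Global Privacy Control (navigator.globalPrivacyControl),
// which California treats as a valid "do not sell or share" opt-out.
function tagsAllowed(consent, gpcSignal) {
  if (!consent) return [];                      // no decision yet: nothing fires
  const allowed = [];
  if (consent.analytics) allowed.push(...TAGS.analytics);
  if (consent.advertising && !gpcSignal) allowed.push(...TAGS.advertising);
  return allowed;
}

// Browser glue; a no-op under Node so the logic above stays testable.
function applyConsentToPage() {
  if (typeof document === 'undefined') return;
  const consent = readConsent(document.cookie);
  const gpc = typeof navigator !== 'undefined' && navigator.globalPrivacyControl === true;
  for (const tag of tagsAllowed(consent, gpc)) {
    if (document.getElementById('tag-' + tag.id)) continue;   // already injected
    const s = document.createElement('script');
    s.id = 'tag-' + tag.id;
    s.async = true;
    s.src = tag.src;
    document.head.appendChild(s);
  }
}

// Banner handlers. "Reject all" writes an explicit negative decision so the
// banner is dismissed just as easily as with "Accept all".
function recordDecision(decision) {
  const value = consentCookieValue(decision);
  if (typeof document !== 'undefined') {
    document.cookie = value;
    applyConsentToPage();
  }
  return value;
}
const acceptAll = () => recordDecision({ analytics: true, advertising: true });
const rejectAll = () => recordDecision({ analytics: false, advertising: false });
```

Two caveats a practitioner should keep in mind. Withdrawal is only as good as the teardown: writing a negative decision stops future page loads from injecting the tags, but a script already running in the current page keeps running until the page is reloaded, so a "withdraw consent" control should also trigger a reload or a vendor-specific disable call. And bumping `CONSENT_VERSION` is the honest way to handle a change in vendors or purposes; silently treating old consent as covering new processing is exactly the "informed" failure listed above.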
How to Check Your GDPR and CCPA Compliance
ComplixAI scans your live site for:
- Third-party trackers — which scripts load and whether they fire before consent
- Privacy Policy quality — does it name all data processors and describe user rights?
- Cookie banner presence and implementation
- Opt-out mechanisms for CCPA-covered businesses
- Form consent language — marketing opt-ins, pre-checked boxes
Run a free GDPR & CCPA compliance check →
Penalties at a Glance
| Law | Maximum fine | Notable enforcement |
|---|---|---|
| GDPR | €20M or 4% of global annual turnover, whichever is higher | Meta: €1.2B (2023); Amazon: €746M (2021) |
| CCPA/CPRA | $2,500 per violation; $7,500 per intentional violation | Sephora: $1.2M settlement (2022) |
| CalOPPA | $2,500 per violation | Civil enforcement by CA AG |
Small businesses are not immune. The California AG has pursued companies of all sizes, and GDPR supervisory authorities have issued fines to mid-size companies for basic failures like firing analytics without consent.
Five Things to Fix This Week
- Audit which scripts fire before consent — Open your browser's Network tab in a fresh profile, load the page, and do not touch the banner; every third-party request you see at that point fired without permission. Export the capture as a HAR and pair it with a cookie scanner to catch trackers that load indirectly through tag managers
- Add a compliant cookie consent management platform — Cookiebot, Osano, or a similar tool can handle the consent lifecycle correctly
- Update your Privacy Policy — It must list every third-party processor by name and describe each user right
- Add a "Do Not Sell" link if you share data with ad networks — even if you're not sure whether it counts as a "sale," the link is cheap protection
- Run a ComplixAI scan to get a complete picture of what's exposed
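The first step above produces a HAR file, and reading one by hand is slow. The script below is an added example, not ComplixAI's scanner: it lists every third-party host contacted before the moment the banner was answered, flags known tracker hosts, and counts cookies sent and set, since a tracker exchanging cookies before consent is the clearest finding. The embedded HAR is constructed for illustration (real exports have the same `log.entries` shape), the tracker host list is a small illustrative subset, and the `G-EXAMPLE` and pixel IDs are placeholders.

```javascript
// Added example, not ComplixAI's scanner: triage a HAR export from the browser's
// Network tab for third-party requests made before the visitor answered the
// consent banner. The HAR below is constructed for illustration; the tracker
// host list is a small, illustrative subset.

const TRACKER_HOSTS = [
  'www.googletagmanager.com', 'www.google-analytics.com', 'analytics.google.com',
  'connect.facebook.net', 'www.facebook.com',
  'snap.licdn.com', 'px.ads.linkedin.com',
];

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return ''; }
}

// Match a host or any subdomain of it.
function matchesHost(host, base) {
  return host === base || host.endsWith('.' + base);
}

function isTrackerHost(host) {
  return TRACKER_HOSTS.some(t => matchesHost(host, t));
}

// Third-party requests started before `consentTime` (ISO 8601, the moment the
// banner was answered). Omit consentTime to audit the whole capture, e.g. a
// session in which the banner was never clicked at all.
function auditHar(har, { firstPartyHost, consentTime } = {}) {
  const cutoff = consentTime ? Date.parse(consentTime) : Infinity;
  const byHost = new Map();
  for (const entry of har.log.entries) {
    if (Date.parse(entry.startedDateTime) >= cutoff) continue;
    const host = hostOf(entry.request.url);
    if (!host || (firstPartyHost && matchesHost(host, firstPartyHost))) continue;
    const row = byHost.get(host) || {
      host, tracker: isTrackerHost(host), requests: 0, cookiesSent: 0, cookiesSet: 0,
      firstSeen: entry.startedDateTime,
    };
    row.requests += 1;
    row.cookiesSent += (entry.request.cookies || []).length;
    row.cookiesSet += ((entry.response && entry.response.cookies) || []).length;
    if (entry.startedDateTime < row.firstSeen) row.firstSeen = entry.startedDateTime;
    byHost.set(host, row);
  }
  // Known trackers first, then by host, so the worst findings lead the report.
  return [...byHost.values()].sort((a, b) =>
    (b.tracker - a.tracker) || (a.host < b.host ? -1 : a.host > b.host ? 1 : 0));
}

function formatReport(rows) {
  if (rows.length === 0) return 'No third-party requests before consent.';
  return rows.map(r =>
    `${r.tracker ? 'TRACKER    ' : 'third-party'} ${r.host}: ${r.requests} request(s), ` +
    `${r.cookiesSent} cookie(s) sent, ${r.cookiesSet} set, first at ${r.firstSeen}`
  ).join('\n');
}

// Build one HAR entry (only the fields this audit reads).
function req(startedDateTime, url, reqExtra = {}, resExtra = {}) {
  return {
    startedDateTime,
    request: { method: 'GET', url, cookies: [], ...reqExtra },
    response: { status: 200, cookies: [], ...resExtra },
  };
}

// Constructed HAR: a page on www.example.com whose banner was answered at
// 10:00:05Z. Timestamps, IDs and cookie values are made up.
const SAMPLE_HAR = { log: { version: '1.2', entries: [
  req('2025-01-15T10:00:00.000Z', 'https://www.example.com/'),
  req('2025-01-15T10:00:00.300Z', 'https://cdn.example-cmp.net/banner.js'),
  req('2025-01-15T10:00:00.400Z', 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE'),
  req('2025-01-15T10:00:00.900Z', 'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&en=page_view',
      { cookies: [{ name: '_ga', value: 'GA1.1.1111.2222' }] }),
  req('2025-01-15T10:00:01.100Z', 'https://connect.facebook.net/en_US/fbevents.js'),
  req('2025-01-15T10:00:01.300Z', 'https://www.facebook.com/tr/?id=1234567890&ev=PageView',
      {}, { cookies: [{ name: 'fr', value: 'constructed' }] }),
  req('2025-01-15T10:00:06.000Z', 'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&en=scroll',
      { cookies: [{ name: '_ga', value: 'GA1.1.1111.2222' }] }),
] } };

// CLI: node audit.js [capture.har] [first-party-host] [consent-time-iso]
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const har = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_HAR;
  console.log(formatReport(auditHar(har, {
    firstPartyHost: process.argv[3] || 'example.com',
    consentTime: process.argv[4] || (file ? undefined : '2025-01-15T10:00:05.000Z'),
  })));
}
```

On the constructed capture the report lists four tracker hosts and one other third party (the consent vendor's CDN) before the 10:00:05Z cutoff, and omits the GA4 hit at 10:00:06Z. Two things to remember when running it on a real export: record the consent click time from the HAR itself (the request the banner makes when you click is a reliable marker), and run a second capture where you click "Reject"; anything that appears after that click is the finding that matters most.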
Check Your Website Now — It's Free
Scan for the issues described in this article in under 3 minutes.
Run a Free Scan →
Frequently Asked Questions
Does GDPR apply to my US-based website?
In practice, yes. GDPR reaches organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour (Article 3(2)); where the company is incorporated is irrelevant. Behavioural tracking such as Google Analytics or an advertising pixel counts as monitoring, so a US website running those tags with EU visitors is processing personal data under GDPR.
What is the CCPA and who does it apply to?
The California Consumer Privacy Act applies to for-profit businesses that do business in California and meet any one of three thresholds: (1) annual gross revenue over $25 million (the figure is adjusted for inflation), (2) buying, selling, or sharing the personal information of 100,000 or more consumers or households per year, or (3) deriving 50% or more of annual revenue from selling or sharing personal information. The CPRA (in force since 2023) expanded and strengthened these rights.
Do I need a cookie consent banner?
Under GDPR and the ePrivacy rules, you need prior consent before setting non-essential cookies (analytics, advertising, personalization). A cookie banner that sets those cookies before the user clicks 'Accept' is non-compliant. Under CCPA/CPRA, you need a 'Do Not Sell or Share My Personal Information' opt-out link if you sell or share data. These are different requirements; many sites need both.
What are the GDPR fines for websites?
GDPR fines are tiered. Tier 1 violations (breaches of controller and processor obligations such as security measures, records of processing, or breach notification) carry fines up to €10 million or 2% of global annual turnover, whichever is higher. Tier 2 violations (processing without a lawful basis or valid consent, violating data subject rights, unlawful international transfers) carry fines up to €20 million or 4% of global annual turnover, whichever is higher. The Irish DPC fined Meta €1.2 billion in 2023 for unlawful data transfers.
How do I check my website's GDPR compliance for free?
ComplixAI's privacy check scans your site for: third-party trackers loaded before consent, presence and quality of your privacy policy, cookie consent banner implementation, and whether you have data processing disclosures. The Pro plan includes a full GDPR/CCPA audit with actionable fixes for each issue found.