
CCPA vs GDPR: Key Differences for Cookie Compliance

Two of the world's most influential privacy laws - but they approach cookies very differently. Here's what you need to know.

Cookiewise Team
Published Feb 15, 2025

If your website serves visitors in both Europe and California, you're subject to two different privacy frameworks - each with its own approach to cookies and tracking. Understanding the differences is essential to avoiding costly compliance mistakes.

At a Glance: GDPR vs CCPA

| | GDPR (EU) | CCPA (California) |
|---|---|---|
| Consent Model | Opt-in (must consent before tracking) | Opt-out (can track until user opts out) |
| Who It Applies To | Any business processing EU residents' data | Businesses meeting revenue/data thresholds serving CA residents |
| Cookie Banner Required? | Yes - before any non-essential cookies | Not strictly, but "Do Not Sell" link required |
| Right to Delete | Yes (Right to Erasure) | Yes |
| Maximum Fines | €20M or 4% global revenue | $7,500 per intentional violation |
| Private Right of Action | Limited | Yes (for data breaches) |

The Fundamental Difference: Opt-In vs Opt-Out

This is the single biggest distinction. GDPR operates on an opt-in model - you cannot place analytics or marketing cookies until the user explicitly agrees. CCPA uses an opt-out model - you can track by default, but must provide a clear mechanism for users to say "stop selling my data."

In practice, if you serve both EU and California users, you should default to the stricter GDPR approach. It satisfies both regulations simultaneously.

What CCPA Requires for Cookies

"Do Not Sell My Personal Information" link

Must be prominently displayed in the footer of every page.

Privacy policy disclosure

Detail what personal information you collect, including via cookies, and the purposes.

Honour opt-out requests

When a user opts out, stop sharing their data with third parties within 15 business days.

No discrimination

You cannot provide a different level of service to users who exercise their privacy rights.

The CPRA Update (2023)

The California Privacy Rights Act (CPRA) amended and expanded CCPA in 2023, adding:

  • A new category: "sharing" personal information (not just "selling")
  • Requirements for sensitive personal information protections
  • A dedicated enforcement agency: the California Privacy Protection Agency (CPPA)
  • New rights including correction and limiting use of sensitive data

Practical Recommendations

The "comply with both" checklist

  1. Use an opt-in consent banner by default (satisfies GDPR)
  2. Include a "Do Not Sell" link in your footer (satisfies CCPA)
  3. Provide granular category controls (both regulations prefer it)
  4. Maintain consent records with timestamps
  5. Regularly scan and audit your cookies
  6. Update your privacy policy and cookie policy annually
