Your website attracts visitors from both Europe and California. One regime requires opt-in consent before any tracking cookies fire. The other allows tracking by default but requires you to honour opt-out requests and disclose data sales. Getting either wrong carries significant penalties -- and implementing both simultaneously is where most companies stumble.
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and the EU's General Data Protection Regulation (GDPR) represent the two most consequential privacy frameworks affecting how websites handle cookies and tracking technologies. They share common goals -- protecting consumer privacy -- but their approaches differ in fundamental ways that directly impact your technical implementation.
The Core Philosophical Difference: Opt-In vs Opt-Out
The single most important distinction between GDPR and CCPA is the default state of consent.
GDPR: Opt-In by Default
Under GDPR (and the ePrivacy Directive), the default is no tracking. Non-essential cookies and tracking technologies cannot be activated until a user explicitly opts in. This means:
- Analytics cookies must not fire until the user clicks "Accept"
- Marketing pixels remain blocked until specific consent is granted
- Pre-consent cookie tracking is a clear violation with potential fines
- Silence or continued browsing does not constitute consent
CCPA/CPRA: Opt-Out by Default
Under CCPA, the default is that tracking is permitted. Businesses can set cookies and collect data from the moment a user visits the site, provided they:
- Disclose the collection in their privacy policy
- Provide a "Do Not Sell or Share My Personal Information" link
- Honour opt-out requests promptly
- Do not discriminate against consumers who opt out
This fundamental difference means that the same website behaviour -- loading Google Analytics on page load without consent -- is potentially compliant under CCPA (provided the collection is disclosed and, where it amounts to "sharing", an opt-out is offered) but a clear violation under GDPR.
Why This Matters for Implementation
If you serve both EU and California audiences, you cannot pick one approach. You need:
- Geo-detection: Determine whether the visitor is in the EU, California, or another jurisdiction
- Conditional behaviour: Apply opt-in logic for EU visitors and opt-out logic for California visitors
- Separate consent flows: Different banner designs and mechanisms for each regime
- Unified data management: A consistent backend for handling consent records and data subject requests
Detailed Comparison: Cookie Requirements
What Counts as a "Cookie" or Tracking Technology
| Aspect | GDPR/ePrivacy | CCPA/CPRA |
|---|---|---|
| Browser cookies | Covered | Covered |
| Local storage | Covered | Covered (if personal information) |
| Fingerprinting | Covered | Covered (if used for cross-context behavioural advertising) |
| Pixels/beacons | Covered | Covered (if collecting personal information) |
| Server-side tracking | Covered (if processing personal data) | Covered (if collecting personal information) |
Both laws have broad scope, but GDPR's ePrivacy component specifically targets the act of storing or accessing information on a device -- making it technology-neutral and comprehensive.
Consent Requirements
| Requirement | GDPR | CCPA/CPRA |
|---|---|---|
| Default state | Opt-in (no tracking without consent) | Opt-out (tracking allowed, must honour opt-out) |
| Consent mechanism | Consent banner with affirmative action | "Do Not Sell or Share" link |
| Granularity | Categories (analytics, marketing, etc.) | Binary for "sale/sharing"; categories encouraged |
| Consent withdrawal | Must be as easy as giving consent | Must honour opt-out; no discrimination |
| Sensitive data | Explicit consent required | Opt-in consent required under CPRA |
| Children's data | Under 16: parental consent (member states can lower to 13) | Under 16: opt-in consent; under 13: parental consent |
What Qualifies as "Sale" or "Sharing" Under CCPA
CCPA's "sale" concept is broader than most people expect. Under CCPA, a "sale" includes:
- Selling personal information for money
- Sharing personal information for cross-context behavioural advertising (added by CPRA)
- Making personal information available to third parties for their own commercial purposes
This means that common cookie-based activities may constitute a "sale" or "sharing":
- Google Analytics with data sharing enabled: Google can use the data for its own purposes
- Facebook Pixel: Sends data to Meta for advertising profiling
- Third-party cookies: Most third-party advertising cookies involve data sharing
- Embedded social media widgets: May transmit visitor data to social platforms
If any of your cookies facilitate these data flows, CCPA requires you to disclose this and provide an opt-out mechanism.
The "Do Not Sell or Share" Requirement
CCPA requires a prominent "Do Not Sell or Share My Personal Information" link on your website. After CPRA amendments, this obligation applies to both:
- Sale: Personal information exchanged for monetary consideration
- Sharing: Personal information disclosed to third parties for cross-context behavioural advertising
Implementation Requirements
- The link must be on your homepage and in your privacy policy
- Clicking the link must present a clear mechanism to opt out
- You must process the opt-out within 15 business days
- You cannot require an account to opt out
- You must respect the opt-out for at least 12 months before re-requesting consent
Global Privacy Control (GPC)
Global Privacy Control is a browser-based signal (similar to the old "Do Not Track") that California law recognises as a valid opt-out request. Under CPRA regulations:
- Businesses must honour GPC signals as a valid opt-out of sale/sharing
- GPC applies automatically without requiring the user to visit your "Do Not Sell" page
- If a user has GPC enabled, their data must not be sold or shared from the first page load
This has significant technical implications. Your website must:
- Detect the `Sec-GPC: 1` HTTP request header or the `navigator.globalPrivacyControl` JavaScript property
- Suppress advertising and data-sharing cookies for GPC-enabled visitors
- Treat GPC as equivalent to a "Do Not Sell or Share" request
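The detection step above, as an added example (not code from the original page or from any CMP vendor). It reads the signal on the server from the `Sec-GPC` request header, which lets you decide before a single tag runs, and in the browser from `navigator.globalPrivacyControl`; the header and property names are from the GPC specification, while the `headers` object shape, the `jurisdiction` codes and the `resolveGpcOptOut` helper are this example's assumptions. The check is strict: the specification defines exactly one valid value, `1`, so `0`, `true` or a missing header must be treated as "no signal", never as consent.

```javascript
// Added example: reduce the Global Privacy Control signal to one opt-out
// decision. Names other than Sec-GPC / navigator.globalPrivacyControl are
// assumptions made for this illustration.

// Server side. Node's http module lower-cases header names; the second key
// covers frameworks that preserve the original case.
function gpcFromHeaders(headers) {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  if (raw === undefined || raw === null) return false;
  const value = Array.isArray(raw) ? raw[0] : String(raw);
  // Only the literal "1" is a valid signal; anything else is "no signal".
  return value.trim() === '1';
}

// Client side. Browsers without GPC support leave the property undefined;
// Firefox, Brave and DuckDuckGo expose a boolean.
function gpcFromNavigator(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Combine both sources into the opt-out state the CMP should record.
// jurisdiction: 'US-CA', 'EU', ... (assumed codes from a geo-IP lookup).
function resolveGpcOptOut({ jurisdiction, headers = {}, nav }) {
  const signalled = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  if (!signalled) {
    return { signalled: false, optOutOfSaleShare: false, reason: 'no GPC signal' };
  }
  if (jurisdiction === 'US-CA') {
    // CPRA regulations: GPC is a valid "Do Not Sell or Share" request,
    // effective from the first page load without visiting any opt-out page.
    return { signalled: true, optOutOfSaleShare: true, reason: 'GPC honoured as Do Not Sell or Share' };
  }
  // Under GDPR non-essential tracking is already off until opt-in, so GPC
  // changes nothing; elsewhere honouring it is optional. This policy honours
  // it everywhere because that is the simplest state to reason about.
  return { signalled: true, optOutOfSaleShare: true, reason: `GPC honoured voluntarily in ${jurisdiction}` };
}

// Stand-alone demo with a constructed request: a Californian visitor whose
// browser sends Sec-GPC: 1.
console.log(resolveGpcOptOut({ jurisdiction: 'US-CA', headers: { 'sec-gpc': '1' } }));
```

Wire `gpcFromHeaders` into the request handler that renders the page so the opt-out state is already known when the consent script and tag manager are emitted; the `navigator` check is the fallback for cached or CDN-served HTML where the server never saw the header.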
Multi-Region Compliance: Building for Both
The Unified Approach
Rather than building separate systems for each regulation, many companies adopt a "highest common denominator" approach:
Pros:
- Simpler to implement and maintain
- Future-proofs against new regulations
- Demonstrates good faith compliance effort
Cons:
- May reduce analytics data from US visitors (unnecessary opt-in)
- Higher consent banner fatigue for non-EU visitors
- May not meet the specific requirements of either law perfectly
The Geo-Segmented Approach
A more precise strategy uses geo-detection to serve different consent experiences:
For EU visitors:
- Full opt-in consent banner with granular categories
- All non-essential cookies blocked by default
- Consent stored and auditable
For California visitors:
- Notice at collection (can be in the privacy policy)
- "Do Not Sell or Share" link in the footer
- GPC signal detection and honouring
- Opt-in consent for sensitive personal information
For other US states:
- Varies by state law (Virginia, Colorado, Connecticut, and others have their own requirements)
- Generally closer to CCPA's opt-out model
- Check each state's specific cookie requirements
For unregulated jurisdictions:
- Still advisable to provide notice and choice
- Reduces risk as new laws are enacted
- Builds consumer trust
Technical Implementation
Your Consent Management Platform (CMP) needs to support geo-segmented consent flows. Key requirements:
- IP-based geo-detection: Determine visitor location with reasonable accuracy, and fall back to the opt-in model when the lookup is ambiguous (VPNs, corporate proxies and stale IP databases all misplace visitors)
- Rule-based consent logic: Apply different default states per jurisdiction
- GPC detection: Read the GPC signal and apply it to CCPA logic
- Unified consent storage: Record consent decisions consistently across regimes
- Tag management integration: Work with your tag manager to block/allow scripts per consent state
Most major CMPs (Cookiebot, OneTrust, CookieYes) support geo-segmented consent. But having a CMP configured for multi-region does not guarantee compliance -- you need to verify that cookies actually behave differently based on the detected region.
Cookie Categories: GDPR vs CCPA Mapping
Mapping cookie categories across both frameworks helps clarify your obligations:
| Cookie Category | GDPR Treatment | CCPA Treatment |
|---|---|---|
| Strictly necessary (session, auth, CSRF) | Exempt from consent | Permitted without opt-out; still disclosed in the privacy policy |
| Functional (language, preferences) | Consent required | Generally permitted; disclose in policy |
| Analytics (GA4, Amplitude) | Consent required | Permitted; may constitute "sharing" if third-party |
| Marketing (ad pixels, retargeting) | Consent required | Permitted but likely constitutes "sale/sharing"; opt-out required |
| Social media (embedded widgets) | Consent required | Permitted but may constitute "sharing"; opt-out required |
The practical upshot: under GDPR, you need affirmative consent for everything except strictly necessary cookies. Under CCPA, you need to identify which cookies involve "selling" or "sharing" data and provide opt-out mechanisms for those.
E-Commerce Considerations
Online stores face particular challenges managing cookies across both frameworks. If your e-commerce site serves both EU and US customers:
- Shopping cart cookies are "strictly necessary" under both frameworks
- Conversion tracking (Google Ads, Facebook CAPI) requires consent under GDPR and constitutes "sharing" under CCPA
- Personalisation cookies (recommended products) require GDPR consent and should be disclosed under CCPA
- Payment processor cookies from providers like Stripe are generally "strictly necessary"
- Abandoned cart tracking requires consent under GDPR and may constitute "sale/sharing" under CCPA
Enforcement Differences
| Aspect | GDPR | CCPA/CPRA |
|---|---|---|
| Enforcer | National DPAs (27 in the EU) | California Attorney General; California Privacy Protection Agency (CPPA) |
| Maximum fine | EUR 20M or 4% global turnover | USD 2,500/violation (USD 7,500 for intentional violations or violations involving minors' data) |
| Private right of action | Yes: Art. 82 right to compensation for material or non-material damage from any infringement, not only breaches | Yes, for data breaches; not for cookie violations specifically |
| Enforcement trend | Increasing fines, automated detection | Increasing enforcement sweeps, focus on large-scale data collection |
| Cure period | No automatic cure period | 30-day cure period eliminated under CPRA |
GDPR fines are individually larger, but CCPA penalties can accumulate rapidly because they are assessed per violation. If each affected consumer is counted as a separate violation, a website with 100,000 California visitors and a systematic cookie violation faces a theoretical exposure of USD 250 million (100,000 x USD 2,500).
Google Consent Mode v2 and Dual Compliance
Google Consent Mode v2 provides a framework for managing Google tags across different consent regimes. When properly configured:
- For EU visitors: Consent Mode suppresses Google tags until consent is granted, then enables them with appropriate parameters
- For California visitors: Consent Mode can operate in "denied" state when a user opts out via "Do Not Sell" or GPC
- Cookieless pings: Consent Mode sends anonymised, cookieless pings even without consent (for modelling), which still raises questions under strict EU interpretations
Consent Mode is helpful but not sufficient on its own. It only covers Google products -- you still need a comprehensive approach for all other tracking technologies.
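The pieces above, the rule-based consent logic from the Technical Implementation list, the GDPR/CCPA category mapping table and the Consent Mode v2 states, fit together in one small rule engine. The following is an added example, not code from the page, from Google or from any CMP: the category names, the `salesOrShares` flags (which encode the table's "likely constitutes sale/sharing" column), the jurisdiction codes and the Consent Mode parameter mapping are all assumptions for this illustration. It also includes a `preConsentViolations` audit helper for the "regular scanning" requirement, run here over a constructed cookie list rather than a live browser.

```javascript
// Added example: jurisdiction-aware consent resolver. Everything named here
// is an assumption for illustration except the Consent Mode v2 parameter
// names (analytics_storage, ad_storage, ad_user_data, ad_personalization).

// Category metadata: essential categories are exempt everywhere; the
// salesOrShares flag marks categories treated as "sale/sharing" under CPRA.
const CATEGORIES = {
  necessary:  { essential: true,  salesOrShares: false },
  functional: { essential: false, salesOrShares: false },
  analytics:  { essential: false, salesOrShares: true  }, // third-party analytics
  marketing:  { essential: false, salesOrShares: true  }, // ad pixels, retargeting
  social:     { essential: false, salesOrShares: true  }, // embedded widgets
};

// Jurisdiction -> consent model. Unknown jurisdictions fall back to opt-in,
// the "highest common denominator" described above.
const MODEL = { EU: 'opt-in', UK: 'opt-in', 'US-CA': 'opt-out' };

function modelFor(jurisdiction) {
  return MODEL[jurisdiction] ?? 'opt-in';
}

// choices: categories the visitor affirmatively accepted (null = no banner
// interaction yet). optedOut: "Do Not Sell or Share" clicked. gpc: signal seen.
function resolveConsent({ jurisdiction, choices = null, optedOut = false, gpc = false }) {
  const model = modelFor(jurisdiction);
  const doNotSellShare = optedOut || gpc;
  const allowed = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    if (meta.essential) { allowed[name] = true; continue; }
    if (model === 'opt-in') {
      // GDPR/ePrivacy: nothing non-essential until explicitly accepted.
      allowed[name] = Array.isArray(choices) && choices.includes(name);
    } else {
      // CCPA/CPRA: permitted by default; sale/sharing categories switch off
      // on opt-out or GPC, plain functional cookies stay on.
      allowed[name] = !(meta.salesOrShares && doNotSellShare);
    }
  }
  return { model, doNotSellShare, allowed };
}

// Translate the category map into Consent Mode v2 states. The mapping of
// categories to parameters is this example's choice, not a Google rule.
function consentModeParams(allowed) {
  const g = (ok) => (ok ? 'granted' : 'denied');
  return {
    analytics_storage:  g(allowed.analytics),
    ad_storage:         g(allowed.marketing),
    ad_user_data:       g(allowed.marketing),
    ad_personalization: g(allowed.marketing),
  };
}

// Audit helper: cookies observed before any banner interaction that the
// resolver says should not exist yet in this jurisdiction. Unknown cookies
// are assumed to be marketing (worst case) so they surface for review.
function preConsentViolations(observedCookies, cookieCategory, jurisdiction, gpc = false) {
  const state = resolveConsent({ jurisdiction, choices: null, gpc });
  return observedCookies.filter((name) => !state.allowed[cookieCategory[name] ?? 'marketing']);
}

// Constructed sample: cookies a scanner might observe on first page load.
const OBSERVED = ['session', '_ga', 'lang', '_fbp'];
const COOKIE_CATEGORY = { session: 'necessary', _ga: 'analytics', lang: 'functional', _fbp: 'marketing' };

console.log('EU    :', preConsentViolations(OBSERVED, COOKIE_CATEGORY, 'EU'));
console.log('US-CA :', preConsentViolations(OBSERVED, COOKIE_CATEGORY, 'US-CA'));
console.log('CA+GPC:', preConsentViolations(OBSERVED, COOKIE_CATEGORY, 'US-CA', true));
console.log(consentModeParams(resolveConsent({ jurisdiction: 'EU', choices: ['analytics'] }).allowed));
```

Feed the output of `consentModeParams` to `gtag('consent', 'default', ...)` before any Google tag loads and to `gtag('consent', 'update', ...)` when the visitor interacts with the banner; everything else in the tag manager keys off the `allowed` map. The audit helper is the check to keep running after every CMP change: the EU and GPC rows should stay empty once the tag manager is wired correctly.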
Compliance Checklist: Covering Both GDPR and CCPA
GDPR Requirements
- Consent banner blocks all non-essential cookies before user action
- Granular consent categories (analytics, marketing, functional)
- Equally prominent accept and reject options
- Consent withdrawal mechanism accessible at all times
- Consent records stored and auditable
- Cookie policy with complete disclosure
CCPA/CPRA Requirements
- "Do Not Sell or Share My Personal Information" link on homepage
- Privacy policy discloses categories of personal information collected
- Opt-out mechanism processes requests within 15 business days
- GPC signal detected and honoured as valid opt-out
- No discrimination against consumers who opt out
- Opt-in consent for sensitive personal information
- Data deletion and correction request mechanisms
Multi-Region Technical Requirements
- Geo-detection determines visitor jurisdiction
- CMP applies correct consent model per region
- Tag manager respects jurisdiction-specific consent states
- Consent records identify which framework applied
- Regular scanning verifies cookies behave correctly per region
Scan for Multi-Region Compliance
Managing cookies across GDPR and CCPA is complex, and the consequences of getting it wrong are growing. The first step is understanding your current state: which cookies fire, when they fire, and whether your consent mechanisms are actually working.
Run a multi-region compliance scan →
See your Gretel Score and get a detailed breakdown of every cookie and tracking script on your site. Identify pre-consent violations that affect your GDPR compliance and data-sharing activities that trigger CCPA obligations -- all in a single scan.