CCPA vs GDPR: the real differences for cookies
9 March 2026 · FlowConsent
TL;DR
The GDPR and the CCPA are the two major regulatory frameworks governing cookie management on websites, but they work in fundamentally different ways. The GDPR (Europe) requires explicit consent before setting any non-essential cookie (opt-in). The CCPA/CPRA (California) allows cookies to be set by default, but requires an opt-out mechanism for the sale or sharing of personal data. A website targeting users in both regions must manage both sets of rules simultaneously, which requires a CMP capable of differentiating rules by geolocation.
Why this comparison matters
The GDPR starts from the principle that nothing should be collected without prior agreement. The CCPA starts from the principle that collection is allowed, but the user must be able to object. This distinction has direct consequences on your cookie banner configuration, script blocking, and CMP architecture.
GDPR and CCPA: two frameworks, two philosophies
The GDPR in brief
The GDPR has been in force since May 2018 in the European Union. It defines personal data broadly: IP addresses, cookie identifiers, browsing data. Any non-essential cookie requires prior consent that is freely given, informed, specific, and unambiguous. This is the opt-in model.
The CCPA/CPRA in brief
The CCPA has been in force since January 2020, strengthened by the CPRA since January 2023. It applies to businesses exceeding certain thresholds ($25M revenue, 100,000 residents, or 50% revenue from data sales). The CCPA follows an opt-out model: cookies can be set as soon as the page loads, but users must be able to object through a Do Not Sell or Share link and the GPC signal.
The concrete differences for cookies
Under the GDPR, if your site loads Google Analytics or an advertising pixel before the user clicks Accept, you are in violation. Under the CCPA, those scripts can load immediately, but the user must be able to prevent the sale or sharing of their data through an accessible opt-out.
What this means in practice for your website
If you target Europe only
Block all non-essential scripts before consent. Your cookie banner must offer a granular choice with a Reject button as visible as the Accept button. Consent proof must be stored.
If you target California only
You can load tracking scripts as soon as the page loads. Display a Do Not Sell or Share link accessible from all pages. Your site must honor the GPC signal.
If you target both regions
Your CMP must detect visitor location and apply the corresponding rules. When choosing a CMP that handles both regulations, verify it supports geolocation, GPC, and Consent Mode v2.
Which cookies are affected by each regulation
The two regulations do not target exactly the same types of cookies. Strictly necessary cookies are exempt in both cases. Analytics cookies require opt-in under the GDPR. Advertising cookies are covered by both regulations.
Common mistakes (and how to avoid them)
Applying the same rules everywhere. Applying GDPR rules to all visitors reduces consent rates in California. Applying CCPA rules to all visitors is not GDPR compliant.
Ignoring the GPC signal. The CCPA/CPRA requires honoring Global Privacy Control. In 2025, Tractor Supply was fined $1.35 million, in part for not honoring GPC.
Confusing Do Not Sell with Reject All. The CCPA's Do Not Sell link targets data sale and sharing with third parties specifically, not all cookies.
Forgetting Consent Mode v2. If you use Google Analytics and target the EEA, Consent Mode v2 has been mandatory since March 2024. This is separate from CCPA requirements.
Neglecting documentation. The GDPR requires comprehensive documentation. The CCPA requires an up-to-date privacy policy and a notice at collection. Both require annual updates.
How to configure your CMP for both regulations
A CMP configured for both regulations needs four things:
- Geolocation to identify visitor location.
- An adapted banner per region.
- Conditional script blocking.
- Consent proof storage.
Use a cookie scanner to verify your CMP configuration works correctly.
CCPA + GDPR cookie compliance checklist
- Identify where your visitors are located and which regulations apply.
- Configure your CMP with differentiated rules by geolocation.
- Block non-essential scripts before consent for European visitors.
- Display a Do Not Sell or Share link for Californian visitors.
- Configure GPC signal compliance.
- Store consent proof for EU visitors.
- Update your privacy policy with both GDPR and CCPA disclosures.
- Configure Consent Mode v2 for EEA visitors.
- Scan your site to verify blocking and opt-out work correctly.
- Plan an annual review of your CMP configuration.
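As an added example (not FlowConsent's code nor any particular CMP's), the JavaScript below shows the decision logic behind the configuration steps and checklist above: regime selection from the geolocated region, GPC detection from the Sec-GPC request header or navigator.globalPrivacyControl, opt-in versus opt-out gating of script categories, and the consent proof record. The function names, the category labels, the US-CA region code and the script descriptor shape are assumptions made for this illustration.

```javascript
// Added example, not FlowConsent's code: a region-aware consent policy
// resolver that applies the opt-in (GDPR) vs opt-out (CCPA) models and
// honours the GPC signal. Function names, category labels, the "US-CA"
// region code and the script descriptor shape are assumptions.

// EEA member states, ISO 3166-1 alpha-2. Extend as your legal review requires.
const EEA = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
  "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
  "SI", "ES", "SE", "IS", "LI", "NO",
]);

// Map a geolocated region code to the regime the CMP should apply.
// "US-CA" stands for California here (assumed code); input is upper-cased.
function regimeForRegion(region) {
  const r = String(region || "").trim().toUpperCase();
  if (r === "US-CA") return "CCPA";
  if (EEA.has(r)) return "GDPR";
  return "DEFAULT"; // unknown: fall back to the stricter opt-in model below
}

// Global Privacy Control arrives two ways: as the `Sec-GPC: 1` request header
// (server side) or as `navigator.globalPrivacyControl === true` in the
// browser. Both are checked so a server-rendered page and a client-side CMP
// reach the same answer.
function gpcSignalled({ headers = {}, nav = null } = {}) {
  const header = Object.entries(headers).find(([k]) => k.toLowerCase() === "sec-gpc");
  if (header && String(header[1]).trim() === "1") return true;
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide which cookie categories may load for this visitor.
//   consent:      { analytics?: bool, advertising?: bool } as recorded by the banner
//   gpc:          the GPC signal was present
//   optOutOfSale: the visitor used the Do Not Sell or Share link
function resolveScriptPolicy({ region, consent = {}, gpc = false, optOutOfSale = false }) {
  const regime = regimeForRegion(region);
  const allowed = { necessary: true, analytics: false, advertising: false };

  if (regime === "CCPA") {
    // Opt-out model: non-essential scripts load by default. GPC and Do Not
    // Sell stop sale/sharing (the advertising category) only; they are not a
    // Reject All, so analytics keeps running unless the visitor refused it.
    const saleOptedOut = gpc || optOutOfSale || consent.advertising === false;
    allowed.analytics = consent.analytics !== false;
    allowed.advertising = !saleOptedOut;
  } else {
    // Opt-in model (GDPR, and the default for unknown regions): nothing
    // non-essential loads until an affirmative choice has been recorded.
    allowed.analytics = consent.analytics === true;
    allowed.advertising = consent.advertising === true;
  }
  return { regime, allowed };
}

// Gate tags that the page ships inert, e.g.
//   <script type="text/plain" data-consent="analytics" data-src="https://...">
// Returns the descriptors the CMP may activate. A real CMP would then switch
// the tag to type="text/javascript" and copy data-src to src; here we only
// compute the list.
function gateScripts(scripts, policy) {
  return scripts.filter((s) => policy.allowed[s.category] === true);
}

// Build the consent proof record that must be stored for EU visitors. Storing
// the regime and policy version alongside the choices lets you show later
// which banner text and rules the visitor actually saw.
function buildConsentRecord({ region, consent, gpc = false, optOutOfSale = false, policyVersion, now = new Date() }) {
  const policy = resolveScriptPolicy({ region, consent, gpc, optOutOfSale });
  return {
    timestamp: now.toISOString(),
    region,
    regime: policy.regime,
    policyVersion,
    gpc: Boolean(gpc),
    optOutOfSale: Boolean(optOutOfSale),
    choices: { ...policy.allowed },
  };
}

// Constructed sample: three inert tags as a CMP would find them on the page.
const SAMPLE_SCRIPTS = [
  { category: "necessary", src: "/static/session.js" },
  { category: "analytics", src: "https://analytics.example/ga.js" },
  { category: "advertising", src: "https://ads.example/pixel.js" },
];

// Demonstration: a Californian visitor whose browser sends Sec-GPC: 1 keeps
// analytics but not the advertising pixel; a French visitor who has not yet
// chosen gets nothing beyond strictly necessary scripts.
const caPolicy = resolveScriptPolicy({ region: "US-CA", gpc: gpcSignalled({ headers: { "Sec-GPC": "1" } }) });
console.log("CA + GPC:", gateScripts(SAMPLE_SCRIPTS, caPolicy).map((s) => s.category));
const frPolicy = resolveScriptPolicy({ region: "FR" });
console.log("FR, no choice yet:", gateScripts(SAMPLE_SCRIPTS, frPolicy).map((s) => s.category));
```

The important design point is that the CCPA branch treats GPC and Do Not Sell as a sale/sharing opt-out, not a Reject All, while the GDPR branch refuses everything non-essential until a recorded affirmative choice exists; an unknown region falls back to the opt-in branch, which the article notes is compliant everywhere at the cost of consent rate.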
Conclusion and next step
The GDPR and the CCPA impose different obligations: opt-in in Europe, opt-out in California. A site receiving traffic from both regions must manage both sets of rules. Start with a scan of your site to identify all active cookies and trackers.
Frequently asked questions
What is the main difference between the CCPA and the GDPR for cookies?
The GDPR requires opt-in consent before setting non-essential cookies. The CCPA allows cookies to be set by default, but requires an opt-out mechanism if data is sold or shared with third parties. The logic is reversed: the GDPR blocks before consent, the CCPA allows then offers a refusal.
Do I need a cookie banner for the CCPA?
The CCPA does not require a cookie banner in the GDPR sense. However, it requires a Do Not Sell or Share My Personal Information link accessible on all pages, and compliance with the GPC signal. In practice, many sites use a cookie banner with a Do Not Sell tab to cover both regulations.
Does the CCPA apply to my European website?
The CCPA applies if your site collects personal data from California residents and your business exceeds one of three thresholds ($25M revenue, 100,000 residents, or 50% revenue from data sales). If your site receives significant Californian traffic, the CCPA likely applies.
Can I apply GDPR rules to all visitors to simplify?
Yes, this is technically compliant with both regulations. However, it reduces your consent rate in California (where opt-in is not required) and may impact your analytics and advertising data. The best approach is to adapt rules by geographic region.
What penalties do I face for CCPA non-compliance?
The CCPA provides for fines of $2,663 to $7,988 per violation (amounts adjusted in 2025). These fines are cumulative per affected user. Sephora paid $1.2 million in 2022, and Tractor Supply paid $1.35 million in 2025.
Does Google Consent Mode v2 cover the CCPA?
Consent Mode v2 is designed to transmit consent signals to Google under the GDPR and the DMA. It is not specifically designed for the CCPA. For CCPA compliance, you must separately configure GPC compliance and the Do Not Sell mechanism in your CMP.