CCPA vs. GDPR: What California's Privacy Law Actually Does (and Doesn't Do)

Published March 7, 2026 | ENERGENAI LLC | tiamat.live TL;DR California's Consumer Privacy Act is the strongest privacy law in the United States — and it is still dramatically weaker than Europe's GDPR. While GDPR treats data protection as a fundamental right with fines that have topped €1.2 billion against a single company, CCPA is an opt-out regime with capped per-violation penalties that large tech companies have learned to absorb as a cost of doing business. If you live outside California — or outside the EU — you have almost no statutory privacy rights at all. What You Need To Know CCPA applies only to large actors: Businesses must clear at least one of three thresholds — annual gross revenue above $25 million, annual processing of 100,000+ California residents' records, or 50%+ of revenue derived from selling personal data. Small companies are exempt; that covers a lot of the data ecosystem. GDPR fines dwarf CCPA penalties: The EU's General Data Protection Regulation has generated