CCPA vs. GDPR: What Ecommerce Businesses Need to Know
These frameworks overlap in some ways, but ecommerce teams need to understand where they differ, because those differences change both the disclosures on the page and the workflow behind it.
CCPA and GDPR get discussed in the same breath because both govern personal data, but they start from different triggers, use different concepts, and grant different rights. For an ecommerce business the practical task is working out which one applies, then writing a privacy policy that speaks to both without contradicting itself.
The GDPR has applied since May 25, 2018, and it starts from territorial scope: whether the business is established in the European Union, offers goods or services to people there, or monitors their behavior there. The CCPA starts from California coverage instead. It reaches a for-profit business that does business in California and clears at least one threshold, such as annual gross revenue above $25 million (a figure adjusted periodically for inflation), buying, selling, or sharing the personal information of 100,000 or more California consumers or households, or deriving half or more of its annual revenue from selling or sharing personal information. So a company with a modest EU customer base can owe a GDPR answer and no California one, while a large California retailer can have a serious CCPA problem without ever targeting Europe.
The concepts behind the drafting differ as much as the triggers do. GDPR work turns on controller and processor roles, a lawful basis for each use, data subject rights, and international transfers, while CCPA work turns on categories of personal information, the purposes for collecting it, sale and sharing, sensitive personal information, opt out rights, and notice content. A sentence that fits one framework can be vague or simply wrong under the other, so a policy that flattens both into generic language serves neither.
The rights overlap in theme but diverge in operation. GDPR rights are access, rectification, erasure, restriction, portability, and objection, each read against the lawful basis the controller relied on and the transfer disclosures it made, while CCPA rights center on knowing, deleting, correcting, opting out of sale or sharing, limiting the use of sensitive personal information, and not being discriminated against for exercising any of them. Response deadlines differ too: the GDPR allows one month, extendable by two for complex requests, while the CCPA allows 45 days, extendable by another 45. Those differences show up in the request forms, notices, verification steps, and vendor mapping behind the page, so the policy states which rights exist while the business builds the process that delivers them.
Advertising and analytics raise the questions each framework cares about most. Under the GDPR the hard part is lawful basis, consent, and behavioral monitoring. Under the CCPA it is whether ad-tech counts as a sale or a sharing, whether a "Do Not Sell or Share My Personal Information" link is required, and whether opt out preference signals such as Global Privacy Control are honored. The same pixels, retargeting tools, and audience building can therefore produce two different analyses on the same page. One privacy policy can carry both, but only when the draft is structured and the underlying data flow is documented. The lazy fix, a line that says the business complies with all applicable privacy laws, tells a reader nothing about which rights exist, which notices apply, or how the business has organized its compliance.
Key Takeaways
- CCPA and GDPR both regulate personal data, but they start from different triggers, with GDPR keyed to EU activity since May 25, 2018 and CCPA keyed to California coverage and thresholds.
- The concepts and rights differ in operation, so one policy can address both only when it respects each framework instead of flattening them into generic language.
- A single policy holds up only when the request, notice, advertising, and vendor workflow behind it matches what the page promises.