If you used the internet at all in the last ten years, you almost certainly noticed the appearance of “cookie banners”: popups on websites across the internet asking for your permission to use tracking cookies. Website owners, managers, and businesses might’ve also received unsettling messages about liability and compliance with rules like CCPA and GDPR. What’s going on here? What do businesses need to know about GDPR, CCPA, tracking, cookies, and the law? Let’s dive in.
Note that this blog post is not legal advice. Consult a legal expert if you have concerns about liability and legal implications on your website.
GDPR and CCPA: What Businesses Need to Know About Tracking, Cookies, and the Law
First, what are GDPR and CCPA, and what do they have to do with cookies and tracking? Likely, you’ve heard of the European Union’s General Data Protection Regulation (GDPR) and the state of California’s California Consumer Privacy Act (CCPA). However, you might not know what they entail, or how they differ. And you might not know what this means for your business or your website.
Previously, we discussed what GDPR and CCPA mean for users. We also discussed the important aspects of each rule, and protections and rights they confer to users. In this blog post, we’ll again discuss what these rules mean, and specifically what they mean for businesses.
What is the GDPR?
The General Data Protection Regulation (GDPR) is the law regulating the collection and tracking of personal information in Europe. These rules, passed in 2016 and effective in 2018, restrict the amount and type of data that businesses can collect about users online.
GDPR applies to nearly any website that may be visited by a resident of the European Union. It’s important for businesses to know what GDPR entails and requires, regardless of their location. GDPR has also been a framework for other countries and US states making their own data tracking regulations, so understanding GDPR will help you understand many other regulations, too.
What is CCPA?
The California Consumer Privacy Act (CCPA) is a set of laws regulating data tracking specifically in the US state of California. Passed in 2018 and effective in 2020, this law represents the first serious attempt at protecting general users’ privacy and regulating data collection in the United States. This law was updated in 2022 with the California Privacy Rights Act (CPRA), and these are sometimes used interchangeably. For this blog post, we’ll use CCPA to encompass both laws.
CCPA is similar to GDPR in many ways, but there are also some important differences, which we’ll discuss. Furthermore, CCPA makes several exceptions and has limitations that GDPR does not. CCPA was made to protect California residents’ privacy, and this law applies to some business websites which may be visited by a resident of California.
Other US states have also made laws protecting their residents’ data and privacy online. All of these are very similar to CCPA. In most cases, compliance with CCPA means compliance with other state laws.
Why Now?
You may have noticed that these regulations came into effect several years ago, in 2018 and 2020. So, why are we talking about them now? It can take some time to see how these laws are actually enforced and what type of response businesses and governments have. Cases move through court systems, laws are updated and amended, and all of this can give us an outline for expectations and best practices. Some elements of the legislation are still evolving, but enough time has passed to show, in general, the best practices for businesses and implications for users.
For Businesses: What Do CCPA and GDPR Mean for My Website?

This is one example of a cookie banner required under GDPR.
We’ve previously discussed the overall implications of CCPA and GDPR for users, but let’s take a closer look at what this means for businesses. If you’ve received unsettling messages about noncompliance with either CCPA or GDPR, you probably, understandably, have concerns. You’re probably wondering whether these laws apply to you, and what you might have to do to make your website compliant. Let’s dive in.
Do CCPA and GDPR Apply to My Business Website?
Do CCPA and GDPR even apply to your website? This is the question that most business owners ask themselves first. The answer is simple in some cases, and a bit more complicated in others.
Who Does GDPR Apply To?
As previously mentioned, GDPR applies to all websites that gather information about residents of the European Union and European Economic Area. If you use tools like Google Analytics, Meta Pixel, or similar tracking tools, this means your website is collecting data about its visitors. If your website is open to the general internet, as the vast majority of websites are, this means you are collecting information about all users, including residents of the EU who visit your site. This means the GDPR applies to you.
According to the actual law, GDPR applies to all websites except:
- Personal or household activities
- Law enforcement
- National security
There is an important caveat to this. GDPR violations are enforced by the EU entity relevant to the business’s European activities. For example, the international headquarters of Meta (including Facebook, Instagram, WhatsApp, and others) is in Ireland, so Meta’s many GDPR violations have been prosecuted by the Data Privacy Commission (DPC) of Ireland. If you do not have a business entity registered in the EU and you do not do significant business in the EU, it’s likely to be difficult and unnecessary for any entity to prosecute, unless your use of EU residents’ data results in significant damages.
So, even though GDPR applies to all business websites, it’s unlikely to be relevant to you unless you do significant business in Europe. However, keep in mind that this should not be taken as legal advice, and it’s important to check with a legal expert before making business decisions on this topic.
Who Does CCPA Apply To?
CCPA includes a few more limitations than GDPR. CCPA regulations apply to businesses that process and store personal information of California residents. As previously mentioned, if you use platforms like Google Analytics, Meta Pixel, or similar services, and your website is open to the general internet for anyone to find, you’re likely processing data of California residents. Even if you’re not, about 20 other states have enacted legislation similar to California’s. It’s likely that other states will follow.
CCPA and legislation from similar states make some important exceptions. In general, these state regulations include only business websites that meet at least one of the following:
- Have a gross annual revenue of over $25 million;
- Buy, sell, or share the personal information of 100,000 or more California (or applicable state) residents or households; or
- Derive 50% or more of their annual revenue from selling California (or applicable state) residents’ personal information.
These exceptions are put into place to prevent undue strain on small and emerging businesses. However, if you are close to these thresholds in any state, you should take note of CCPA regulations and the others like it.
What Does GDPR and CCPA Compliance Mean?
Besides the different exceptions and businesses each regulation affects, there are a few other important differences between GDPR and CCPA.
What Does GDPR Require?

This is one part of the European grocery chain Spar’s detailed privacy policy and cookie usage policy. These are more common in the EU because of GDPR.
If GDPR compliance is a concern for your business, there are a few things you should know. GDPR is generally stricter than CCPA: it limits data collection and sharing more tightly, and its consent mechanism protects and informs users more effectively. In general, if your website is GDPR compliant, it will also be CCPA compliant.
In simple terms, the GDPR requires that businesses be transparent about the type and amount of user data that they acquire, process, store, and share, and requires consent from users before doing so. It also limits how long, and in what way this data can be stored. Finally, if there is a data breach, it stipulates that businesses must inform users and relevant regulatory authorities in a timely manner.
In general, GDPR requires the following:
- Legitimate Data Collection and Consent: Any data collected by a website about users must meet at least one of the following criteria: the user consents knowingly to giving their data, the data is required to fulfill the services promised, or the data is necessary for legal, contractual, or safety reasons.
- Transparency: Users must be notified of all of the following regarding their personal information: what data is collected, what this data is used for, how long the data is retained, and who the data is shared with.
- Data Minimization: Data must be stored for a limited time, not indefinitely. Data should only be stored for as long as it’s needed to fulfill a business purpose.
- Security: Businesses must take reasonable measures to encrypt, pseudonymize, or otherwise protect their data from bad actors. If a data breach occurs, users and regulatory authorities must be notified in a timely manner.
- Right to be Forgotten: If a user wishes, they can request that their data be edited or deleted at any time, and a business must honor this request.
This is not an exhaustive list of GDPR stipulations, but it’s likely the most important for most businesses. These aspects of GDPR require that businesses of all types take care, and obtain users’ consent as they’re gathering data about them. The GDPR sends a message clearly: users’ privacy deserves protection, and businesses cannot take or use personal information about a user without their informed consent.
This may seem complicated, but it doesn’t have to be. Compliance with GDPR can be as simple as changing a few tools. We’ll discuss this in more detail in a few moments.
What Does CCPA Require?
CCPA is similar to GDPR in several ways, but it also has a few important differences. The mechanism it uses is particularly important.
What does CCPA require?
- Transparency: Users must be informed about the following regarding their personal data: what data is collected about them, how that data is used, who it is shared with, and how long the data is retained.
- Data minimization: Businesses should collect personal information only for the purpose described, and keep that information only insofar as it serves that purpose.
- Right to Deletion: Users must be able to request, at any time, that any and all information about them be deleted, and businesses must honor this request. The California Delete Act, signed in 2023, expands this, with the intention to make it easier for users to request data deletion.
- Right to Opt-Out: Users must be able to request that businesses not track, process, store, share, or sell their personal info, or stop doing so. Businesses must honor this request.
This is also not an exhaustive list, but highlights the important aspects of the law that would be relevant to most businesses. It’s also important to note that regulations like HIPAA and the Gramm-Leach-Bliley Act (GLBA) supersede CCPA. That means that data concerning a user’s health must meet HIPAA regulations first and foremost, and data concerning a user’s finances must meet GLBA regulations first and foremost.
CCPA vs GDPR: What are the Differences?

Earlier in the blog post, we showed an example of the cookie banner on Pitchfork, a Conde Nast site, showing how tracking cookies are used, which is required by GDPR. However, their site shows no such notification to American visitors. Instead, Americans have only an opt-out option hidden in the privacy policy. This is a common practice for many sites.
There are a few important differences here. Note that CCPA requires that users be able to opt-out of data collection, while GDPR requires that they, if they choose, opt-in, with informed consent. This essentially means that CCPA is reactive—users must opt-out of data collection, and make a request to do so—while GDPR is pro-active—before businesses can collect data about a user, they have to get informed consent. This is a key reason why GDPR provides more user protection and has been more effective than CCPA.
This also means that compliance with CCPA is easier than compliance with GDPR. While businesses serving EU residents use cookie banners and must acquire consent before tracking users’ data, businesses compliant with CCPA must merely inform users of the data collected about them, and provide a way to opt-out.
For Businesses: How to Make Your Website Compliant with GDPR and CCPA
Now that we have a good understanding of what GDPR and CCPA are, what they mean, and what they require, how can you make your website compliant? There are several ways to go about this. We’ll highlight a few of the most popular and most flexible.
Cookie-Less Tracking
Cookie-less tracking tools are a flexible and user-friendly way to comply with CCPA and GDPR rules. This method puts user safety and privacy at the forefront, while sacrificing little in the way of online advertising or data.
How Does Cookie-Less Tracking Work?
Cookie-less tracking tools provide data to businesses about users without using tracking cookies. This means that data is not tied to any singular user, and the data cannot be hacked, reverse-engineered, or manipulated to extract insights about any singular user. Businesses can still see important metrics about their site, such as how much traffic they’re getting—either to the site as a whole or to a particular page or part of the site—data on important keywords, data about marketing campaigns and advertisements, and much more.
What Limitations Does Cookie-Less Tracking Have?
Cookie-less tracking does put some limitations on businesses. For example, it prevents businesses from running remarketing campaigns. These campaigns are tracked to a particular person using cookies, and will show ads to them based on actions they’ve previously taken, such as searching a particular phrase, visiting a particular website, or following an account on social media, among other things. It also makes it more difficult to target ads based on some demographic information.
How to Use Cookie-Less Tracking Tools for GDPR and CCPA Compliance
Cookie-less tracking also means using alternative tools to common platforms like Google Analytics, Meta Pixel, and others. These tools are not GDPR compliant and are not, by themselves, CCPA compliant. Instead, business owners and webmasters have made the switch to cookie-less tracking tools like Fathom Analytics, Matomo, or Piwik, among others.
In general, here’s how to use cookie-less tracking tools for GDPR and CCPA compliance. Remember, these are the general steps; you should consult with a legal expert to ensure compliance.
- Make the switch to a cookie-less tracking platform, like Fathom Analytics, Matomo, Piwik, or others.
- Delete data stored on platforms using tracking cookies, like Google Analytics.
- Update your privacy policy to show that your site uses cookie-less tracking and does not track, store, or sell users’ personal information at any time. For GDPR compliance specifically, provide this in a clear notice on your website.
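To make concrete what “not tied to any singular user” looks like in practice, here is an added example of a minimal cookie-less page-view recorder. It is not code from the original post or from any of the tools named above, and it assumes a server-side design in which the only persisted record is a count per day and path (plus a count per referring hostname); identifiers such as IP address, User-Agent or cookies are never accepted by the recorder, and query strings are stripped because they frequently carry tokens or e-mail addresses that must not end up in analytics storage. The sample timestamps and URLs are constructed.

```javascript
// Added example (not the post's or any named tool's code): aggregate-only,
// cookie-less page-view statistics. Assumption: a page view is reported as
// { url, referrer, timestamp } only; per-visitor identifiers are rejected.

const MAX_PATH_LENGTH = 200; // cap to keep pathological paths out of storage (constructed limit)

// Fields a caller must never pass in; rejecting them is the safeguard against
// accidentally persisting something that identifies a single visitor.
const FORBIDDEN_FIELDS = ['ip', 'userAgent', 'cookie', 'sessionId', 'userId'];

// Reduce a request URL to the part worth counting: the path only. Query strings
// and fragments are dropped so that "?email=..." or "#token" are never stored.
function normalizePath(rawUrl) {
  let pathname;
  try {
    pathname = new URL(rawUrl || '/', 'http://placeholder.invalid').pathname;
  } catch {
    return '/';
  }
  return pathname.slice(0, MAX_PATH_LENGTH) || '/';
}

// Keep only the referring site's hostname, never the full referring URL.
function referrerHost(referrer) {
  if (!referrer) return null;
  try {
    return new URL(referrer).hostname || null;
  } catch {
    return null;
  }
}

function bump(map, key) {
  map.set(key, (map.get(key) || 0) + 1);
}

class AggregateStats {
  constructor() {
    this.views = new Map();     // "YYYY-MM-DD path" -> count
    this.referrers = new Map(); // "YYYY-MM-DD host" -> count
  }

  // Record one page view. Throws if the caller tries to hand over identifiers.
  recordPageView(view) {
    for (const field of FORBIDDEN_FIELDS) {
      if (field in view) throw new Error(`refusing to record identifying field: ${field}`);
    }
    const day = new Date(view.timestamp).toISOString().slice(0, 10);
    bump(this.views, `${day} ${normalizePath(view.url)}`);
    const host = referrerHost(view.referrer);
    if (host) bump(this.referrers, `${day} ${host}`);
  }

  viewsFor(day, path) {
    return this.views.get(`${day} ${path}`) || 0;
  }

  referrersFor(day, host) {
    return this.referrers.get(`${day} ${host}`) || 0;
  }
}

// Stand-alone demonstration with constructed input.
const demo = new AggregateStats();
demo.recordPageView({ url: '/blog/post?email=a%40b.example', referrer: 'https://news.example.org/story?id=1', timestamp: '2024-03-01T10:00:00Z' });
demo.recordPageView({ url: '/blog/post#section', referrer: '', timestamp: '2024-03-01T11:30:00Z' });
console.log(demo.viewsFor('2024-03-01', '/blog/post')); // 2
```

Because the stored keys contain nothing but a date, a path and a referring hostname, a breach of this store exposes traffic volumes but no individual’s browsing history, which is the property the post attributes to cookie-less tools.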
Cookie Banners and Privacy Policies

A detailed cookie policy, like this one from Food & Wine, is one way to be compliant with GDPR, CCPA, and similar rules.
You probably remember seeing banners or pop-ups on websites asking your permission to use cookies. However, users in the US might have recently noticed fewer of these. That’s because of the previously mentioned difference between GDPR and CCPA: opt-in consent vs opt-out requests, respectively. Many businesses are using different mechanisms depending on where their users are located.
Different Practices in Different Areas
Many businesses have updated their websites to show cookie banners to EU residents, and get their permission before tracking their data. However, these same businesses only show updated privacy policies and (often hidden) opt-out request buttons to those in the US. These businesses continue to track information of US residents, and have made no discernible changes to their data processing policies. When users make a data deletion request or opt out of tracking, it’s unclear if this results in any response.
Hiding Opt-Out Requests

People Inc, like most major media companies, puts their tracking information and opt-out options in their privacy policy, hidden at the bottom of their site.
Hiding opt-out requests, and burying data usage and storage information in privacy policies that are difficult to access or make sense of, do not comply with CCPA. However, this may come down to yet-unresolved case law, and many businesses may see the value of tracking, selling, and using personal information as outweighing the risk of a CCPA violation. Moreover, big businesses may see the CCPA regulatory authorities—namely, the California government, or the applicable state government—as simply lacking the resources to take them to court and hold them accountable. In any case, it seems that CCPA compliance has not been adequately enforced to create real change for user privacy in the US.
How to use cookie banners and privacy policies for GDPR compliance:
- You must use a banner that states that you track user information using cookies, and users must be able to refuse these cookies.
- It must be clear on your website—usually in the privacy policy or a similar area—what data you collect about users, how this data is used, who it is shared with, and how long it is stored.
- Any data collected about a user must be deleted if a user requests it.
How to use cookie banners and privacy policies for CCPA compliance:
- A banner on your site should clearly state that you use cookies and users can opt-out of this data collection.
- Users can request that their data be deleted at any time, and this request must be honored.
- If you sell users’ data, you must clearly state this, and give users a clear and available option to refuse the sale of their data.
- In your privacy policy or a similar area, you should state what data you collect about users, how this data is used, who it is shared with, and how long it’s stored.
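The practical difference between the two lists above is when tracking scripts are allowed to run: under the GDPR-style rules nothing may load until the visitor has granted consent, while under the CCPA-style rules trackers may run until the visitor opts out. The following added example (not code from the original post) shows that gating logic in one place, so that the decision to load a tracker is made before any tracking cookie can be set. It assumes that the applicable regime (“opt-in” or “opt-out”) has already been determined elsewhere, for instance from the request’s geolocation; that the visitor’s choice is kept in a hypothetical first-party cookie named `consent_choice`; and that a Global Privacy Control signal (the `Sec-GPC: 1` request header or `navigator.globalPrivacyControl`) is honored as an opt-out request.

```javascript
// Added example (not the post's code): decide whether tracking scripts may load,
// given the consent regime and the visitor's stored choice. Assumptions: the
// regime is computed elsewhere; "consent_choice" is a hypothetical cookie name;
// a GPC signal counts as an opt-out.

const CONSENT_COOKIE = 'consent_choice';      // hypothetical cookie name
const CONSENT_MAX_AGE = 60 * 60 * 24 * 180;   // ask again after 180 days (constructed value)

// Parse a Cookie request header ("a=1; b=2") into an object, skipping malformed pairs.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx <= 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(value);
    } catch {
      // malformed percent-encoding: ignore this pair rather than fail the request
    }
  }
  return out;
}

// Read the stored choice; any value other than the two known ones counts as "no choice yet".
function readConsent(cookieHeader) {
  const v = parseCookieHeader(cookieHeader)[CONSENT_COOKIE];
  return v === 'granted' || v === 'denied' ? v : null;
}

// Core decision, evaluated before any tracker script is inserted into the page.
function decideTracking({ regime, cookieHeader, gpcSignal = false }) {
  const choice = readConsent(cookieHeader);
  if (regime === 'opt-in') {
    // GDPR-style: default is no tracking; only an explicit "granted" loads trackers.
    return {
      loadTrackers: choice === 'granted',
      showBanner: choice === null,
      bannerMode: 'ask-consent',
    };
  }
  if (regime === 'opt-out') {
    // CCPA-style: trackers run unless the visitor opted out, either by stored
    // choice or by sending a GPC signal. The banner is an informational notice
    // with an opt-out control, not a consent gate.
    const optedOut = choice === 'denied' || gpcSignal;
    return {
      loadTrackers: !optedOut,
      showBanner: choice === null && !gpcSignal,
      bannerMode: 'notice-with-opt-out',
    };
  }
  throw new Error(`unknown consent regime: ${regime}`);
}

// Set-Cookie value recording the visitor's choice. The consent cookie itself is
// strictly necessary for honoring that choice, so it is set without prior consent.
function buildConsentCookie(choice) {
  if (choice !== 'granted' && choice !== 'denied') throw new Error('invalid consent choice');
  return [
    `${CONSENT_COOKIE}=${choice}`,
    `Max-Age=${CONSENT_MAX_AGE}`,
    'Path=/',
    'Secure',
    'SameSite=Lax',
  ].join('; ');
}

// Stand-alone demonstration with constructed requests.
console.log(decideTracking({ regime: 'opt-in', cookieHeader: '' }));                       // no trackers, banner shown
console.log(decideTracking({ regime: 'opt-out', cookieHeader: '', gpcSignal: true }));    // no trackers, no banner
console.log(buildConsentCookie('denied'));
```

The important property is that `loadTrackers` is the only thing the page consults before injecting an analytics or ad script; if the tracker is inserted unconditionally and the banner merely hides it, the tracking cookie has already been set and the opt-in requirement is not met. The `Secure` and `SameSite=Lax` attributes on the consent cookie keep a visitor’s recorded refusal from being replayed or overwritten from another origin.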
Keep in mind that these lists are not exhaustive. For example, it’s also the business’s responsibility to protect user information from bad actors, delete information at regular intervals, and conduct other data housekeeping measures.
Other Ways to Make Your Site CCPA and GDPR Compliant
Cookie-less tracking tools and cookie banners are not the only way to make your site CCPA and GDPR compliant, though they are two of the most common. Many businesses combine strategies, showing different banners and notifications to different users based on their IP address location. Others might choose not to use tracking of any type, and might instead rely on social media, localized SEO, traditional advertising or another method to drive traffic. Many businesses choose to outsource this aspect of their website to a third party.
There are many ways to comply with GDPR, CCPA and similar legislation. Which is best for your site will depend on what type of tools and tracking you use, what you use data for, and how you best use your website. Considering GDPR and CCPA carefully and choosing a tracking strategy that puts your customers first will help you build stronger relationships while also protecting you from liability.