GDPR vs CCPA vs ePrivacy: which law applies to your website

A comparison of the three major privacy frameworks — who they cover, what they require, and what happens if you get it wrong.

If you run a website that serves visitors from more than one country, you’re probably subject to multiple privacy laws. Here’s a plain-language breakdown of the three that matter most.

GDPR (General Data Protection Regulation)

Who it covers: any organization that processes personal data of people in the EU/EEA, regardless of where the organization is based. The GDPR guide covers the mechanics in depth.

Key requirements:

  • Consent must be explicit, informed, and freely given
  • Pre-ticked boxes are not valid consent
  • Users must be able to withdraw consent as easily as they gave it
  • Data breach notification within 72 hours
  • Right to access, rectify, and delete personal data

Penalties: up to €20 million or 4% of global annual turnover, whichever is higher.

ePrivacy Directive

Who it covers: anyone who stores or accesses information on a user’s device in the EU/EEA. The ePrivacy Directive is what turns “GDPR consent” into an actual cookie-banner requirement.

Key requirements:

  • Consent required before setting non-essential cookies
  • Cookie walls (forcing consent to access a site) are generally not valid
  • Users must be informed about what cookies do before they consent

The ePrivacy Directive is being replaced by the ePrivacy Regulation, which will align more closely with GDPR. Timeline: unclear, but the current directive remains in force.

CCPA/CPRA (California)

Who it covers: for-profit businesses that collect California residents’ personal data and meet one of: $25M+ revenue, data on 100K+ consumers, or 50%+ revenue from selling data. The CCPA guide has the full threshold breakdown.

Key requirements:

  • Right to know what data is collected
  • Right to delete personal data
  • Right to opt out of the sale or sharing of personal data
  • “Do Not Sell or Share My Personal Information” link must be visible
  • Global Privacy Control (GPC) must be honored

Penalties: $2,500 per unintentional violation, $7,500 per intentional violation. There’s no cap; these are per-violation amounts.

Other US state laws

As of 2026, at least 15 US states have comprehensive privacy laws: California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Florida, Delaware, New Jersey, and New Hampshire. Each has its own thresholds and requirements.

The practical approach: comply with the strictest one (California) and you’re mostly covered for the rest.

Which one applies to you?

You have visitors from…                      These laws apply
EU/EEA/UK                                    GDPR + ePrivacy Directive
California (and you meet thresholds)         CCPA/CPRA
Other US states with laws                    Their respective state laws
Canada                                       PIPEDA (federal) + provincial laws
Brazil                                       LGPD
Japan                                        APPI
Australia                                    Privacy Act 1988

The practical takeaway

If you have EU visitors: you need a consent banner with granular opt-in. If you have California visitors and meet the thresholds: you need a “Do Not Sell” mechanism. If you have both: you need both.

How Zest handles it

Zest defaults to the stricter GDPR consent mode, so the same script that satisfies the EU also covers California’s opt-out requirements and the ePrivacy cookie-banner rule. Geo-detection lets it serve a lighter opt-out experience in the US and full granular consent in the EU, which means one banner handles all three regimes without you maintaining three separate configurations. GPC signals are honored everywhere, so a single California-style “Do Not Sell” path also satisfies the universal opt-out language creeping into other state laws.

Own your cookie banner.

Zest is free and MIT-licensed, and it doesn't phone home to anyone.
Drop the script in and you're done.