GDPR vs CCPA vs ePrivacy: which law applies to your website
A comparison of the three major privacy frameworks — who they cover, what they require, and what happens if you get it wrong.
If you run a website that serves visitors from more than one country, you’re probably subject to multiple privacy laws. Here’s a plain-language breakdown of the three that matter most.
GDPR (General Data Protection Regulation)
Who it covers: any organization that processes personal data of people in the EU/EEA, regardless of where the organization is based. The GDPR guide covers the mechanics in depth.
Key requirements:
- Consent must be freely given, specific, informed, and unambiguous (and explicit for special categories such as health data)
- Pre-ticked boxes are not valid consent
- Users must be able to withdraw consent as easily as they gave it
- Data breach notification to the supervisory authority within 72 hours of becoming aware of a breach that is likely to put individuals at risk
- Right to access, rectify, and delete personal data
Penalties: up to €20 million or 4% of global annual turnover, whichever is higher.
ePrivacy Directive (Cookie Law)
Who it covers: anyone who stores information on, or reads information from, a user’s device in the EU/EEA, which includes cookies, local storage, and fingerprinting scripts. Because it is a directive, the exact rule sits in each member state’s national law. The ePrivacy Directive is what turns “GDPR consent” into an actual cookie-banner requirement: GDPR defines what valid consent looks like, and the directive says you need it before touching the device.
Key requirements:
- Consent required before setting non-essential cookies or any other non-essential storage or read on the device; strictly necessary cookies (session, load balancing, the consent choice itself) are exempt
- Cookie walls (forcing consent to access a site) are generally not valid
- Users must be informed about what cookies do before they consent
A replacement ePrivacy Regulation, intended to align the rules more closely with GDPR, was proposed in 2017 but never adopted, and the European Commission withdrew the proposal in 2025. The current directive, as transposed into national law, remains in force.
CCPA/CPRA (California)
Who it covers: for-profit businesses that collect California residents’ personal information and meet one of: $25M+ annual gross revenue (the figure is adjusted for inflation), buying, selling, or sharing the personal information of 100K+ consumers or households, or 50%+ of annual revenue from selling or sharing personal information. The CCPA guide has the full threshold breakdown.
Key requirements:
- Right to know what data is collected
- Right to delete personal data
- Right to opt out of the sale or sharing of personal data
- “Do Not Sell or Share My Personal Information” link must be visible
- Global Privacy Control (GPC) must be honored
Penalties: $2,500 per violation, $7,500 per intentional violation or violation involving a consumer known to be under 16 (base amounts, adjusted for inflation). There’s no cap; these are per-violation amounts, and one misconfigured banner served to many visitors is many violations.
Other US state laws
As of 2026, at least 15 US states have comprehensive privacy laws: California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Florida, Delaware, New Jersey, and New Hampshire. Each has its own thresholds and requirements.
The practical approach: comply with the strictest one (California) and you’re mostly covered for the rest.
Which one applies to you?
| You have visitors from… | These laws apply |
|---|---|
| EU/EEA | GDPR + ePrivacy Directive (as national cookie law) |
| UK | UK GDPR + PECR (the UK’s ePrivacy implementation) |
| California (and you meet thresholds) | CCPA/CPRA |
| Other US states with laws | Their respective state laws |
| Canada | PIPEDA (federal) + provincial laws |
| Brazil | LGPD |
| Japan | APPI |
| Australia | Privacy Act 1988 |
The practical takeaway
If you have EU visitors: you need a consent banner with granular opt-in, and nothing non-essential may run until the visitor says yes. If you have California visitors and meet the thresholds: you need a visible “Do Not Sell or Share” mechanism and must treat a GPC signal as an opt-out. If you have both: you need both, and the two defaults point in opposite directions (EU: off until opted in; California: on until opted out), so the banner has to know which regime the visitor is in.
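The decision described above, written out as an added example (this is not Zest’s code and not code from the page’s author). It assumes a region string from some geo lookup, stubbed here as “EU”, “UK” and “US-CA”, a previously stored consent record passed in as a plain object, and it models the “advertising” cookie category as the sale/sharing of personal information that a GPC signal opts out of. The two real forms of the signal are used as the spec defines them: the `Sec-GPC: 1` request header on the server and `navigator.globalPrivacyControl === true` in the browser. Unknown regions fall back to opt-in, the stricter regime.

```javascript
// Added example: consent gating across an opt-in regime (EU/EEA, UK) and an
// opt-out regime (California). Not Zest's code. Region detection and consent
// storage are assumed to exist and are stubbed as plain values and objects.

const OPT_OUT_REGIONS = new Set(["US-CA"]); // hypothetical geo-lookup code

// Server side: the GPC spec sends the request header "Sec-GPC: 1".
// Anything other than the literal "1" is not a signal.
function gpcFromHeaders(headers) {
  const raw = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return raw !== undefined && String(raw).trim() === "1";
}

// Client side: the same signal is navigator.globalPrivacyControl === true.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Anything not known to be an opt-out jurisdiction gets the stricter opt-in rules.
function regimeFor(region) {
  return OPT_OUT_REGIONS.has(region) ? "opt-out" : "opt-in";
}

// stored: a recorded choice such as { analytics: true, advertising: false },
// or null when the visitor has never chosen. "advertising" stands in for the
// sale/sharing of personal information that a GPC signal opts out of.
function decide({ region, gpc, stored }) {
  const regime = regimeFor(region);
  const allowed = { necessary: true, analytics: false, advertising: false };
  let ui;
  if (regime === "opt-in") {
    // Nothing non-essential runs until an affirmative choice is recorded.
    // GPC changes nothing here because the default is already "no".
    if (stored) {
      allowed.analytics = stored.analytics === true;
      allowed.advertising = stored.advertising === true;
      ui = "none";
    } else {
      ui = "banner-opt-in";
    }
  } else {
    // Opt-out regime: non-essential processing runs unless declined, and the
    // page must always expose the "Do Not Sell or Share" link. A GPC signal is
    // treated as an opt-out of sale/sharing even if an earlier on-site choice
    // said yes, so it cannot be overridden by a stale stored preference.
    ui = "do-not-sell-link";
    allowed.analytics = !(stored && stored.analytics === false);
    allowed.advertising = !gpc && !(stored && stored.advertising === false);
  }
  return { regime, ui, allowed };
}

// Emit Set-Cookie values only for categories the decision allows.
function cookiesToSet(decision, candidates) {
  return candidates
    .filter((c) => decision.allowed[c.category] === true)
    .map((c) => `${c.name}=${c.value}; Path=/; Secure; SameSite=Lax`);
}

// Constructed sample data for a stand-alone run.
const SAMPLE_COOKIES = [
  { name: "session", value: "abc123", category: "necessary" },
  { name: "_ga", value: "GA1.2.555", category: "analytics" },
  { name: "_fbp", value: "fb.1.777", category: "advertising" },
];

function demo() {
  const caRequestHeaders = { "sec-gpc": "1" }; // constructed request from a GPC-enabled browser
  const ca = decide({
    region: "US-CA",
    gpc: gpcFromHeaders(caRequestHeaders),
    stored: { analytics: true, advertising: true }, // earlier on-site "yes" that GPC now overrides
  });
  const eu = decide({ region: "EU", gpc: false, stored: null }); // first visit, no choice yet
  return { ca: cookiesToSet(ca, SAMPLE_COOKIES), eu: cookiesToSet(eu, SAMPLE_COOKIES) };
}

console.log(demo());
```

The California branch sets the analytics cookie but drops the advertising one despite the stored “yes”, because the GPC signal is an opt-out request in its own right; the EU branch sets only the session cookie and asks for a banner. Whether GPC should also switch off analytics depends on whether your analytics vendor counts as sharing, which is a question for your data map, not for the code.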
How Zest handles it
Zest defaults to the stricter GDPR consent mode: a visitor who does nothing is never tracked, which is stricter than California’s opt-out and also satisfies the ePrivacy rule that nothing non-essential is set before consent. Geo-detection lets it serve a lighter opt-out experience in the US and full granular consent in the EU, so one banner handles all three regimes without you maintaining three separate configurations; the California opt-out experience still has to expose the visible “Do Not Sell or Share My Personal Information” link, since that is a requirement in its own right. GPC signals are honored everywhere, so a single California-style “Do Not Sell” path also satisfies the universal opt-out language appearing in other state laws.