Compare Privacy Regulations
Compare GDPR, CCPA, and PIPEDA side-by-side to understand their key differences and similarities.
GDPR
Jurisdiction: European Union
Effective: May 25, 2018
Applies to: All EU residents
CCPA
Jurisdiction: California, USA
Effective: January 1, 2020
Applies to: California residents
PIPEDA
Jurisdiction: Canada
Effective: April 13, 2000
Applies to: Canadian residents
| Feature | GDPR | CCPA | PIPEDA |
|---|---|---|---|
| Geographic Scope | EU residents worldwide | California residents only | Canadian residents |
| Consent Required | ✅ Explicit opt-in required | ⚠️ Opt-out for data sales | ✅ Meaningful consent required |
| Right to Access | ✅ Yes | ✅ Yes | ✅ Yes |
| Right to Deletion | ✅ "Right to erasure" | ✅ Yes, with exceptions | ✅ Yes, when appropriate |
| Data Portability | ✅ Yes | ❌ No | ⚠️ Limited |
| Breach Notification | 72 hours to authority | Private right of action | As soon as possible |
| DPO/Privacy Officer | ✅ Required for some | ❌ Not required | ⚠️ Recommended |
| Maximum Fine | €20M or 4% revenue | $7,500 per violation | $100K per violation |
| Age of Consent | 16 years (13-16 by member state) | 16 years | 13 years (provincial laws vary) |
| Cross-Border Transfers | Strict requirements | No specific requirements | Adequate protection required |
GDPR Highlights
- Strictest consent rules: Requires explicit, granular consent
- Data Protection Officer: Required for large-scale data processing
- Privacy by design: Mandates privacy considerations in system design
- Largest fines: Up to €20M or 4% of global revenue
CCPA Highlights
- Opt-out model: Allows data collection unless user opts out
- "Do Not Sell" requirement: Must provide clear opt-out link
- No DPO required: Simpler organizational structure
- Revenue thresholds: Only applies to larger businesses
PIPEDA Highlights
- Oldest framework: In effect since 2000, most mature
- Reasonable purposes: Focuses on legitimate business needs
- Provincial variations: Some provinces have their own laws
- Less prescriptive: More flexible interpretation
Which Regulation Applies to Your Business?
You Need GDPR If:
- ✅ You target EU residents
- ✅ You have EU customers/users
- ✅ You monitor EU behavior
You Need CCPA If:
- ✅ You do business in California
- ✅ You meet revenue/data thresholds
- ✅ You collect CA resident data
You Need PIPEDA If:
- ✅ You operate in Canada
- ✅ You have Canadian customers
- ✅ You cross provincial borders