Privacy & Data Protection

CCPA vs GDPR: Dual Compliance Without Doubling the Work

Standarity Editorial Team (CCPA & GDPR Implementation Practitioners)

For many organisations operating in the US and Europe, CCPA and GDPR are simultaneously in scope. The instinct is often to run two privacy programmes — one for each — staffed by different people, with different documentation, different processes, and different vocabulary. This is expensive and produces inconsistencies that auditors and regulators eventually find. The better approach is a single privacy operating model that satisfies both.

What the Two Regimes Actually Demand

Both regimes require organisations to know what personal data they hold, why they hold it, and how it flows. Both grant data subjects rights to access, deletion, and (in different formulations) correction. Both require disclosures to data subjects at the point of collection. Both impose obligations on relationships with service providers or processors. Both expect security measures appropriate to the risk.

The differences are real but narrower than commonly assumed. GDPR requires a lawful basis for processing; CCPA does not, but does grant a right to opt out of sale or sharing of personal data. GDPR has an explicit data minimisation principle and stricter consent requirements. CCPA introduces "sensitive personal information" as a category with distinct rules. Cross-border transfer rules differ substantially. Penalties differ. The supervisory authority structures differ.

The Single Operating Model

A unified privacy operating model rests on shared infrastructure: one Record of Processing Activities (covering both GDPR Article 30 and CCPA accountability requirements), one set of data subject rights workflows that handle both GDPR rights and CCPA rights with branching for jurisdiction-specific requirements, one privacy notice template that is regionally adapted, one vendor management programme that satisfies both processor and service provider obligations, one breach response process that triggers either regulator notification path.

A common stumbling point: GDPR has a 72-hour breach notification window for the supervisory authority; CCPA does not require notification to a supervisory authority but does have specific consumer notification triggers. Build the breach response runbook around the stricter requirement (72 hours) and apply it to both regimes — it satisfies GDPR and exceeds CCPA, and your incident response team only learns one process.

Where the Two Regimes Genuinely Diverge

  • Lawful basis (GDPR) vs no basis requirement (CCPA) — handle in the data inventory, not in operations
  • Consent quality (GDPR strict) vs notice-and-opt-out (CCPA) — keep two consent flows where it matters
  • Sensitive personal information (CCPA new category) vs special categories (GDPR Article 9) — different scope, different rules
  • Cross-border transfers (GDPR adequacy and SCCs) — apply the GDPR-strict treatment globally
  • Sale and sharing (CCPA-specific) — needs explicit handling; honouring opt-out preference signals such as Global Privacy Control (GPC) is now compulsory

When to Adopt ISO 27701

For organisations already running ISO 27001, ISO 27701 provides a structured framework that addresses most of what both CCPA and GDPR demand. The certification does not satisfy the regulations — neither regulation recognises it as a substitute — but the implementation work overlaps substantially with what compliance requires. If you are building privacy infrastructure from scratch, using ISO 27701 as the operating framework is faster than rebuilding equivalent structures from the regulatory texts.

The privacy programme that holds up under both regimes is not the one that copies each regulation literally into operating procedures. It is the one that captures the underlying privacy principles in shared infrastructure and uses jurisdiction-specific branching where the regulations actually differ. That model also extends gracefully to the next regulation that arrives — and several are arriving.
