US vs EU Data Privacy Laws: A Complete Comparison for 2026

By Legiseye Team


Data privacy regulation is one of the fastest-moving areas of law in the world. For businesses operating across the Atlantic, the challenge is stark: the EU and US take fundamentally different approaches to protecting personal data. Understanding these differences is not optional — it is a compliance requirement.

This guide provides a comprehensive comparison of US and EU data privacy laws as they stand in 2026, covering GDPR, CCPA/CPRA, the growing patchwork of US state laws, and practical guidance for businesses operating in both markets.

The EU Approach: GDPR

The General Data Protection Regulation (GDPR) has been the global benchmark for data privacy since it took effect in May 2018. It establishes a unified, comprehensive framework for personal data protection across all 27 EU member states plus the EEA countries. You can track the latest EU regulatory developments on our EU regulatory updates page.

Core Principles

GDPR is built on seven foundational principles:

  1. Lawfulness, fairness, and transparency: Data must be processed lawfully, with clear communication to individuals about how their data is used
  2. Purpose limitation: Data can only be collected for specified, explicit, and legitimate purposes
  3. Data minimization: Only data that is necessary for the stated purpose should be collected
  4. Accuracy: Personal data must be kept accurate and up to date
  5. Storage limitation: Data should not be kept longer than necessary
  6. Integrity and confidentiality: Data must be protected against unauthorized access, loss, or destruction
  7. Accountability: Organizations must demonstrate compliance with all principles

Legal Bases for Processing

Unlike US law, GDPR requires organizations to have a legal basis before processing any personal data. The six legal bases are:

  • Consent: The individual has given clear, informed, and freely given consent
  • Contract: Processing is necessary for a contract with the individual
  • Legal obligation: Processing is required by law
  • Vital interests: Processing is necessary to protect someone's life
  • Public task: Processing is necessary for a task in the public interest
  • Legitimate interests: Processing is necessary for the organization's legitimate interests, balanced against the individual's rights

Consent under GDPR must be opt-in — explicit, informed, and freely given. Pre-ticked boxes and bundled consent are not valid. This is one of the sharpest contrasts with US law.

Individual Rights

GDPR grants individuals extensive rights over their personal data:

  • Right of access: Obtain a copy of all personal data held about you
  • Right to rectification: Correct inaccurate personal data
  • Right to erasure ("right to be forgotten"): Request deletion of personal data
  • Right to restrict processing: Limit how data is used
  • Right to data portability: Receive data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests or direct marketing
  • Rights related to automated decision-making: Not be subject to decisions based solely on automated processing that significantly affect you

Enforcement

GDPR is enforced by Data Protection Authorities (DPAs) in each EU member state, coordinated by the European Data Protection Board (EDPB). Penalties are severe:

  • Up to 20 million EUR or 4% of global annual turnover for the most serious violations
  • Up to 10 million EUR or 2% of global annual turnover for lesser violations

Since 2018, cumulative GDPR fines have exceeded 4 billion EUR. Major penalties have been levied against technology companies, telecoms, and financial institutions. The regulation applies to any organization processing the data of individuals in the EU, regardless of where the organization is based.

The US Approach: A Patchwork of Laws

The United States has no single, comprehensive federal data privacy law equivalent to GDPR. Instead, privacy is regulated through a combination of sector-specific federal laws and a rapidly growing collection of state privacy statutes. Follow the latest US federal regulatory changes on our US law updates page.

Federal Privacy Laws

US federal privacy law is sector-specific:

  • HIPAA (Health Insurance Portability and Accountability Act): Protects health information held by covered entities and their business associates
  • GLBA (Gramm-Leach-Bliley Act): Requires financial institutions to explain their data-sharing practices and protect sensitive data
  • COPPA (Children's Online Privacy Protection Act): Regulates the collection of personal information from children under 13
  • FERPA (Family Educational Rights and Privacy Act): Protects the privacy of student education records
  • FTC Act: The Federal Trade Commission uses its authority over unfair or deceptive practices to bring enforcement actions against companies that violate their own privacy policies or engage in unreasonable data practices

As of 2026, there is still no comprehensive federal privacy bill signed into law, despite multiple legislative attempts. The American Privacy Rights Act (APRA) advanced through committee in 2024 but did not pass. This leaves state law as the primary driver of US privacy regulation.

CCPA/CPRA (California)

California's Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most influential state privacy law in the US. It has been in full effect since July 2023 and is enforced by the California Privacy Protection Agency (CPPA).

Key provisions:

  • Applies to for-profit businesses that meet revenue, data volume, or data sale thresholds
  • Grants consumers the right to know what data is collected, the right to delete, the right to opt out of the sale or sharing of personal information, and the right to correct inaccurate data
  • Introduces the concept of "sensitive personal information" with additional protections
  • Requires businesses to honor browser-based opt-out signals (Global Privacy Control)
  • Private right of action for data breaches (limited scope)
  • Enforcement by the CPPA and the California Attorney General

Notable difference from GDPR: CCPA uses an opt-out model. Businesses can collect and process personal information by default, and consumers must actively opt out of data sales or sharing. GDPR, by contrast, generally requires opt-in consent before processing begins.

Other State Privacy Laws

As of early 2026, comprehensive privacy laws are in effect or taking effect in approximately 20 US states. Key examples include:

  • Virginia (VCDPA): Effective January 2023
  • Colorado (CPA): Effective July 2023
  • Connecticut (CTDPA): Effective July 2023
  • Utah (UCPA): Effective December 2023
  • Texas (TDPSA): Effective July 2024
  • Oregon (OCPA): Effective July 2024
  • Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Nebraska, Maryland, Minnesota, Kentucky, Rhode Island: Various effective dates through 2025-2026

While these laws share common elements — consumer rights, business obligations, opt-out mechanisms — they differ in thresholds, definitions, exemptions, enforcement mechanisms, and scope. This creates a compliance challenge for businesses operating across multiple states.

Key Differences: GDPR vs US Privacy Laws

Consent Model

| | GDPR | US (CCPA/State Laws) |
|---|---|---|
| Default | Opt-in: must obtain consent before most processing | Opt-out: can process by default, consumers must opt out |
| Consent standard | Explicit, informed, freely given, specific | Varies; CCPA focuses on right to opt out of sale/sharing |
| Children | Under 16 requires parental consent (member states can lower to 13) | Under 13 requires verifiable parental consent (COPPA); CCPA requires opt-in for under 16 |

Scope and Coverage

| | GDPR | US (CCPA/State Laws) |
|---|---|---|
| Geographic reach | Any entity processing EU residents' data | Varies by state; typically requires doing business in the state or meeting data thresholds |
| Entity scope | Applies to all organizations (for-profit and non-profit) | Typically applies only to for-profit businesses meeting revenue or data volume thresholds |
| Data covered | All personal data (any information relating to an identifiable person) | Varies; CCPA covers personal information linked to a consumer or household |

Individual Rights

Both frameworks grant individuals rights over their data, but the scope differs:

  • Right to deletion: Available under both GDPR and CCPA, but GDPR's "right to be forgotten" is broader
  • Right to access: Both frameworks provide this, but GDPR requires more detailed disclosure
  • Right to portability: GDPR provides a robust portability right; CCPA's equivalent is more limited
  • Right to object/opt out: GDPR's right to object covers all processing based on legitimate interests; CCPA's opt-out focuses on sale and sharing
  • Automated decision-making: GDPR explicitly addresses rights related to automated decisions; most US state laws do not

Enforcement and Penalties

| | GDPR | US (CCPA/State Laws) |
|---|---|---|
| Enforcer | National DPAs + EDPB coordination | State attorneys general + dedicated agencies (CPPA in California) |
| Maximum fine | 20M EUR or 4% global turnover | Varies; CCPA: $2,500 per violation, $7,500 per intentional violation |
| Private right of action | Generally no (except for data breaches in some member states) | CCPA: limited private right of action for data breaches |

Data Transfers

GDPR restricts the transfer of personal data outside the EU unless the destination country provides "adequate" data protection or appropriate safeguards are in place. The EU-US Data Privacy Framework, adopted in July 2023, provides a mechanism for certified US organizations to receive EU personal data. However, its long-term stability remains uncertain — the two prior frameworks (Safe Harbor and Privacy Shield) were both invalidated by the Court of Justice of the EU.

US state privacy laws generally do not restrict cross-border data transfers.

2026 Updates and Trends

EU Developments

  • GDPR enforcement intensification: DPAs across Europe are increasing enforcement activity, with larger fines and more frequent actions against smaller companies (not just tech giants)
  • AI Act intersection: The EU AI Act creates overlapping obligations with GDPR for AI systems that process personal data, particularly around automated decision-making, profiling, and biometric data
  • ePrivacy Regulation: Still pending, this regulation will update rules on electronic communications privacy, cookies, and direct marketing — complementing GDPR
  • Data Act: The EU Data Act, which started applying in September 2025, creates new rules for data access and sharing that interact with GDPR obligations

US Developments

  • State law proliferation: New state privacy laws continue to take effect, increasing compliance complexity
  • Federal legislation: While a comprehensive federal privacy law remains elusive, sector-specific proposals around AI, children's privacy, and health data continue to advance
  • FTC enforcement: The FTC is using its existing authority more aggressively, bringing enforcement actions around data minimization, deceptive privacy practices, and children's data
  • Global Privacy Control: More states are requiring businesses to honor universal opt-out signals, making browser-based privacy controls a practical compliance requirement

Practical Guidance for Businesses

If You Operate in Both Markets

  1. Default to the higher standard. In most cases, building to GDPR standards will satisfy US state law requirements. The reverse is not true — CCPA compliance alone does not meet GDPR obligations.

  2. Implement consent management. Deploy a consent management platform that handles both GDPR opt-in consent and US opt-out requirements. Ensure it honors Global Privacy Control signals for US users and collects valid GDPR consent for EU users.

  3. Map your data flows. Document what personal data you collect, where it is stored, how it flows between jurisdictions, and who has access. This is required under GDPR's accountability principle and is essential for managing cross-border compliance.

  4. Maintain a unified rights request process. Build a single system for handling data subject rights requests (access, deletion, correction) that can fulfill the requirements of both GDPR and US state laws.

  5. Address data transfers. If you transfer EU personal data to the US, ensure you have a valid transfer mechanism in place — whether through the EU-US Data Privacy Framework, Standard Contractual Clauses, or another approved safeguard.

  6. Monitor state-by-state requirements. US state privacy laws differ in details that matter: exemption thresholds, sensitive data definitions, cure periods, and private right of action provisions. Track which states' laws apply to your business and where they diverge.

  7. Prepare for AI-specific obligations. Both GDPR (through its provisions on automated decision-making) and new AI-specific regulations (the EU AI Act, proposed US state AI laws) create obligations around AI systems that process personal data. If you use AI in customer-facing decisions, start assessing these requirements now.
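As an added example of steps 1 and 2 above (not Legiseye's code), here is a small decision function that applies the GDPR opt-in default and the US opt-out default from the consent table and honours the Global Privacy Control browser header. It assumes the caller has already resolved the user's jurisdiction ("EU" or "US"), lower-cased the request headers, and looked up the stored consent record; the purpose names and the record fields are constructed for this illustration.

```javascript
// Added example: decision logic for the opt-in (GDPR) vs opt-out (CCPA/state) models.
// Not Legiseye's code. Inputs are assumptions: jurisdiction is "EU" or "US", headers is a
// lower-cased header map, consent is this user's stored record (or null) with a shape
// constructed for this example: { method: "explicit"|"preticked", purposes: [...],
// optOutSaleShare: bool }.

const PURPOSES = ["essential", "analytics", "marketing", "sale_or_share"];

// GPC-enabled browsers send "Sec-GPC: 1". Only that exact value is an opt-out signal.
function gpcOptOut(headers) {
  return String(headers["sec-gpc"] || "").trim() === "1";
}

// EU (GDPR): only strictly necessary processing until the user actively opts in.
// A record produced by a pre-ticked or bundled box is not valid consent and is ignored.
function allowedEU(consent) {
  const granted = consent && consent.method === "explicit"
    ? new Set(consent.purposes || [])
    : new Set();
  return PURPOSES.filter((p) => p === "essential" || granted.has(p));
}

// US (CCPA/state opt-out model): processing is allowed by default; sale/sharing stops when
// the user opted out, a GPC signal is present, or the user is under 16 and has not opted in.
function allowedUS(consent, headers, under16) {
  const optedOut = Boolean(consent && consent.optOutSaleShare) || gpcOptOut(headers);
  const minorOptedIn = Boolean(
    consent && consent.method === "explicit" && (consent.purposes || []).includes("sale_or_share")
  );
  return PURPOSES.filter((p) => {
    if (p !== "sale_or_share") return true;
    if (optedOut) return false;
    return under16 ? minorOptedIn : true;
  });
}

// Single entry point: route by jurisdiction, applying the stricter default where in doubt.
function allowedPurposes({ jurisdiction, headers = {}, consent = null, under16 = false }) {
  return jurisdiction === "EU" ? allowedEU(consent) : allowedUS(consent, headers, under16);
}

// Constructed sample requests: an EU visitor with no consent yet, and a US visitor whose
// browser sends the GPC header.
console.log(allowedPurposes({ jurisdiction: "EU" }));
console.log(allowedPurposes({ jurisdiction: "US", headers: { "sec-gpc": "1" } }));
```

The function only answers "what may be processed for this request"; logging the decision and the inputs it was based on is what satisfies GDPR's accountability principle (step 3).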

Common Compliance Mistakes

  • Treating CCPA and GDPR as interchangeable. They are fundamentally different in structure and obligations. A compliance program built for one will have gaps under the other.
  • Ignoring smaller US states. Many businesses focus on California and ignore other state laws. As more states enact privacy legislation, this approach creates growing risk.
  • Relying on outdated data transfer mechanisms. The EU-US data transfer landscape has shifted multiple times. Verify that your transfer mechanisms are current.
  • Failing to update privacy policies. Privacy policies must accurately reflect your data practices. As laws change, policies need to be updated — and actually followed.

How Legiseye Helps

Tracking privacy regulation across the EU and 20+ US states is a full-time job. New laws take effect, existing laws are amended, enforcement guidance is published, and court decisions reshape requirements — all on an ongoing basis.

Legiseye monitors legislative activity across the US, EU, UK, and other jurisdictions in real time. For privacy and data protection teams, this means:

  • Instant alerts when new privacy legislation is introduced, amended, or enacted
  • AI-powered plain-language summaries that explain what changed and why it matters
  • Multi-jurisdiction coverage from a single platform — no more checking dozens of sources
  • Impact categorization to help you prioritize updates by relevance to your business

Stay ahead of data privacy regulation. Privacy laws are changing faster than ever. Track UK legislation, Germany regulatory changes, and France law updates alongside US and EU developments. Track legislative updates across the US and EU with Legiseye →
