CPRA vs. GDPR : The notable similarities and differences

The CPRA mandates that organizations collect personal information only to the extent that it is relevant and limited to what is necessary to the purposes it is being collected, used, and shared.

Organizations that wish to use Personal Information differently than previously disclosed must notify consumers before proceeding with the data use.

Organizations must not retain PI for longer than is “reasonably necessary” for each disclosed purpose. At the time of collection, they must also disclose their retention periods for each category of PI—or, if that is not possible, the criteria used to determine the retention period.

Inspired by the GDPR, the CPRA has introduced a new sub-category of personal information called Sensitive Personal Information (SPI). SPI defines higher-risk, sensitive information about a person that could cause significant harm to the person if it were to be made public or fall into the wrong hands. Examples of SPI under CPRA include:

• Government-issued identifiers
• Financial account information
• Geolocation data
• Religious beliefs
• Genetic data
• Health information, and others

To learn more about CPRA, click here.

Also, organizations must limit their use of sensitive personal information to only that which is necessary to perform the services or provide the goods reasonably expected by an average consumer.

The CPRA also gives consumers the right to restrict organizations from using, disclosing, or sharing their sensitive personal information for specific secondary purposes to third parties.

Organizations that process consumer personal information which presents a significant risk to consumer privacy or security must perform regular risk assessments and annual Cyber-security Audits. Risk assessment and audit results must be submitted to the newly-created California Privacy Protection Agency (CPPA).

Effective Date: January 1, 2023.

The CPRA applies only to for-profit organizations that conduct organization in California and collect personal information from California residents and meet at least one of the following criteria:

• Gross annual revenue is greater than $25 million (January to January),
• Buys, sells, or shares the personal information of 100,000 or more California consumers or households,
• Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.

The CPRA also applies to joint ventures, which are defined as follows: “joint venture or partnership composed of organizations in which each organization has at least a 40 percent interest.”

The CPRA allows consumers to make requests to access their PI, which is collected, sold, and covered by organizations. Consumers can request personal information collected by an organization for up to 12 months. While consumers’ can request personal information collected from before the 12 months, if the request requires disproportionate effort or is impossible to do so for the organization, the request can be denied. It is also important to note that if the request requires access to personal information collected beyond the 12 months, an organization is only liable to provide the PI collected after January 1, 2022.

Information required to be sent as part of an access request is:

• Categories of PI collected, disclosed for an organization purpose, sold, and shared about the consumer. 
• Categories of sources from where the PI is collected,
  
• The organization or commercial purposes for collecting, selling, or sharing the consumer’s PI,
  
• The categories of third parties with whom the organization discloses, sells, or shares the PI,
  
• Specific pieces of PI asked for by the consumer.

The CPRA prohibits selling the personal information of a person under the age of 16 without consent. Children aged 13 – 16 can provide consent. Parents must provide consent for children under 13. Specifically, the CPRA triples fines for violations involving children’s personal information under the age of 16.

The CPRA requires that organizations whose processing of Personal Information “presents a significant risk to consumers’ privacy or security” perform an annual cybersecurity audit.

New California Privacy Protection Agency (CPPA) is given full administrative power, authority, and jurisdiction to implement and enforce CPRA.

Under the CPRA, organizations can be fined $2,500 per unintentional violation and up to $7,500 per intentional violation. In addition, fines for all violations related to children’s personal information under the age of 16 are $7,500 per violation if the organization had actual knowledge that the personal information belonged to a minor.

Also, organizations do not have the 30-day cure period before being fined for violations. Instead, the CPRA gives this responsibility to the CPPA agency, which has the discretionary power to provide a period to cure.