Products

Data Command Center
View

Data+AI Security Teams

Data+AI Teams

Data Governance Teams

Data Privacy Teams

Secure Data+AI anywhere

Data Security Posture Management

Secure sensitive data everywhere from hybrid multicloud to SaaS

AI Security & Governance

Establish controls for safe adoption of AI technologies including GenAI

Security for AI Copilots in SaaS

Unblock the biggest impediments for Safe Adoption of AI Copilots like Microsoft 365 Copilot

Data Access Intelligence & Governance

Monitor user access to data and enforce least privilege controls

Data Discovery & Classification

Discover shadow and cloud-native assets and accurately classify data

Compliance Management

Assess & improve compliance with security best practices frameworks

Breach Impact Analysis

Analyze breach impact & automate notifications to affected individuals

Data Flow Governance

Understand data lineage and secure real-time streaming data

Build safe enterprise AI systems

Safe Enterprise AI Copilots

Implement rule-aware AI copilots across your organization’s data anywhere

Data Vectorization and Ingestion

Extract info from complex Unstructured Files, convert it into AI-ready formats, and sync to vector databases

Data Curation and Sanitization for AI

Transform raw, unstructured files into data ready for model training and tuning

Context-aware LLM Firewalls

Protect AI interactions with intelligent retrieval, response, and prompt firewalls

Unstructured Data Governance

Manage and govern unstructured data to enable its safe use with generative AI

Govern data for safe innovation

Data Discovery & Classification

Discover shadow and cloud-native assets and accurately classify data

Unstructured Data Governance

Manage unstructured data to enable safe use with generative AI

Data Access Governance

Monitor sensitive data access and prevent unauthorized use

AI Governance

Establish controls for safe adoption of AI technologies including GenAI

Data Catalog

Enable users to easily find, understand, trust and access the data they need

Data Lineage

Automatically track changes and transformations of data throughout its lifecycle

Data Quality

Conduct data quality checks and validation across various data types

Automate data privacy operations

Data Mapping Automation

Manage your entire data mapping lifecycle and automate RoPA reports

AI Governance

Comply with emerging AI regulations and ensure safe use of AI

Data Subject Request Automation

Automate entire DSR lifecycle from consumer request intake to secure report delivery

Assessment Automation

Automate your entire assessment lifecycle and demonstrate compliance

Consent Management

Manage your first-party and third-party consent lifecycle from scanning to reporting

Breach Management

Automate your incident management and optimize notifications to users & regulatory bodies

Privacy Center

Elegant Consumer Frontend, Fully Automated Backend, Privacy Regulation Intelligent Everywhere

Compliance Management

Use automation to audit and improve compliance with global regulations and industry standards
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

GCP

View

AWS

View

Databricks

View

Snowflake

View

Azure

View

+ More

View

Learn more

Regulations & Frameworks

Automate compliance with global privacy regulations.

CDMC

View

EU AI Act

View

OWASP

View

NIST AI RMF

View

European Union GDPR

View

California's CPRA

View

Brazil's LGPD

View

Canada's PIPEDA

View

China's PIPL

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Data+AI Builders

View

Data Security

View

Data Privacy

View

Data Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.

Webinars

Learn from industry thought leaders why you need a Data Command Center to enable safe use of data.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Home Knowledge Center Data Privacy Automation CPRA vs CCPA vs GDPR – What’s the Difference?

CPRA vs CCPA vs GDPR – What’s the Difference?

Download: CPRA & GDPR Decision-Making Guide

Published March 1, 2022 / Updated December 19, 2024

Contributors

Anas Baig

Product Marketing Manager at Securiti

Omer Imran Malik

Senior Data Privacy Consultant at Securiti

FIP, CIPT, CIPM, CIPP/US

With nearly a year having passed since CPRA and two since CCPA, most consumers still don’t understand what sets these two pieces of legislation apart from GDPR and what’s similar. There are some key differences between the three, while the core principles remain intact. For a clearer understanding, read below:

GDPR The European Union (EU)'s General Data Protection Regulation (GDPR) is the most comprehensive regulation created dealing with consumer's data privacy. It is inevitable that all subsequent regulations on the subject in Europe and elsewhere would draw comparisons between the GDPR and CCPA/CPRA.
Rights of Customers	To begin with, the GDPR has an incredibly expansive list of rights that all consumers have. These include the right to be informed, right to erasure, the right to restrict data processing, the right to data rectification, the right to object to data portability, right to access, and the right to know if their information is being used for any sort of profiling among several other rights. Perhaps the biggest difference between GDPR and CCPA/CPRA is the opt-in vs. opt-out consent requirements. In other words, as per the GDPR, businesses need to have a lawful basis for processing any sort of customer data - and if the lawful basis is consent, then data subjects must opt-in to agree to the processing. On the other hand, in CCPA/CPRA, businesses are allowed to process consumer personal information for any purpose they want unless the consumer exercises their right to opt-out of having their personal information sold to or shared with third parties.
Scope	Firstly, entities covered under the GDPR include both for-profit and nonprofit entities - including government bodies - which process the personal data of data subjects within the EU. CCPA/CPRA only applies to for-profit businesses which conduct business in California and cater to at least 100,000 customers or households, have $26.625 million or more in gross revenues or make 50% or more of their gross revenue by sharing/selling consumers' personal information. The GDPR covers almost all forms of personal data while the CCPA/CPRA is specific about the exclusion of certain personal information from its scope such as medical information, clinical trials information, financial information covered under the Gramm-Leach-Bliley Act, and personal information covered under the Driver's Privacy Protection Act.
Enforcement Agency	Since coming into effect across the EU in May 2018, the Information Commissioner's Office (ICO) has been the primary enforcement body. In 2019, it was announced that despite the United Kingdom's decision to leave the EU, ICO would continue to enforce GDPR laws across the UK.
Penalties	Under GDPR, non-compliance and data breaches can result in fines as high as 20 million euros or 4% of the violating company's annual global turnover - whichever amount is higher. Under CCPA/CPRA unintentional violations can lead to administrative fines of $2,663 per violation and intentional violations can lead to fines of $7,988 per violation.

CCPA The CCPA legislation was a landmark for data privacy and protection when it was passed in 2018. For consumers in California, it was the first real piece of legislation that provided them the right to privacy they merited in the 21st century. However, in hindsight, a clear room for improvement can be seen. Especially after the CPRA was approved less than a year later.
Rights of Customers	Under CCPA, all California residents have the right to opt-out of third-party data sales, the right to be informed of data collection and rights, the right to have collected data disclosed, the right to have collected data deleted, and the right to equal services and prices without discrimination.
Scope	The CCPA only affects for-profit entities. It went to the length of describing what qualifies as a business with further expansion on that definition by the CPRA. Furthermore, while both the GDPR and CCPA regulations require businesses to inform users when their data is being collected, sold, or disclosed, the GDPR is significantly more thorough. The CCPA requires users to be informed how their data was used every 12-months, while the GDPR requires this to be done within one month. Additionally, the CCPA requires all third parties to inform users if they've obtained their information while the GDPR requires all of that plus the reason why their data was obtained in the first place.
Enforcement Agency	The CCPA is enforced by the California Office of the Attorney General (OAG). The Attorney General's office is responsible for prescribing appropriate fines and penalties for entities found in violation of CCPA rules.
Penalties	The CCPA only levies penalties after a breach occurs. Non-compliance does not result in any sort of fine at all. The penalties involved are as follows: $2,663 for violations $7,988 for intentional violations $107 - $799 in damages in civil court

CPRA The best way to describe CPRA would be that it can be considered a more comprehensive version of the CCPA. There are several key areas where it expands on the CCPA's provisions.
Rights of Customers	Under CPRA, all consumers in California have the right to limit a business's use and disclosure of sensitive information. Additionally, they maintain the right to direct the business to use such information when absolutely necessary. Other than that, all businesses have to provide a clearly visible banner on their website homepage titled “Limit the Use of My Sensitive Personal Information.” with a proper link to a page that would allow them to do so.
Scope	CPRA amended the criteria for what qualifies as a “Business”. While the CCPA described a business as an entity that buys, sells, or shares the personal information of 50,000 consumers, CPRA ups the threshold to 100,000. Moreover, the CPRA added the term, “sharing” to the CCPA's criteria of a business deriving 50% or more of its annual revenue from selling consumers' personal information. Other than that, the CPRA introduced an entirely new category of protected data: sensitive personal information (SPI). This provision is fairly similar to the GDPR's Article 9. As a result, consumers have a right to ask a business' website to limit the use of their sensitive personal information if they fall under CPRA regulations. Other provisions the CPRA has adopted from the GDPR include data minimization, purpose limitation, and storage limitation. Unlike the CCPA, these provisions are codified parts of the official CPRA regulation.
Enforcement Agency	The CPRA created an entirely new authority responsible for enforcing it. The CPRA will be enforced by the California Privacy Protection Agency (CPPA), with absolute investigative and enforcement powers.
Penalties	Same penalties as prescribed by the CCPA.

Conclusion

There are still certain aspects of the CPRA that won't come into effect until January 1, 2023. Most companies will spend 2021 and 2022 laying their infrastructural groundwork for CPRA compliance.

Seeing how their counterparts in the EU have dealt with the GDPR could be key in ensuring a smooth transition. With CPRA requiring businesses to structure their data collection in accordance with the new regulation, this is where Securiti could be just what you need.

As a leader in global privacy compliance software, Securiti harnesses the power of artificial intelligence and machine learning to provide businesses the ability to automate a significant portion of their compliance tasks. Through its AI-driven data discovery, DSR automation, documented accountability, and automation you can become CPRA compliant with a simple click of a button.

Take a
Product Tour

See how easy it is to manage privacy compliance with robotic automation.

See a demo

At Securiti, our mission is to enable organizations to safely harness the incredible power of Data & AI.

Company

Resources

Terms

Get in touch

info@securiti.ai
Securiti, Inc.
3155 Olsen Drive
Suite 350
San Jose, CA 95117

Frost & Sullivan Most Innovative DSPM Leader

Products
Back
Secure Data+AI anywhere

Data Security Posture Management
Secure sensitive data everywhere from hybrid multicloud to SaaS

View

AI Security & Governance
Establish controls for safe adoption of AI technologies including GenAI

View

Security for AI Copilots in SaaS
Unblock the biggest impediments for Safe Adoption of AI Copilots like Microsoft 365 Copilot

View

Data Access Intelligence & Governance
Monitor user access to data and enforce least privilege controls

View

Data Discovery & Classification
Discover shadow and cloud-native assets and accurately classify data

View

Compliance Management
Assess & improve compliance with security best practices frameworks

View

Breach Impact Analysis
Analyze breach impact & automate notifications to affected individuals

View

Data Flow Governance
Understand data lineage and secure real-time streaming data

View
Build safe enterprise AI systems

Safe Enterprise AI Copilots
Implement rule-aware AI copilots across your organization’s data anywhere

View

Data Vectorization and Ingestion
Extract info from complex Unstructured Files, convert it into AI-ready formats, and sync to vector databases

View

Data Curation and Sanitization for AI
Transform raw, unstructured files into data ready for model training and tuning

View

Context-aware LLM Firewalls
Protect AI interactions with intelligent retrieval, response, and prompt firewalls

View

Unstructured Data Governance
Manage and govern unstructured data to enable its safe use with generative AI

View
Govern data for safe innovation

Data Discovery & Classification
Discover shadow and cloud-native assets and accurately classify data

View

Unstructured Data Governance
Manage unstructured data to enable safe use with generative AI

View

Data Access Governance
Monitor sensitive data access and prevent unauthorized use

View

AI Governance
Establish controls for safe adoption of AI technologies including GenAI

View

Data Catalog
Enable users to easily find, understand, trust and access the data they need

View

Data Lineage
Automatically track changes and transformations of data throughout its lifecycle

View

Data Quality
Conduct data quality checks and validation across various data types

View
Automate data privacy operations

Data Mapping Automation
Manage your entire data mapping lifecycle and automate RoPA reports

View

AI Governance
Comply with emerging AI regulations and ensure safe use of AI

View

Data Subject Request Automation
Automate entire DSR lifecycle from consumer request intake to secure report delivery

View

Assessment Automation
Automate your entire assessment lifecycle and demonstrate compliance

View

Consent Management
Manage your first-party and third-party consent lifecycle from scanning to reporting

View

Breach Management
Automate your incident management and optimize notifications to users & regulatory bodies

View

Privacy Center
Elegant Consumer Frontend, Fully Automated Backend, Privacy Regulation Intelligent Everywhere

View

Compliance Management
Use automation to audit and improve compliance with global regulations and industry standards

View
Solutions
Back
GCP
View

AWS
View

Databricks
View

Snowflake
View

Azure
View

+ More
View
CDMC
View

EU AI Act
View

OWASP
Mitigate AI Security Risks with the Broadest Coverage of OWASP Top 10 for LLMs

View

NIST AI RMF
View

European Union GDPR
View

California's CPRA
View

Brazil's LGPD
View

Canada's PIPEDA
View

China's PIPL
View

+ More
View
Data+AI Builders
View

Data Security
View

Data Privacy
View

Data Governance
View

Marketing
View
Resources
- Blog
  
  View
- Collateral
  
  View
- Knowledge Center
  
  View
- Securiti Education
  
  View
- Webinars
  
  View
Company
- About Us
  
  View
- Partner Program
  
  View
- Contact Us
  
  View
- News Coverage
  
  View
- Press Releases
  
  View
- Careers
  
  View

Please enter a minimum of 3 characters to begin your search.

Videos

January 20, 2025

Mitigating OWASP Top 10 for LLM Applications 2025

Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...

January 15, 2025

DSPM vs. CSPM – What’s the Difference?

While the cloud has offered the world immense growth opportunities, it has also introduced unprecedented challenges and risks. Solutions like Cloud Security Posture Management...

January 15, 2025

Top 6 DSPM Use Cases

With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...

January 2, 2025

Colorado Privacy Act (CPA)

What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...

December 24, 2024

Securiti for Copilot in SaaS

Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...

November 1, 2024

Top 10 Considerations for Safely Using Unstructured Data with GenAI

A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....

October 29, 2024

Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes

As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...

August 12, 2024

Navigating CPRA: Key Insights for Businesses

What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...