Securiti launches Gencore AI, a holistic solution to build Safe Enterprise AI with proprietary data - easily

View

CPRA vs CCPA vs GDPR – What’s the Difference?

Download: CPRA & GDPR Decision-Making Guide
By Anas Baig | Reviewed By Omer Imran Malik
Published March 1, 2022

Listen to the content

When the European Union passed the General Data Protection Regulation (GDPR), it heralded a new age for data protection and privacy. Legislators across the world knew it was only a matter of time before their citizens started demanding something similar in scope and effectiveness. That is primarily the sentiment that led to first the California Consumer Privacy Act (CCPA) and then the California Privacy Rights Act (CPRA).

Get California Privacy Rights Act (CPRA) Readiness Assessment

Securiti’s CPRA assessment evaluates your readiness for CPRA and reviews how compliant your current practices are. This assessment highlights any deficiencies in your practices & aid in your CPRA compliance efforts.

For more information about the California Privacy Rights Act (CPRA) and how to kickstart your CPRA compliance program, see our CPRA Compliance Checklist here and download our white paper on 7 Essential Tips to Prepare for the CPRA.

With nearly a year having passed since CPRA and two since CCPA, most consumers still don’t understand what sets these two pieces of legislation apart from GDPR and what’s similar. There are some key differences between the three, while the core principles remain intact. For a clearer understanding, read below:

GDPR

The European Union (EU)'s General Data Protection Regulation (GDPR) is the most comprehensive regulation created dealing with consumer's data privacy. It is inevitable that all subsequent regulations on the subject in Europe and elsewhere would draw comparisons between the GDPR and CCPA/CPRA.

Rights of Customers

To begin with, the GDPR has an incredibly expansive list of rights that all consumers have. These include the right to be informed, right to erasure, the right to restrict data processing, the right to data rectification, the right to object to data portability, right to access, and the right to know if their information is being used for any sort of profiling among several other rights.

Perhaps the biggest difference between GDPR and CCPA/CPRA is the opt-in vs. opt-out consent requirements. In other words, as per the GDPR, businesses need to have a lawful basis for processing any sort of customer data - and if the lawful basis is consent, then data subjects must opt-in to agree to the processing. On the other hand, in CCPA/CPRA, businesses are allowed to process consumer personal information for any purpose they want unless the consumer exercises their right to opt-out of having their personal information sold to or shared with third parties.

Scope

Firstly, entities covered under the GDPR include both for-profit and nonprofit entities - including government bodies - which process the personal data of data subjects within the EU. CCPA/CPRA only applies to for-profit businesses which conduct business in California and cater to at least 100,000 customers or households, have $25 million or more in gross revenues or make 50% or more of their gross revenue by sharing/selling consumers' personal information.

The GDPR covers almost all forms of personal data while the CCPA/CPRA is specific about the exclusion of certain personal information from its scope such as medical information, clinical trials information, financial information covered under the Gramm-Leach-Bliley Act, and personal information covered under the Driver's Privacy Protection Act.

Enforcement Agency

Since coming into effect across the EU in May 2018, the Information Commissioner's Office (ICO) has been the primary enforcement body. In 2019, it was announced that despite the United Kingdom's decision to leave the EU, ICO would continue to enforce GDPR laws across the UK.

Penalties

Under GDPR, non-compliance and data breaches can result in fines as high as 20 million euros or 4% of the violating company's annual global turnover - whichever amount is higher.

Under CCPA/CPRA unintentional violations can lead to administrative fines of $2500 per violation and intentional violations can lead to fines of $7500 per violation.

CCPA

The CCPA legislation was a landmark for data privacy and protection when it was passed in 2018. For consumers in California, it was the first real piece of legislation that provided them the right to privacy they merited in the 21st century.

However, in hindsight, a clear room for improvement can be seen. Especially after the CPRA was approved less than a year later.

Rights of Customers

Under CCPA, all California residents have the right to opt-out of third-party data sales, the right to be informed of data collection and rights, the right to have collected data disclosed, the right to have collected data deleted, and the right to equal services and prices without discrimination.

Scope

The CCPA only affects for-profit entities. It went to the length of describing what qualifies as a business with further expansion on that definition by the CPRA.

Furthermore, while both the GDPR and CCPA regulations require businesses to inform users when their data is being collected, sold, or disclosed, the GDPR is significantly more thorough.

The CCPA requires users to be informed how their data was used every 12-months, while the GDPR requires this to be done within one month. Additionally, the CCPA requires all third parties to inform users if they've obtained their information while the GDPR requires all of that plus the reason why their data was obtained in the first place.

Enforcement Agency

The CCPA is enforced by the California Office of the Attorney General (OAG). The Attorney General's office is responsible for prescribing appropriate fines and penalties for entities found in violation of CCPA rules.

Penalties

The CCPA only levies penalties after a breach occurs. Non-compliance does not result in any sort of fine at all. The penalties involved are as follows:

  • $2,500 for violations
  • $7,500 for intentional violations
  • $100 - $750 in damages in civil court

CPRA

The best way to describe CPRA would be that it can be considered a more comprehensive version of the CCPA. There are several key areas where it expands on the CCPA's provisions.

Rights of Customers

Under CPRA, all consumers in California have the right to limit a business's use and disclosure of sensitive information. Additionally, they maintain the right to direct the business to use such information when absolutely necessary. Other than that, all businesses have to provide a clearly visible banner on their website homepage titled “Limit the Use of My Sensitive Personal Information.” with a proper link to a page that would allow them to do so.

Scope

CPRA amended the criteria for what qualifies as a “Business”. While the CCPA described a business as an entity that buys, sells, or shares the personal information of 50,000 consumers, CPRA ups the threshold to 100,000.

Moreover, the CPRA added the term, “sharing” to the CCPA's criteria of a business deriving 50% or more of its annual revenue from selling consumers' personal information.

Other than that, the CPRA introduced an entirely new category of protected data: sensitive personal information (SPI). This provision is fairly similar to the GDPR's Article 9. As a result, consumers have a right to ask a business' website to limit the use of their sensitive personal information if they fall under CPRA regulations.

Other provisions the CPRA has adopted from the GDPR include data minimization, purpose limitation, and storage limitation. Unlike the CCPA, these provisions are codified parts of the official CPRA regulation.

Enforcement Agency

The CPRA created an entirely new authority responsible for enforcing it. The CPRA will be enforced by the California Privacy Protection Agency (CPPA), with absolute investigative and enforcement powers.

Penalties

Same penalties as prescribed by the CCPA. An additional $7,500 fine in case the consumer privacy rights of a minor are violated. Businesses can avoid the fines if they address and rectify the issues within a 30-day period after being notified by the Attorney General.

Conclusion

There are still certain aspects of the CPRA that won't come into effect until January 1, 2023. Most companies will spend 2021 and 2022 laying their infrastructural groundwork for CPRA compliance.

Seeing how their counterparts in the EU have dealt with the GDPR could be key in ensuring a smooth transition. With CPRA requiring businesses to structure their data collection in accordance with the new regulation, this is where Securiti could be just what you need.

As a leader in global privacy compliance software, Securiti harnesses the power of artificial intelligence and machine learning to provide businesses the ability to automate a significant portion of their compliance tasks. Through its AI-driven data discovery, DSR automation, documented accountability, and automation you can become CPRA compliant with a simple click of a button.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share


More Stories that May Interest You

Take a
Product Tour

See how easy it is to manage privacy compliance with robotic automation.

What's
New