CPRA vs CCPA vs GDPR: Key Changes & Differences

Products
By Use Cases By Roles
DataControls Cloud^TM
View
Learn more

Asset and Data Discovery

Discover Data Assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Discover & Classify Structured and Unstructured Streaming Data

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Protect data systems by discovering and automatically remediating misconfigurations

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog enterprise datasets

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
DataControls Cloud^TM
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Managment

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

CCPA

View

CPRA

View

GDPR

View

Brazil’s LGPD

View

Thailand’s PDPA

View

China PIPL

View

PIPEDA

View

PDPA

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Videos

Solution and customer videos.

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

When the European Union passed the General Data Protection Regulation (GDPR), it heralded a new age for data protection and privacy. Legislators across the world knew it was only a matter of time before their citizens started demanding something similar in scope and effectiveness. That is primarily the sentiment that led to first the California Consumer Privacy Act (CCPA) and then the California Privacy Rights Act (CPRA).

With nearly a year having passed since CPRA and two since CCPA, most consumers still don’t understand what sets these two pieces of legislation apart from GDPR and what’s similar. There are some key differences between the three, while the core principles remain intact. For a clearer understanding, read below:

GDPR The European Union (EU)'s General Data Protection Regulation (GDPR) is the most comprehensive regulation created dealing with consumer's data privacy. It is inevitable that all subsequent regulations on the subject in Europe and elsewhere would draw comparisons between the GDPR and CCPA/CPRA.
Rights of Customers	To begin with, the GDPR has an incredibly expansive list of rights that all consumers have. These include the right to be informed, right to erasure, the right to restrict data processing, the right to data rectification, the right to object to data portability, right to access, and the right to know if their information is being used for any sort of profiling among several other rights. Perhaps the biggest difference between GDPR and CCPA/CPRA is the opt-in vs. opt-out consent requirements. In other words, as per the GDPR, businesses need to have a lawful basis for processing any sort of customer data - and if the lawful basis is consent, then data subjects must opt-in to agree to the processing. On the other hand, in CCPA/CPRA, businesses are allowed to process consumer personal information for any purpose they want unless the consumer exercises their right to opt-out of having their personal information sold to or shared with third parties.
Scope	Firstly, entities covered under the GDPR include both for-profit and nonprofit entities - including government bodies - which process the personal data of data subjects within the EU. CCPA/CPRA only applies to for-profit businesses which conduct business in California and cater to at least 100,000 customers or households, have $25 million or more in gross revenues or make 50% or more of their gross revenue by sharing/selling consumers' personal information. The GDPR covers almost all forms of personal data while the CCPA/CPRA is specific about the exclusion of certain personal information from its scope such as medical information, clinical trials information, financial information covered under the Gramm-Leach-Bliley Act, and personal information covered under the Driver's Privacy Protection Act.
Enforcement Agency	Since coming into effect across the EU in May 2018, the Information Commissioner's Office (ICO) has been the primary enforcement body. In 2019, it was announced that despite the United Kingdom's decision to leave the EU, ICO would continue to enforce GDPR laws across the UK.
Penalties	Under GDPR, non-compliance and data breaches can result in fines as high as 20 million euros or 4% of the violating company's annual global turnover - whichever amount is higher. Under CCPA/CPRA unintentional violations can lead to administrative fines of $2500 per violation and intentional violations can lead to fines of $7500 per violation.

CCPA The CCPA legislation was a landmark for data privacy and protection when it was passed in 2018. For consumers in California, it was the first real piece of legislation that provided them the right to privacy they merited in the 21st century. However, in hindsight, a clear room for improvement can be seen. Especially after the CPRA was approved less than a year later.
Rights of Customers	Under CCPA, all California residents have the right to opt-out of third-party data sales, the right to be informed of data collection and rights, the right to have collected data disclosed, the right to have collected data deleted, and the right to equal services and prices without discrimination.
Scope	The CCPA only affects for-profit entities. It went to the length of describing what qualifies as a business with further expansion on that definition by the CPRA. Furthermore, while both the GDPR and CCPA regulations require businesses to inform users when their data is being collected, sold, or disclosed, the GDPR is significantly more thorough. The CCPA requires users to be informed how their data was used every 12-months, while the GDPR requires this to be done within one month. Additionally, the CCPA requires all third parties to inform users if they've obtained their information while the GDPR requires all of that plus the reason why their data was obtained in the first place.
Enforcement Agency	The CCPA is enforced by the California Office of the Attorney General (OAG). The Attorney General's office is responsible for prescribing appropriate fines and penalties for entities found in violation of CCPA rules.
Penalties	The CCPA only levies penalties after a breach occurs. Non-compliance does not result in any sort of fine at all. The penalties involved are as follows: $2,500 for violations $7,500 for intentional violations $100 - $750 in damages in civil court

CPRA The best way to describe CPRA would be that it can be considered a more comprehensive version of the CCPA. There are several key areas where it expands on the CCPA's provisions.
Rights of Customers	Under CPRA, all consumers in California have the right to limit a business's use and disclosure of sensitive information. Additionally, they maintain the right to direct the business to use such information when absolutely necessary. Other than that, all businesses have to provide a clearly visible banner on their website homepage titled “Limit the Use of My Sensitive Personal Information.” with a proper link to a page that would allow them to do so.
Scope	CPRA amended the criteria for what qualifies as a “Business”. While the CCPA described a business as an entity that buys, sells, or shares the personal information of 50,000 consumers, CPRA ups the threshold to 100,000. Moreover, the CPRA added the term, “sharing” to the CCPA's criteria of a business deriving 50% or more of its annual revenue from selling consumers' personal information. Other than that, the CPRA introduced an entirely new category of protected data: sensitive personal information (SPI). This provision is fairly similar to the GDPR's Article 9. As a result, consumers have a right to ask a business' website to limit the use of their sensitive personal information if they fall under CPRA regulations. Other provisions the CPRA has adopted from the GDPR include data minimization, purpose limitation, and storage limitation. Unlike the CCPA, these provisions are codified parts of the official CPRA regulation.
Enforcement Agency	The CPRA created an entirely new authority responsible for enforcing it. The CPRA will be enforced by the California Privacy Protection Agency (CPPA), with absolute investigative and enforcement powers.
Penalties	Same penalties as prescribed by the CCPA. An additional $7,500 fine in case the consumer privacy rights of a minor are violated. Businesses can avoid the fines if they address and rectify the issues within a 30-day period after being notified by the Attorney General.

Conclusion

There are still certain aspects of the CPRA that won't come into effect until January 1, 2023. Most companies will spend 2021 and 2022 laying their infrastructural groundwork for CPRA compliance.

Seeing how their counterparts in the EU have dealt with the GDPR could be key in ensuring a smooth transition. With CPRA requiring businesses to structure their data collection in accordance with the new regulation, this is where Securiti could be just what you need.

As a leader in global privacy compliance software, Securiti harnesses the power of artificial intelligence and machine learning to provide businesses the ability to automate a significant portion of their compliance tasks. Through its AI-driven data discovery, DSR automation, documented accountability, and automation you can become CPRA compliant with a simple click of a button.

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.