Products
By Use Cases By Roles
DataControls Cloud^TM
View
Learn more

Asset and Data Discovery

Discover Data Assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Discover & Classify Structured and Unstructured Streaming Data

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Protect data systems by discovering and automatically remediating misconfigurations

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog enterprise datasets

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
DataControls Cloud^TM
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

US California CPRA

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA

View

Thailand PDPA

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Videos

Solution and customer videos.

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Knowledge Center » Data Privacy Automation

CPRA vs. GDPR – The notable similarities and differences

By Privacy Research Team

Published on June 29, 2021

Essential amendments introduced by the CPRA include:

Increase to the applicability threshold. The CPRA applies to organizations that buy, sell, or share the Personal information of 100,000+ California consumers or households. Previously, under the CCPA, the threshold was 50,000.
Data minimization purpose limitation and storage limitation requirements on the personal information collected by organizations.
Obligations on organizations to undertake reasonable security measures for collected personal information.
The requirement of consent to be freely given, specific, and informed.
A ban on using dark patterns to get consent.
Obligation for organizations to revamp written contracts with third parties, contractors, and service providers to ensure the personal information of consumers sold/shared is provided a similar level of privacy protection as required by the CPRA.
There is a new definition of “sensitive personal information” and organizations’ obligations regarding its processing for non-essential purposes.
New restrictions on “sharing” personal information, aimed at the digital advertising industry.
New rights for consumers to correct inaccurate information limit the use of their sensitive personal information, access the logic of any automated decision-making technology used by organizations (including profiling), and opt-out.
Expansion of their privacy notices to include:
- The categories of sensitive personal information to be collected.
- The purposes for which the categories of sensitive personal information are collected or used.
- Whether personal information or sensitive personal information is sold or shared and with whom it is sold/shared.
- The retention periods for both personal information and sensitive personal information.
The CPRA established a new privacy authority, the California Privacy Protection Agency (CPPA), with $10 million in initial funding.
- The CPPA can make regulations to enforce the CPRA and conduct hearings, and impose fines for violations of the law.
Regular Risk Assessments and Cyber-Security Audits for risky processing activities by organizations.

Background of the GDPR

In 2016, the GDPR was passed into law, and its purpose was to award rights to individuals over their personal data through a uniform standard of protection across the EU.

The GDPR’s key data protection principles are:

Personal data must be processed lawfully, fairly, and transparently.
Personal data must be processed only for specified and legitimate purposes.
Data collection must be limited to what is necessary for the purposes for which they are processed.
Data must be kept accurate.
Data must be stored for no longer than is necessary for the purposes.
Data must be protected against any unauthorized or unlawful processing.
Organizations are accountable and responsible for the protection of personal data.

The notable similarities between CPRA and GDPR

The CPRA mandates that organizations collect personal information only to the extent that it is relevant and limited to what is necessary to the purposes it is being collected, used, and shared.

The GDPR mandates that organizations collect only the data that is adequate, relevant, and limited to what is necessary for the purposes for which they are processed.

Organizations that wish to use Personal Information differently than previously disclosed must notify consumers before proceeding with the data use.

Organizations can process personal data only for specified, explicit, and legitimate purposes.

Organizations must not retain PI for longer than is “reasonably necessary” for each disclosed purpose. At the time of collection, they must also disclose their retention periods for each category of PI—or, if that is not possible, the criteria used to determine the retention period.

Organizations cannot retain personal data for “longer than is necessary for the purposes for which the personal data are processed.” Also, personal data must be deleted once the legitimate purpose for which it was collected is fulfilled.

Inspired by the GDPR, the CPRA has introduced a new sub-category of personal information called Sensitive Personal Information (SPI). SPI defines higher-risk, sensitive information about a person that could cause significant harm to the person if it were to be made public or fall into the wrong hands. Examples of SPI under CPRA include:

Government-issued identifiers
Financial account information
Geolocation data
Religious beliefs
Genetic data
Health information, and others

To learn more about CPRA, click here.

Also, organizations must limit their use of sensitive personal information to only that which is necessary to perform the services or provide the goods reasonably expected by an average consumer.

The CPRA also gives consumers the right to restrict organizations from using, disclosing, or sharing their sensitive personal information for specific secondary purposes to third parties.

The GDPR also defines a sub-category of personal data called Sensitive Personal Data (SPD). Similar to the CPRA, SPD describes higher-risk, sensitive information about a person that could cause significant harm to the person if it were to be made public or fall into the wrong hands. Examples of SPD under the GDPR include data revealing:

Racial or Ethnic origin
Political Opinions
Religious or philosophical beliefs
Trade Union Membership
Genetic Data
Biometric Data
Health data
Data concerning a natural person’s sex life or sexual orientation

Learn the key details of the GDPR in our knowledge center article: What is GDPR?

Organizations that process consumer personal information which presents a significant risk to consumer privacy or security must perform regular risk assessments and annual Cyber-security Audits. Risk assessment and audit results must be submitted to the newly-created California Privacy Protection Agency (CPPA).

Organizations that perform high-risk data processing activities must undertake data protection impact assessment (DPIA) before such processing. High-risk data processing activities include using new technologies and systematic/extensive evaluation of personal aspects of individuals. These evaluations are based on automated processing, including processing special categories of data on a large scale to create individual profiles. These special categories include personal data relating to:

Criminal convictions and offenses
Public area systematic monitoring on a large scale

Effective Date: January 1, 2023.

The CPRA applies only to for-profit organizations that conduct organization in California and collect personal information from California residents and meet at least one of the following criteria:

Gross annual revenue is greater than $25 million (January to January),
Buys, sells, or shares the personal information of 100,000 or more California consumers or households,
Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.

The CPRA also applies to joint ventures, which are defined as follows: “joint venture or partnership composed of organizations in which each organization has at least a 40 percent interest.”

Effective Date: May 25, 2018.

The GDPR applies to organizations that are processing personal data in any of the following ways:

Processing personal data of consumers located in the EU and the processing activities are related to monitoring the behavior of consumers. However, this behavior must be within the EU (even if the organization is not established in the EU).
Processing of personal data of consumers who are in the EU and the processing. activities are related to offering goods or services to data subjects in the EU (even if the organization is not established in the EU).
Processing of personal data in the context of the activities of the establishment in the EU, regardless of whether the processing takes place in the EU or not.
Processing of personal data in a place where member state law applies under international law when the organization is not established in the EU.

Every organization must identify non-EU group processors or service providers that monitor, track or target EU data subjects and ensure compliance with the GDPR.

The CPRA allows consumers to make requests to access their PI, which is collected, sold, and covered by organizations. Consumers can request personal information collected by an organization for up to 12 months. While consumers’ can request personal information collected from before the 12 months, if the request requires disproportionate effort or is impossible to do so for the organization, the request can be denied. It is also important to note that if the request requires access to personal information collected beyond the 12 months, an organization is only liable to provide the PI collected after January 1, 2022.

Information required to be sent as part of an access request is:

Categories of PI collected, disclosed for an organization purpose, sold, and shared about the consumer.
Categories of sources from where the PI is collected,
The organization or commercial purposes for collecting, selling, or sharing the consumer’s PI,
The categories of third parties with whom the organization discloses, sells, or shares the PI,
Specific pieces of PI asked for by the consumer.

Under the GDPR, data subjects have the right to confirm the processing of personal data held by the organization concerning them and access to the personal data and obtain a copy.

Information required to be sent as part of an access request is:

The purposes of the processing,
The categories of personal data concerned,
The recipients or categories of recipients to whom the personal data have been or will be disclosed,
The envisaged period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period,
The right to request rectification or erasure of personal data,
The right to restriction of processing of personal data or to object to such processing,
The right to lodge a complaint with a supervisory authority,
The source of personal data when the personal data are not collected from the data subject,
The existence of automated decision-making, including profiling, Activities, and the conceived consequences of such processing for the data subject.

The CPRA prohibits selling the personal information of a person under the age of 16 without consent. Children aged 13 – 16 can provide consent. Parents must provide consent for children under 13. Specifically, the CPRA triples fines for violations involving children’s personal information under the age of 16.

The GDPR requires organizations to obtain consent from the holder of parental responsibility of those under 16 before using their personal data. Member states may require a lower age in their national laws provided that such age is not below 13 years. Moreover, any information specifically addressed to a child should be in such clear and plain language that the child can easily understand.

The CPRA requires that organizations whose processing of Personal Information “presents a significant risk to consumers’ privacy or security” perform an annual cybersecurity audit.

There are no Cybersecurity audit requirements under the GDPR.

New California Privacy Protection Agency (CPPA) is given full administrative power, authority, and jurisdiction to implement and enforce CPRA.

The European Data Protection Board (EDPB) ensures uniform application of the provisions of the GDPR across the EU. The GDPR also requires every EU member state to designate a Supervisory Authority to monitor the application of the GDPR.

Under the CPRA, organizations can be fined $2,500 per unintentional violation and up to $7,500 per intentional violation. In addition, fines for all violations related to children’s personal information under the age of 16 are $7,500 per violation if the organization had actual knowledge that the personal information belonged to a minor.

Also, organizations do not have the 30-day cure period before being fined for violations. Instead, the CPRA gives this responsibility to the CPPA agency, which has the discretionary power to provide a period to cure.

Under the GDPR, organizations can be fined up to EUR 20 million or 4% of annual global revenue, whichever is greater. Also, EU member states may impose penalties at their discretion related to GDPR violations that are not subject to administrative fines.

Take a
Product Tour

See how easy it is to manage privacy compliance with robotic automation.

Watch a demo

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.