
CPRA vs. GDPR - The notable similarities and differences

Background of the CPRA

The California Privacy Rights Act (CPRA) was passed in the November 2020 ballot, as 56% of California voters favored the law. It amends and strengthens consumer data privacy rights. In addition, the CPRA imposes consumer privacy protection obligations on organizations. The new law will take effect starting January 1, 2023, and enforcement will begin six months later, on July 1, 2023.


Essential amendments introduced by the CPRA include:

  • Increase to the applicability threshold. The CPRA applies to organizations that buy, sell, or share the personal information of 100,000+ California consumers or households. Previously, under the CCPA, the threshold was 50,000.
  • Data minimization purpose limitation and storage limitation requirements on the personal information collected by organizations.
  • Obligations on organizations to undertake reasonable security measures for collected personal information.
  • The requirement of consent to be freely given, specific, and informed.
  • A ban on using dark patterns to get consent.
  • Obligation for organizations to revamp written contracts with third parties, contractors, and service providers to ensure the personal information of consumers sold/shared is provided a similar level of privacy protection as required by the CPRA.
  • There is a new definition of “sensitive personal information” and organizations’ obligations regarding its processing for non-essential purposes.
  • New restrictions on “sharing” personal information, aimed at the digital advertising industry.
  • New rights for consumers to correct inaccurate information, limit the use of their sensitive personal information, access the logic of any automated decision-making technology used by organizations (including profiling), and opt out.
  • Expansion of organizations’ privacy notices to include:
    • The categories of sensitive personal information to be collected.
    • The purposes for which the categories of sensitive personal information are collected or used.
    • Whether personal information or sensitive personal information is sold or shared and with whom it is sold/shared.
    • The retention periods for both personal information and sensitive personal information.
  • The CPRA established a new privacy authority, the California Privacy Protection Agency (CPPA), with $10 million in initial funding.
    • The CPPA can make regulations to enforce the CPRA and conduct hearings, and impose fines for violations of the law.
  • Regular Risk Assessments and Cyber-Security Audits for risky processing activities by organizations.

Background of the GDPR

In 2016, the GDPR was passed into law, and its purpose was to award rights to individuals over their personal data through a uniform standard of protection across the EU.

The GDPR’s key data protection principles are:

  • Personal data must be processed lawfully, fairly, and transparently.
  • Personal data must be processed only for specified and legitimate purposes.
  • Data collection must be limited to what is necessary for the purposes for which they are processed.
  • Data must be kept accurate.
  • Data must be stored for no longer than is necessary for the purposes.
  • Data must be protected against any unauthorized or unlawful processing.
  • Organizations are accountable and responsible for the protection of personal data.

The notable similarities between CPRA and GDPR

The CPRA mandates that organizations collect personal information only to the extent that it is relevant and limited to what is necessary for the purposes for which it is being collected, used, and shared.

vs

The GDPR mandates that organizations collect only the data that is adequate, relevant, and limited to what is necessary for the purposes for which they are processed.

Organizations that wish to use Personal Information differently than previously disclosed must notify consumers before proceeding with the data use.

vs

Organizations can process personal data only for specified, explicit, and legitimate purposes.

Organizations must not retain PI for longer than is “reasonably necessary” for each disclosed purpose. At the time of collection, they must also disclose their retention periods for each category of PI—or, if that is not possible, the criteria used to determine the retention period.

vs

Organizations cannot retain personal data for “longer than is necessary for the purposes for which the personal data are processed.” Also, personal data must be deleted once the legitimate purpose for which it was collected is fulfilled.

Inspired by the GDPR, the CPRA has introduced a new sub-category of personal information called Sensitive Personal Information (SPI). SPI defines higher-risk, sensitive information about a person that could cause significant harm to the person if it were to be made public or fall into the wrong hands. Examples of SPI under CPRA include:

  • Government-issued identifiers
  • Financial account information
  • Geolocation data
  • Religious beliefs
  • Genetic data
  • Health information, and others


Also, organizations must limit their use of sensitive personal information to only that which is necessary to perform the services or provide the goods reasonably expected by an average consumer.

The CPRA also gives consumers the right to restrict organizations from using, disclosing, or sharing their sensitive personal information for specific secondary purposes to third parties.

vs

The GDPR also defines a sub-category of personal data called Sensitive Personal Data (SPD). Similar to the CPRA, SPD describes higher-risk, sensitive information about a person that could cause significant harm to the person if it were to be made public or fall into the wrong hands. Examples of SPD under the GDPR include data revealing:

  • Racial or Ethnic origin
  • Political Opinions
  • Religious or philosophical beliefs
  • Trade Union Membership
  • Genetic Data
  • Biometric Data
  • Health data
  • Data concerning a natural person’s sex life or sexual orientation


Organizations that process consumer personal information which presents a significant risk to consumer privacy or security must perform regular risk assessments and annual Cyber-security Audits. Risk assessment and audit results must be submitted to the newly-created California Privacy Protection Agency (CPPA).

vs

Organizations that perform high-risk data processing activities must undertake a data protection impact assessment (DPIA) before such processing. High-risk data processing activities include using new technologies and the systematic and extensive evaluation of personal aspects of individuals based on automated processing, including profiling. They also include processing special categories of data on a large scale, as well as:

  • Processing personal data relating to criminal convictions and offenses on a large scale
  • Systematic monitoring of a publicly accessible area on a large scale

The notable differences between CPRA and GDPR

Effective Date: January 1, 2023.

The CPRA applies only to for-profit organizations that do business in California, collect personal information from California residents, and meet at least one of the following criteria:

  • Gross annual revenue is greater than $25 million per calendar year (January to January),
  • Buys, sells, or shares the personal information of 100,000 or more California consumers or households,
  • Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.

The CPRA also applies to joint ventures, which are defined as follows: “joint venture or partnership composed of organizations in which each organization has at least a 40 percent interest.”

vs

Effective Date: May 25, 2018.

The GDPR applies to organizations that are processing personal data in any of the following ways:

  • Processing the personal data of consumers located in the EU, where the processing activities relate to monitoring the behavior of those consumers as far as that behavior takes place within the EU (even if the organization is not established in the EU).
  • Processing the personal data of consumers who are in the EU, where the processing activities relate to offering goods or services to data subjects in the EU (even if the organization is not established in the EU).
  • Processing of personal data in the context of the activities of the establishment in the EU, regardless of whether the processing takes place in the EU or not.
  • Processing of personal data in a place where member state law applies under international law when the organization is not established in the EU.

Every organization must identify non-EU group processors or service providers that monitor, track or target EU data subjects and ensure compliance with the GDPR.

The CPRA allows consumers to request access to the PI that organizations have collected, sold, or shared about them. Consumers can request personal information collected by an organization within the preceding 12 months. Consumers can also request personal information collected earlier than that 12-month period, but the organization can deny the request if complying would require disproportionate effort or be impossible. It is also important to note that when a request reaches beyond the 12-month period, an organization is only obliged to provide PI collected on or after January 1, 2022.

Information required to be sent as part of an access request is:

  • Categories of PI collected, disclosed for a business purpose, sold, and shared about the consumer,
  • Categories of sources from which the PI is collected,
  • The business or commercial purposes for collecting, selling, or sharing the consumer’s PI,
  • The categories of third parties to whom the organization discloses, sells, or shares the PI,
  • Specific pieces of PI asked for by the consumer.

vs

Under the GDPR, data subjects have the right to obtain confirmation of whether an organization is processing personal data concerning them, to access that personal data, and to obtain a copy of it.

Information required to be sent as part of an access request is:

  • The purposes of the processing,
  • The categories of personal data concerned,
  • The recipients or categories of recipients to whom the personal data have been or will be disclosed,
  • The envisaged period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period,
  • The right to request rectification or erasure of personal data,
  • The right to restriction of processing of personal data or to object to such processing,
  • The right to lodge a complaint with a supervisory authority,
  • The source of personal data when the personal data are not collected from the data subject,
  • The existence of automated decision-making, including profiling, and the envisaged consequences of such processing for the data subject.

The CPRA prohibits selling the personal information of a person under the age of 16 without consent. Children aged 13 – 16 can provide consent. Parents must provide consent for children under 13. Specifically, the CPRA triples fines for violations involving children’s personal information under the age of 16.

vs

The GDPR requires organizations to obtain consent from the holder of parental responsibility of those under 16 before using their personal data. Member states may require a lower age in their national laws provided that such age is not below 13 years. Moreover, any information specifically addressed to a child should be in such clear and plain language that the child can easily understand.

The CPRA requires that organizations whose processing of Personal Information “presents a significant risk to consumers’ privacy or security” perform an annual cybersecurity audit.

vs

There are no Cybersecurity audit requirements under the GDPR.

The new California Privacy Protection Agency (CPPA) is given full administrative power, authority, and jurisdiction to implement and enforce the CPRA.

vs

The European Data Protection Board (EDPB) ensures uniform application of the provisions of the GDPR across the EU. The GDPR also requires every EU member state to designate a Supervisory Authority to monitor the application of the GDPR. 

Under the CPRA, organizations can be fined $2,500 per unintentional violation and up to $7,500 per intentional violation. In addition, fines for all violations related to children’s personal information under the age of 16 are $7,500 per violation if the organization had actual knowledge that the personal information belonged to a minor.

Also, organizations no longer have an automatic 30-day cure period before being fined for violations. Instead, the CPRA gives this responsibility to the CPPA, which has the discretionary power to grant a period to cure.

vs

Under the GDPR, organizations can be fined up to EUR 20 million or 4% of annual global revenue, whichever is greater. Also, EU member states may impose penalties at their discretion related to GDPR violations that are not subject to administrative fines.
