November 11, 2022

CPRA vs GDPR

Does your business operate in both Europe and the United States? If so, you need to know how to follow the CPRA and GDPR. In this article, we'll talk about the differences between the GDPR and the CPRA.

Let's say you do business in both Europe and the U.S. In that case, you need to follow the General Data Protection Regulation (GDPR) of the European Union, the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and a few other data privacy laws and their amendments in the United States.

Multinational businesses know how hard it is to follow international laws, and privacy regulations are no different. Even though most countries and regions around the world have laws that are similar to the GDPR, federal and state laws in the US are still different.

Because of this, you need to know how to follow the CPRA and GDPR. In this article, we'll talk about the differences between the GDPR and the CPRA. This will help you understand what you need to watch out for if you want to comply with the regulations in both regions.

Differences and Similarities Between the Data Privacy Laws: the GDPR vs. the CPRA (and CCPA)

We'll look at the differences between GDPR and CPRA in the following sections:

  • Who must comply with the law?
  • What is personal data?
  • Basic principles
  • Opt-in vs. opt-out
  • Privacy policy requirements
  • The rules on cookies
  • The rules on direct marketing
  • Honoring data subject/consumer rights requests
  • Contracts with third-party data processors
  • Sharing of personal data with third parties
  • Transferring personal information abroad
  • Data breach reporting and prevention
  • Enforcement of the law

Who Must Comply with the Law?

GDPR applies to businesses from any of the EU member states and to any non-EU business that processes the personal data of EU residents. Find out if the GDPR affects your business.

CPRA is based on the same territorial principle, which applies to businesses that are based in California or have customers in California. But there are two things to keep in mind: it applies only to for-profit businesses that meet at least one of the following thresholds:

  • Have a gross annual revenue of at least $25 Million,
  • At least 50% of the annual gross revenue is derived from selling or sharing consumers’ personal information, or
  • Buys, sells or shares with third parties the personal information of at least 100.000 California residents or households.

Because of this, not every business has to follow the CPRA. But a lot of people could easily get around the CPRA by sharing the personal information of 100,000 customers, which is not hard to do. For example, say you get 100,000 unique visitors from California every year and use Google Analytics to track how they use your site. In that case, this is how you give Google access to their personal information.

What Is Personal Data?

GDPR says that personal data is any information that could be used to directly or indirectly find out who a person is. The person has to be alive, so personal information about a dead person is not personal data. Also, the GDPR doesn't protect personal information that is available to the public.

The definition of the CPRA, aside from the information that could identify a person, directly or indirectly, also covers households. The information that could identify a household is consumer data, too.

CPRA goes further and lists the categories of personal information covered by the law, such as geolocation, biometric data, browsing history, education information, and other data.

GDPR v. CPRA Basic Principles

Both laws are based on basic principles about how businesses should handle data protection.

The GDPR is based on these principles:

  • Lawfulness, transparency, and fairness
  • Data minimization
  • Purpose limitation
  • Data accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Section 1780.100 of the CPRA tells businesses that handle personal information what they have to do. These responsibilities come from:

  • Data minimization
  • Purpose limitation
  • Storage limitation
  • Accountability
  • Transparency
  • Data accuracy
  • Data security

The lawfulness principle is the only big difference between the two laws. The CPRA doesn't require that the processing be legal because you don't need a legal reason to process personal information. This brings us to the next difference: the principles of opt-in and opt-out.

Opt-In v. Opt-Out

GDPR is based on the "opt-in" principle, which says that you can only use users' data if they agree to it.

The CPRA is based on the "opt-out" principle, which says that you can freely collect and use data until the consumer opts out.

Both laws follow the principles of "opt-in" and "opt-out".

GDPR v. CPRA Privacy Policy Requirements

Your GDPR privacy policy is important if you want to meet the requirement for transparency and get valid consent for cookies. In short, you need to tell users information about your data collection practices, why and how you do it, and who you share it with. You must also tell them how long you keep data (data retention period) and how to make a data subject request. Having these important parts in your GDPR privacy notice will make it legal.

On the other hand, if you do business in California or sell to California residents, you need a privacy policy that meets the requirements of the CPRA, the CCPA, and the CalOPPA. Most of the requirements are the same, but you still need to have them all when making your privacy notice.

At the very least, you should be clear about what categories of personal data you process, why you do it, how long you keep it, and who you share it with. If you sell personal information or offer incentives for people to share information with you, you need to tell people about it and tell them how to stop it.

Read more about CPRA requirements.

GDPR v. CPRA Rules on Cookies

The comparison of "opt-in" and "opt-out" should give you an idea of how cookie rules differ between the two privacy laws.

GDPR says that you have to get permission to use cookies. Without clear permission, it is against the law to process the information. Also, consent must be given voluntarily, be clear, specific, and informed. Here, you can learn more about the rules.

CPRA lets you use cookies without having to ask anyone. All you have to do is show the user a notice about how information will be collected. When you give them the notice, which has a link to the privacy policy, you can use their information for the reasons listed in the privacy notice. So, you need a cookie banner that complies with the CPRA. This will make it easy for you to handle personal information in a legal way.

GDPR v. CPRA Rules on Direct Marketing

The idea that the GDPR bans direct marketing is a myth. It is okay because it is in the business's best interest. But you need to do a balancing test to make sure that your business needs are more important than people's privacy rights.

The GDPR says that legitimate interest can be used as a basis for direct marketing in many situations.

Concerning the CPRA, you can contact prospects until they tell you to stop. You need to pay attention to the CAN-SPAM Act and what it says.

Data Subject Rights v. Consumer Rights Requests

Both data protection laws grant users rights. GDPR calls them data subjects and allows them to exercise the right to know, access, portability, rectification, erasure, learn, and not to be subject to automated decision-making and profiling.

CPRA grants consumers similar rights. Some overlap, such as the right to erasure, to know, and others.

CPRA differs from the GDPR by granting consumers the right to limit the sharing of their sensitive personal information and opt out of selling personal information. That doesn’t exist in the GDPR but arises from the nature of the laws in the US states.

Using Third-Party Processors

GDPR holds data controllers liable for the violations of the data processors about their data. For example, if your email marketing automation provider breaches the GDPR, you are responsible for the violation to your customers. Data processors have status as if they were part of the data controller.

In the US, they process data differently. Service providers used to use the provided data for their purposes, but now CPRA has ended that.

Businesses must require service providers to protect the personal information they’ve been sold or shared with and to specify that the personal information is sold or shared only for limited purposes.

Sharing Personal Data with Third Parties

CPRA grants consumers the right to either limit their sensitive personal information processing or to opt out of the sharing entirely by using the “Do Not Sell My Personal Info” functionality.

CPRA, unlike the CCPA, expands the definition of the sale of personal information to sharing the data with service providers.

GDPR allows sharing personal data with third parties only if you have a legal basis for doing so. In many cases, this means consent for collecting and processing the data.

Suppose the data subject is not happy with anything related to the processing of their data by the data processors. In that case, they can object to the processing of a specific data processor.

Transferring Personal Data Abroad

CPRA doesn’t care about international data transfers. Data protection rules in the United States are not as strict as in Europe. However, you have to be careful not to send your data to data centers in an unsafe country where data breaches are likely due to inadequate legislation or data security measures.

GDPR is the world’s most advanced data protection law and aims to protect data at all times. This includes transfers to third countries. Transfers within the EU and to adequate countries are free, but sending data to third countries requires precautions and a legal basis.

Data Breach Reporting and Prevention

As data breaches become more common worldwide, privacy legislation requires businesses to take good care of their data security practices.

GDPR and CPRA contain provisions requiring businesses to take a proactive approach to data security. Businesses have to take adequate technical and organizational measures to prevent breaches.

CPRA also obliges you to conduct regular risk assessments and cybersecurity audits if you process sensitive personal data. GDPR requires you to conduct Data Protection Impact Assessment (DPIA) to determine the risks and act accordingly.

In addition, it is helpful to have a data breach response plan in place. Data breaches happen to everyone, so you better be prepared.

Enforcement of the Law and Penalties

Both the GDPR and CPRA establish data protection agencies to enforce the law in the case of non-compliance. In California, that’s the California Privacy Protection Agency (CPPA). In the EU, each member state establishes its own data supervisory authority. They investigate the violations and impose administrative fines on violators.

GDPR fines are capped at either 4% of the annual revenue or EUR 20 Million - whichever is greater.

CPRA fines are capped at $2500 for unintentional violations and $7500 for intentional abuses or violations of the rights of minors. Both caps are per violation, and the violation of the rights of one consumer means one violation. If the data of 100 consumers have been affected, the administrative fine should be $2500 x 100, which means the cap at $250.000.

The proceeds from the CPRA fines go to the Consumer Privacy Fund, which covers the costs incurred by the CPPA and the California Attorney General regarding investigations.

Conclusion

Even though the CPRA is a step toward the GDPR's privacy rules, it is still a very specific law. They have some things in common, but the differences make it hard to follow both laws at the same time. Each of them has its own set of rules that you have to follow.