Understanding the Key Differences Between GDPR And CPRA

As the world of data security and privacy evolves, it is important to stay abreast of the latest developments. This article will examine the key differences between the EU's General Data Protection Regulation (GDPR) and California's Consumer Privacy Rights Act (CPRA). Learn how these two privacy regulations interact with each other and how their requirements might affect your business.

What is GDPR?

The General Data Protection Regulation (GDPR) is a set of regulations that member states of the European Union must implement to protect the privacy of digital data. The regulation is also known as the EU Data Protection Regulation, Reg. No. 765/2016.

It takes the place of the Data Protection Directive (95/46/EC), which was passed in 1995 and didn't consider how technology has changed since then.

The GDPR sets out strict rules about personal data collection and how data is processed and stored by organizations operating in the EU. It gives individuals the right to know what personal data is being collected about them, the right to have that data erased, and the right to object to its use.

The regulation applies to any company that processes or intends to process the data of individuals in the EU, regardless of whether the company is based inside or outside the EU. This means that even companies based in non-EU countries will have to comply with GDPR if they process the data of EU citizens. An article on who the GDPR applies can be found here.

The GDPR came into force on May 25, 2018, and has been fully enforceable since January 1, 2019.

What is CPRA?

The California Privacy Rights Act (CPRA) is a new data privacy law passed by California’s Attorney General in 2020. It strengthens the California Consumer Privacy Act (CCPA), passed in 2018. The CPRA creates new rights for Californians and imposes new obligations on businesses.

The CPRA gives Californians the right to know what personal information is being collected about them. They also have the right to know how that information is being used and shared, and they have the right to tell businesses not to sell their personal information.

The CPRA applies to any business that collects, uses, or shares the personal information of Californians. Businesses must follow the CPRA if they make more than $25 million a year, or 50% or more of their annual income, from selling personal information about Californians. For a complete checklist, check out our blog post here.

The CPRA went into effect on January 1, 2023.

Key Differences Between GDPR and CPRA

The EU's General Data Protection Regulation and the California Privacy Rights Act are two of the world's most comprehensive data privacy laws. They share many similarities, but there are also some key differences. Here's a look at the key differences between GDPR and CPRA:

• Personal data: Both laws have a nearly similar definition of personal data. However, the information covered by CPRA is broader than GDPR.
• Framework: GDPR relies on legal bases for personal data processing, while the CPRA relies on opt-out consent.
• Enforcement: GDPR is enforced by the European Commission, while the California Attorney General enforces CPRA.
• Geographical scope and applicability: The GDPR applies to all companies processing the personal data of EU citizens, regardless of where the company is based. CPRA only applies to companies that do business in California or process the personal data of California residents.
• Rights of individuals: GDPR gives individuals the right to access their personal data, the right to have their personal data erased, and the right to object to processing personal data. CPRA gives individuals the right to know what personal information is being collected about them, to delete their personal information, and to opt out of having their personal information sold.
• Penalties: GDPR imposes fines of up to 4% of a company's global annual revenue or €20 million (whichever is greater), while the CPRA imposes fines of up to $7,500 per violation.
  

Personal data

The GDPR defines personal data as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person can be identified, directly or indirectly, such as the identification number, online identifier, email address, phone number, or sensitive type of data related to the physical, physiological, genetic, mental, economic, cultural, or social identity of the data subject. GDPR excludes the following sets of personal data:

• Data related to deceased persons,
• Data processed through non-automated means,
• anonymous data, and
• data processed for personal or houseful purposes.

The CCPA and CPRA define personal information as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, device, or household, such as name, email address, purchase records, browsing history, location, biometric data, and inferences from other personal information. CPRA expands on the personal information covered by CCPA and covers additional types of personal information called Sensitive Personal Information (SPI)—like GDPR. This includes race, sexual orientation, political views, etc.

The CPRA excludes the following personal data sets from its scope:

• medical information protected under CMIA or HIPPA,
• information collected for clinical trials,
• sale of information to or from consumer reporting agencies;
• personal information under the Gramm-Leach-Bliley Act,
• information covered by California’s Driver’s Privacy Protection Act and
• any publicly available information from federal, state, or local government records.
  

Framework

The GDPR also aims to create a "privacy by default" legal framework for the entire EU. In contrast, the CPRA aims to increase transparency and consumer rights in California's massive data economy.

The GDPR allows EU users to close before their data is processed. The CPRA opens a window for Californian consumers to see what of their data has already been collected by a business or sold to a third party.

The GDPR says that websites, companies, and businesses in the EU have to have a legal reason for processing personal data, and the first one is consent. The GDPR requires organizations to offer an opt-in process for data collection, meaning most types of data cannot be collected without individual consent.

The CPRA, however, doesn't have such a framework. According to the CPRA, a business does not need a user's prior consent before any processing activity, nor does a website need a user's prior consent before selling its data to third parties.

Enforcement

The European Data Protection Board (EDPB) and the European Commission make sure that GDPR is followed.

The EDPB ensures that data protection law is applied equally across all EU member states. They can look into complaints and take action against businesses that they think aren't following GDPR.

The European Commission is responsible for investigating breaches of EU law, including GDPR. They can also impose fines on companies they believe have breached GDPR.

The California Attorney General's Office enforces the CPRA. They are responsible for investigating complaints and taking enforcement action against companies they believe are not complying with the CPRA.

Geographical scope and applicability

The GDPR applies to data controllers, who decide how and why to process personal information, and, in part, to data processors, who process personal data on a controller’s behalf. A controller or processor can be any individual, public body, or business of any size. A controller may be based outside the EU if the following conditions are met:

• Is established in the EU, or
• Offers goods and services in the EU, or
• Monitors the behavior of people in the EU.

Therefore, the GDPR applies to any company that processes the personal data of individuals in the European Union, regardless of whether those companies are based inside or outside of the EU. This means that even if a company is based in the United States, it will still need to comply with GDPR if it processes the personal data of EU residents.

The GDPR applies to the U.K. and the European Economic Area (EEA).

In contrast, the CPRA only applies to organizations that do business in California and that process the consumer data of California residents. The CPRA applies primarily to any for-profit organization that does business in California and fulfills one or more of the following characteristics:

• Has annual gross revenues in excess of $25 million;
• Derives 50% or more of its annual revenues from selling consumers’ personal information; or
• Has access to the personal information of 50,000 or more consumers, households, or devices.

This means that even if a company isn't based in California, it will still have to ensure CPRA and CCPA compliance if it meets any of the above thresholds and handles the personal information of Californian citizens.

Rights of Individuals

The GDPR provides the following data subject rights:

• The right to be informed
• The right to access personal data
• The right to rectification
• The right to deletion and erasure
• The right to restrict personal data processing
• The right to data portability
• The right to object to personal data processing
• The right to object automated data processing for decision-making and profiling

Controllers have one month to respond to a request from a data subject, but they can get an extra month if needed.

Consumers have the following rights under the CCPA:

• The right to know about and access personal information
• The right to delete personal information if collected from consumers
• The right to opt out of the sale of personal information
• The right to non-discrimination for exercising the CCPA rights

The CPRA adds the following rights:

• The right to know about and opt out of automated decision-making
• The right to correct personal information
• The right to limit the disclosure of sensitive personal information
• The right to opt out of the sharing and selling of sensitive personal information

Under California law, businesses must answer requests within 45 days, but if they need more time, they can get another 45 days.

Penalties

Data Protection Authorities (DPAs) ensure that GDPR is followed in each member state. They can issue administrative fines of:

• For less serious offenses, the fine could be up to €10 million or 2% of the total worldwide sales, whichever is higher.
• For more serious offenses, the fine could be up to €20 million or 4% of the total worldwide sales, whichever is higher.
• Individuals, groups, and non-profit organizations can also bring private legal claims if they have suffered losses due to a GDPR violation.

More information about GDPR fines can be found here.

Under the CPRA, the California Attorney General can issue civil penalties for:

• Up to $7,500 per intentional violation
• Up to $2,500 per unintentional violation
• Consumers can also bring private legal claims for data breaches, which can result in:
• Actual damages covering any losses
• Statutory damages of between $100 and $750 per consumer per incident of non-compliance

The CPRA establishes the California Privacy Protection Agency (CPPA), which will enforce the law alongside the California Attorney-General. The CPRA also expands the enforcement of the CCPA’s provisions slightly:

• Violations involving children’s personal information under 16 are always considered "intentional."
• The definition of a "data breach" is broadened slightly.
  

Final Thoughts

As you can see, there are some key differences between GDPR and CPRA. Understanding these differences is important for companies that do business in Europe and California or process the personal data of EU citizens and California residents.

These differences are important for organizations to consider when developing data privacy policies and procedures. Businesses must follow the laws in each place they do business or face fines and other penalties.