As the world of data security and privacy evolves, it is important to stay abreast of the latest developments. This article will examine the key differences between the EU's General Data Protection Regulation (GDPR) and California's Consumer Privacy Rights Act (CPRA). Learn how these two privacy regulations interact with each other and how their requirements might affect your business.
The General Data Protection Regulation (GDPR) is a set of regulations that member states of the European Union must implement to protect the privacy of digital data. The regulation is also known as the EU Data Protection Regulation, Reg. No. 765/2016.
It takes the place of the Data Protection Directive (95/46/EC), which was passed in 1995 and didn't consider how technology has changed since then.
The GDPR sets out strict rules about personal data collection and how data is processed and stored by organizations operating in the EU. It gives individuals the right to know what personal data is being collected about them, the right to have that data erased, and the right to object to its use.
The regulation applies to any company that processes or intends to process the data of individuals in the EU, regardless of whether the company is based inside or outside the EU. This means that even companies based in non-EU countries must comply with GDPR if they process the data of EU citizens. An article on whom the GDPR applies to can be found here.
The GDPR came into force on May 25, 2018, and has been fully enforceable since January 1, 2019.
The California Privacy Rights Act (CPRA) is a new data privacy law passed by California’s Attorney General in 2020. It strengthens the California Consumer Privacy Act (CCPA), passed in 2018. The CPRA creates new rights for Californians and imposes new obligations on businesses.
The CPRA gives Californians the right to know what personal information is being collected about them. They also have the right to know how that information is being used and shared, and they have the right to tell businesses not to sell their personal information.
The CPRA applies to any business that collects, uses, or shares the personal information of Californians. Businesses must follow the CPRA if they make more than $25 million a year, or if they derive 50% or more of their annual income from selling personal information about Californians. For a complete checklist, check out our blog post here.
The CPRA went into effect on January 1, 2023.
The EU's General Data Protection Regulation and the California Privacy Rights Act are two of the world's most comprehensive data privacy laws. They share many similarities, but there are also some key differences. Here's a look at the key differences between GDPR and CPRA (and the CCPA):
The GDPR defines personal data as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as an identification number, online identifier, email address, or phone number, or to sensitive data relating to the physical, physiological, genetic, mental, economic, cultural, or social identity of the data subject. GDPR excludes the following sets of personal data:
The CCPA and CPRA define personal information as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, device, or household, such as name, email address, purchase records, browsing history, location, biometric data, and inferences drawn from other personal information. The CPRA expands on the personal information covered by the CCPA and, like the GDPR, covers an additional category called Sensitive Personal Information (SPI). This includes race, sexual orientation, political views, etc.
The CPRA excludes the following personal data sets from its scope:
The GDPR also aims to create a "privacy by default" legal framework for the entire EU. In contrast, the CPRA aims to increase transparency and consumer rights in California's massive data economy.
The GDPR allows EU users to choose before their data is processed. The CPRA instead opens a window for Californian consumers to see which of their data has already been collected by a business or sold to a third party.
The GDPR says that websites, companies, and businesses in the EU must have a legal basis for processing personal data, the first of which is consent. The GDPR requires organizations to offer an opt-in process for data collection, meaning most types of data cannot be collected without individual consent.
The CPRA, however, doesn't have such a framework. According to the CPRA, a business does not need a user's prior consent before any processing activity, nor does a website need a user's prior consent before selling its data to third parties.
The European Data Protection Board (EDPB) and the European Commission make sure that GDPR is followed.
The EDPB ensures that data protection law is applied equally across all EU member states. They can look into complaints and take action against businesses that they think aren't following GDPR.
The European Commission is responsible for investigating breaches of EU law, including GDPR. They can also impose fines on companies they believe have breached GDPR.
The California Attorney General's Office enforces the CPRA. They are responsible for investigating complaints and taking enforcement action against companies they believe are not complying with the CPRA.
The GDPR applies to data controllers, who decide how and why to process personal information, and, in part, to data processors, who process personal data on a controller’s behalf. A controller or processor can be any individual, public body, or business of any size. A controller may be based outside the EU if the following conditions are met:
Therefore, the GDPR applies to any company that processes the personal data of individuals in the European Union, regardless of whether those companies are based inside or outside of the EU. This means that even if a company is based in the United States, it will still need to comply with GDPR if it processes the personal data of EU residents.
The GDPR applies to the U.K. and the European Economic Area (EEA).
In contrast, the CPRA only applies to organizations that do business in California and that process the consumer data of California residents. The CPRA applies primarily to any for-profit organization that does business in California and meets one or more of the following criteria:
This means that even if a company isn't based in California, it will still have to ensure CPRA and CCPA compliance if it meets any of the above thresholds and handles the personal information of Californian citizens.
The GDPR provides the following data subject rights:
Controllers have one month to respond to a request from a data subject, but they can get an extra month if needed.
Consumers have the following rights under the CCPA:
The CPRA adds the following rights:
Under California law, businesses must answer requests within 45 days, but if they need more time, they can get another 45 days.
Data Protection Authorities (DPAs) ensure that GDPR is followed in each member state. They can issue administrative fines of:
More information about GDPR fines can be found here.
Under the CPRA, the California Attorney General can issue civil penalties for:
The CPRA establishes the California Privacy Protection Agency (CPPA), which will enforce the law alongside the California Attorney General. The CPRA also expands the enforcement of the CCPA’s provisions slightly:
As you can see, there are some key differences between GDPR and CPRA (and the CCPA). Understanding these differences is important for companies that do business in Europe and California or process the personal data of EU citizens and California residents.
These differences are important for organizations to consider when developing data privacy policies and procedures. Businesses must follow the laws in each place they do business or face fines and other penalties.