Understanding the Key DifferencesBetween GDPR And CPRA
As the world of data security and privacy evolves, it is important to stay abreast of the latest developments. This article will examine the key differences between the EU's General Data Protection Regulation (GDPR) and California's Consumer Privacy Rights Act (CPRA). Learn how these two privacy regulations interact with each other and how their requirements might affect your business.
, which represents Africa's leading data protection legislation.
What is GDPR?
The General Data Protection Regulation (GDPR) is a set of regulations that member states of the European Union must implement to protect the privacy of digital data. The regulation is also known as the EU Data Protection Regulation, Reg. No. 765/2016.
It takes the place of the Data Protection Directive (95/46/EC), which was passed in 1995 and didn't consider how technology has changed since then.
The GDPR sets out strict rules about personal data collection and how data is processed and stored by organizations operating in the EU. It gives individuals the right to know what personal data is being collected about them, the right to have that data erased, and the right to object to its use.
The regulation applies to any company that processes or intends to process the data of individuals in the EU, regardless of whether the company is based inside or outside the EU. This means that even companies based in non-EU countries will have to comply with GDPR if they process the data of EU citizens. An article on who the GDPR applies can be found here.
The GDPR came into force on May 25, 2018, and has been fully enforceable since January 1, 2019.
The CPRA gives Californians the right to know what personal information is being collected about them. They also have the right to know how that information is being used and shared, and they have the right to tell businesses not to sell their personal information.
The CPRA applies to any business that collects, uses, or shares the personal information of Californians. Businesses must follow the CPRA if they make more than $25 million a year, or 50% or more of their annual income, from selling personal information about Californians. For a complete checklist, check out our blog post here.
The CPRA went into effect on January 1, 2023.
Key Differences Between GDPR and CPRA
The EU's General Data Protection Regulation and the California Privacy Rights Act are two of the world's most comprehensive data privacy laws. They share many similarities, but there are also some key differences. Here's a look at the key differences between GDPR and CPRA (and the CCPA):
Personal data: Both laws have a nearly similar definition of personal data. However, the information covered by CPRA is broader than GDPR.
Framework: GDPR relies on legal bases for personal data processing, while the CPRA relies on opt-out consent.
Enforcement: GDPR is enforced by the European Commission, while the California Attorney General enforces CPRA.
Geographical scope and applicability: The GDPR applies to all companies processing the personal data of EU citizens, regardless of where the company is based. CPRA only applies to companies that do business in California or process the personal data of California residents.
Rights of individuals: GDPR gives individuals the right to access their personal data, the right to have their personal data erased, and the right to object to processing personal data. CPRA gives individuals the right to know what personal information is being collected about them, to delete their personal information, and to opt out of having their personal information sold.
Penalties: GDPR imposes fines of up to 4% of a company's global annual revenue or €20 million (whichever is greater), while the CPRA imposes fines of up to $7,500 per violation.
Personal data
The GDPR defines personal data as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person can be identified, directly or indirectly, such as the identification number, online identifier, email address, phone number, or sensitive type of data related to the physical, physiological, genetic, mental, economic, cultural, or social identity of the data subject. GDPR excludes the following sets of personal data:
Data related to deceased persons,
Data processed through non-automated means,
anonymous data, and
data processed for personal or houseful purposes.
The CCPA and CPRA define personal information as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, device, or household, such as name, email address, purchase records, browsing history, location, biometric data, and inferences from other personal information. CPRA expands on the personal information covered by CCPA and covers additional types of personal information called Sensitive Personal Information (SPI)—like GDPR. This includes race, sexual orientation, political views, etc.
The CPRA excludes the following personal data sets from its scope:
medical information protected under CMIA or HIPPA,
information collected for clinical trials,
sale of information to or from consumer reporting agencies;
personal information under the Gramm-Leach-Bliley Act,
information covered by California’s Driver’s Privacy Protection Act and
any publicly available information from federal, state, or local government records.
Framework
The GDPR also aims to create a "privacy by default" legal framework for the entire EU. In contrast, the CPRA aims to increase transparency and consumer rights in California's massive data economy.
The GDPR allows EU users to close before their data is processed. The CPRA opens a window for Californian consumers to see what of their data has already been collected by a business or sold to a third party.
The GDPR says that websites, companies, and businesses in the EU have to have a legal reason for processing personal data, and the first one is consent. The GDPR requires organizations to offer an opt-in process for data collection, meaning most types of data cannot be collected without individual consent.
The CPRA, however, doesn't have such a framework. According to the CPRA, a business does not need a user's prior consent before any processing activity, nor does a website need a user's prior consent before selling its data to third parties.
Enforcement
The European Data Protection Board (EDPB) and the European Commission make sure that GDPR is followed.
The EDPB ensures that data protection law is applied equally across all EU member states. They can look into complaints and take action against businesses that they think aren't following GDPR.
The European Commission is responsible for investigating breaches of EU law, including GDPR. They can also impose fines on companies they believe have breached GDPR.
The California Attorney General's Office enforces the CPRA. They are responsible for investigating complaints and taking enforcement action against companies they believe are not complying with the CPRA.
Geographical scope and applicability
The GDPR applies to data controllers, who decide how and why to process personal information, and, in part, to data processors, who process personal data on a controller’s behalf. A controller or processor can be any individual, public body, or business of any size. A controller may be based outside the EU if the following conditions are met:
Is established in the EU, or
Offers goods and services in the EU, or
Monitors the behavior of people in the EU.
Therefore, the GDPR applies to any company that processes the personal data of individuals in the European Union, regardless of whether those companies are based inside or outside of the EU. This means that even if a company is based in the United States, it will still need to comply with GDPR if it processes the personal data of EU residents.
The GDPR applies to the U.K. and the European Economic Area (EEA).
In contrast, the CPRA only applies to organizations that do business in California and that process the consumer data of California residents. The CPRA applies primarily to any for-profit organization that does business in California and fulfills one or more of the following characteristics:
Has annual gross revenues in excess of $25 million;
Derives 50% or more of its annual revenues from selling consumers’ personal information; or
Has access to the personal information of 50,000 or more consumers, households, or devices.
This means that even if a company isn't based in California, it will still have to ensure CPRA and CCPA compliance if it meets any of the above thresholds and handles the personal information of Californian citizens.
Rights of Individuals
The GDPR provides the following data subject rights:
Under the CPRA, the California Attorney General can issue civil penalties for:
Up to $7,500 per intentional violation
Up to $2,500 per unintentional violation
Consumers can also bring private legal claims for data breaches, which can result in:
Actual damages covering any losses
Statutory damages of between $100 and $750 per consumer per incident of non-compliance
The CPRA establishes the California Privacy Protection Agency (CPPA), which will enforce the law alongside the California Attorney-General. The CPRA also expands the enforcement of the CCPA’s provisions slightly:
Violations involving children’s personal information under 16 are always considered "intentional."
The definition of a "data breach" is broadened slightly.
Final Thoughts
As you can see, there are some key differences between GDPR and CPRA (and the CCPA). Understanding these differences is important for companies that do business in Europe and California or process the personal data of EU citizens and California residents.
These differences are important for organizations to consider when developing data privacy policies and procedures. Businesses must follow the laws in each place they do business or face fines and other penalties.
