GDPR vs CCPA vs CPRA
The EU General Data Protection Regulation (GDPR) came into effect in May 2018, and it’s still the world’s most powerful and comprehensive data protection law.
But the rest of the world is catching up—even in the U.S., where privacy legislation is comparatively weak.
The California Consumer Privacy Act (CCPA), which took effect in January 2020, represented a huge step forward for U.S. privacy law. And the California Privacy Rights Act (CPRA), which takes effect in January 2023 and will amend the CCPA, is set to make the state’s data rules even stricter.
This article will look at some key similarities and differences between the GDPR, the CCPA, and the CPRA (note that the CPRA might change a little before it comes into force).
Here’s the GDPR’s core definition of “personal data”:
“…any information relating to an identified or identifiable natural person…”
This extensive definition of personal data can apply to all sorts of information, depending on the context, including names, IP addresses, or device IDs.
Here’s the CCPA’s core definition of “personal information”:
“…information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This definition is still quite broad, but the phrase “reasonably linked” makes it somewhat narrower than the GDPR’s.
The CPRA uses much the same definition of “personal information.” However, the CPRA’s definition is slightly narrower again—personal information must also be reasonably capable of being associated with a particular consumer or household.
The GDPR applies to “controllers,” who decide how and why to process personal information, and, in part, to “processors,” who process personal data on a controller’s behalf.
A controller or processor can be any individual, public body, or business of any size. A controller can be based outside the EU, as long as it:
- Is established in the EU, or
- Offers goods and services in the EU, or
- Monitors the behaviour of people in the EU.
The GDPR also applies in the U.K. and the wider European Economic Area (EEA).
The CCPA and CPRA are narrower in scope, but both laws similarly apply to organisations based outside of California.
The CCPA applies primarily to “businesses,” defined as any for-profit organisation that does business in California and fulfils one or more of the following characteristics:
- It has gross annual revenues of at least $25 million
- It annually buys or sells—or receives or shares for commercial purposes—personal information from at least 50,000 consumers, households, or devices
- It derives at least half of its annual revenues from selling consumers’ personal information
The CPRA keeps the CCPA’s definition of a “business,” with a small but significant change to section “b”. A “business now “annually buys, sells, or shares the personal information of 100,000 or more consumers or households.”
The GDPR provides individuals with the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to deletion
- The right to restriction of processing
- The right to data portability
- The right to object
- Rights related to automated decision-making
Controllers must respond to a request within one month, with a possible extension of one month where necessary.
Consumers have the following rights under the CCPA:
- The right to know
- The right of access
- The right to delete
- The right to opt out of the sale of personal information
- The right to non-discrimination
The CPRA adds the following rights:
- The right to correct
- The right to opt out of the sharing of personal information
- The right to limit the disclosure of sensitive personal information
Under both California laws, businesses must respond to a request within 45 days, with a possible extension of 45 days where necessary.
Targeted advertising rules
An important part of all three laws is how they affect online advertising via cookies.
Under EU law, the ePrivacy Directive sets the main rules on cookies. The law requires websites and apps to obtain consent for using non-necessary cookies (e.g. for marketing and analytics).
The GDPR sets the standard of consent: a freely-given, informed, specific, unambiguous, clear affirmative action.
The CCPA requires businesses to offer consumers an opportunity to opt out of the “sale” of their personal information. Because of the broad definition of “sale,” this has been widely interpreted as a requirement to provide consumers with a facility to opt out of third-party cookies.
The CPRA makes this rule even clearer: businesses must offer consumers an opportunity to opt out of the sale or sharing of personal information, including cookies.
The EU and California laws all include a similar type of entity—called a “processor” under the GDPR and a “service provider” under the CCPA and CPRA.
Under all three laws, a processor (or service provider):
- Processes personal data on behalf of a controller (or business)
- Acts on the controller’s (or business’) written instructions under a contract
- May not process personal data for purposes outside of this contract
Despite this core similarity, there are some important differences between the three laws.
Under the GDPR, the written agreement between the controller and its processor must contain an extensive list of clauses that are set out in the GDPR. These clauses govern the scope of the processing, data security obligations, and cooperation between the two parties.
Under the CCPA, the agreement between a businesses and its service provider contains fewer mandatory clauses. For the most part, the agreement simply has to oblige the service provider not to process personal information outside of the contract.
The CPRA adds several new obligations on service providers, including:
- Additional mandatory clauses in the service provider agreement
- A legal requirement to assist the business with data security
- A legal requirement to assist the business with facilitating consumer rights requests
The GDPR is enforced by Data Protection Authorities (DPAs) in each member state, who can issue administrative fines of:
- For less serious violations, up to €10 million or 2 percent of total worldwide turnover (whichever is greater)
- For more serious violations, up to €20 million or 4 percent of total worldwide turnover (whichever is greater)
Individuals, groups, and non-profit organisations can also bring private legal claims if they have suffered losses due to a GDPR violation.
Under the CCPA, the California Attorney-General can issue civil penalties of:
- Up to $7,500 per intentional violation
- Up to $2,500 per unintentional violation
Consumers can also bring private legal claims for data breaches, which can result in:
- Actual damages covering any losses
- Statutory damages of between $100 and $750 per consumer, per incident
The CPRA establishes the California Privacy Protection Agency (CPPA), which will enforce the law alongside the California Attorney-General. The CPRA also expands the enforcement CCPA’s provisions slightly:
- Violations involving children’s personal information under the age of 16 are always treated as “intentional.”
- The definition of a “data breach” is broadened slightly.