The European Union’s (EU) General Data Protection Regulation (GDPR) set the stage for subsequent privacy regulations, most notably the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
The GDPR (Regulation (EU) 2016/679) took effect on 25 May 2018, establishing strict rules for handling personal data. It applies to any organization that processes the personal data of individuals in the EU, whether or not the organization is established there: a non-EU business is covered when it offers goods or services to people in the EU or monitors their behaviour (Article 3).
In terms of CCPA vs CPRA, the CCPA was signed into law in June 2018, a month after the GDPR took effect, and became operative in January 2020. The CPRA is an expansion of the CCPA that California voters approved as Proposition 24 in November 2020. It strengthens the CCPA in several key ways, including adding a category of sensitive personal information, regulating the "sharing" of personal information for cross-context behavioural advertising as well as its sale, and creating a dedicated enforcement agency.
Below we discuss the differences between these privacy laws in more detail.
General Data Protection Regulation (GDPR)
The GDPR is currently the most comprehensive regulation on consumer data privacy and is widely regarded as the global benchmark. It sets out strict rules on how personal data must be collected, used, and protected, and on the rights of the people that data describes.
Scope
The GDPR applies to for-profit and nonprofit organizations, including public bodies, that handle the personal data of EU data subjects, so it also affects non-EU businesses. It covers almost all personal data, with only narrow exceptions (such as processing for purely personal or household activities, and law-enforcement processing, which falls under a separate directive). The CCPA and CPRA, by contrast, carve out several categories, for example personal information already governed by sector-specific federal laws such as HIPAA and GLBA, and publicly available information.
Consumer Rights
The GDPR also guarantees a set of rights to every data subject (Articles 12 to 22). These include the right to
- be informed about how their data is processed
- access the data held about them
- rectification of inaccurate data
- erasure (the "right to be forgotten")
- restriction of processing
- data portability
- object to processing, including direct marketing
- not be subject to solely automated decisions that have legal or similarly significant effects
Enforcement Agency
The GDPR is enforced by the supervisory authority (data protection authority) of each EU member state. For cross-border processing, the authority in the country of the organization's main establishment acts as lead supervisory authority, and the European Data Protection Board coordinates between the national authorities. The UK's Information Commissioner's Office (ICO) was one of those authorities until the UK left the EU on 31 January 2020; since the end of the transition period on 31 December 2020 it enforces the UK GDPR, the retained UK version of the regulation, rather than the EU GDPR. Each EU authority can investigate complaints and levy fines within its own jurisdiction.
Penalties
Fines are tiered by the obligation breached (Article 83). Infringements of the security, breach-notification, and record-keeping obligations can draw fines of up to €10 million or 2% of annual worldwide turnover, whichever is higher; infringements of the basic processing principles, data subject rights, or international-transfer rules can draw up to €20 million or 4% of annual worldwide turnover, whichever is higher. A data breach is not fined in itself; what is penalised is the failure to implement appropriate security or to notify the supervisory authority within 72 hours of becoming aware of the breach.
California Consumer Privacy Act (CCPA)
The CCPA was a watershed moment for data privacy and protection in the United States. It was the first comprehensive US state privacy law, giving California residents many of the same rights found in the GDPR; because many businesses chose to apply it to all of their US users rather than segment by state, its practical reach extended well beyond California.
Scope
Only for-profit businesses that meet one of the statutory thresholds are covered: annual gross revenue above $25 million; buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or deriving 50% or more of annual revenue from selling consumers' personal information. The CCPA does not require opt-in cookie consent in the GDPR sense. It requires a notice at or before the point of collection describing the categories of personal information collected and the purposes for which they are used, and a business that sells personal information must provide a clear "Do Not Sell My Personal Information" link so consumers can opt out.
Consumer Rights
Consumers are entitled to certain rights under the CCPA, including the right to
- opt out of the sale of their personal information
- be informed about what personal information is collected and why
- access the personal information a business has collected about them
- have that personal information deleted
- receive equal service and pricing without discrimination for exercising these rights
Enforcement Agency
The CCPA is enforced by the California Office of the Attorney General (OAG), which brings civil actions to recover the statutory penalties; the penalty amounts themselves are fixed by the statute rather than set by the OAG.
Penalties
The CCPA’s penalties are tiered, so companies face higher penalties if they knowingly violate the law. Under the original CCPA, a business had 30 days after written notice to cure a violation before the OAG could bring an action:
- $2,500 per unintentional violation
- $7,500 per intentional violation
- $100 to $750 per consumer per incident, or actual damages if greater, under the private right of action for breaches of nonencrypted and nonredacted personal information caused by a failure to maintain reasonable security
California Privacy Rights Act (CPRA)
CPRA, in a nutshell, is a more comprehensive version of the CCPA. It adds several important components to the CCPA’s rules.
Scope
The CCPA originally counted a business as covered if it bought, sold, or shared the personal information of 50,000 or more consumers, households, or devices a year. The CPRA raised this threshold to 100,000 and counts only consumers or households, no longer devices. The CPRA also modified the CCPA’s 50%-of-revenue test to cover revenue from selling or "sharing" consumers’ personal information, where sharing means disclosure for cross-context behavioural advertising regardless of whether money changes hands. The $25 million revenue threshold remains.
Consumer Rights
The CPRA adds a category of "sensitive personal information" (for example precise geolocation, government identifiers, account credentials, racial or ethnic origin, health, and biometric data) and gives consumers the right to limit its use and disclosure to what is necessary to provide the requested service. It also adds a right to correct inaccurate personal information, a right to opt out of sharing as well as sale, and data-minimisation and retention rules that require businesses to disclose how long they keep each category of information. A business that uses or discloses sensitive personal information beyond the permitted purposes must provide a clear "Limit the Use of My Sensitive Personal Information" link on its website homepage, alongside the "Do Not Sell or Share My Personal Information" link, leading to a page where consumers can exercise that right.
Enforcement Agency
The CPRA created a new authority, the California Privacy Protection Agency (CPPA), dedicated to implementing and enforcing the law. It has rulemaking authority and can bring administrative enforcement actions; the Attorney General retains the power to bring civil actions as well.
Penalties
The same penalty amounts carry over from the CCPA, and the $7,500 tier now also applies to each violation involving the personal information of a consumer the business knows is under 16, whether or not the violation was intentional. The CPRA removed the CCPA’s guaranteed 30-day cure period: a business can no longer avoid penalties simply by correcting an issue after being notified, although the CPPA may take good-faith efforts to cure into account. The private right of action for breaches was also extended to cover an email address in combination with a password or security question and answer.
Conclusion
The CPRA takes effect on 1 January 2023, with enforcement beginning on 1 July 2023, and it remains to be seen how it affects businesses in California and beyond. In the meantime, companies should ensure they comply with the CCPA and GDPR, as well as any other data privacy laws that may apply to them, such as Brazil’s LGPD and Canada’s PIPEDA.