Difference between CCPA, CPRA and GDPR
When it was enacted in 2018, the CCPA marked a turning point for data privacy
and protection. It was the first substantial piece of legislation to give
Californian consumers the privacy rights they deserve in the twenty-first
century. In hindsight, however, there was clearly room for growth, particularly
once voters approved the CPRA in November 2020. The CPRA is best described as a
more complete version of the CCPA: it strengthens the CCPA's provisions in a
few crucial areas. Both laws draw on a common model, the European Union's
General Data Protection Regulation (GDPR), the most extensive consumer data
privacy law yet enacted. It was inevitable that the GDPR and the CCPA/CPRA
would become the benchmarks against which later privacy laws, in Europe and
internationally, are compared.
Comparison at a glance

Rights of consumers
GDPR: The largest distinction between the GDPR and the CCPA/CPRA is opt-in
versus opt-out. Under the GDPR a business needs a lawful basis before it
processes any personal data at all, and where that basis is consent, the data
subject must affirmatively opt in. Under the CCPA/CPRA, by contrast, a business
may process personal information for its own purposes unless the consumer
exercises the right to opt out of the sale or sharing of that information with
third parties.
CCPA: All Californians are entitled to equal service and prices without
discrimination for exercising their rights, the right to be informed about data
collection and about their rights, the right to have the information collected
about them disclosed, the right to have that information deleted, and the right
to opt out of third-party sales of their data.
CPRA: All Californians gain the right to limit how a business uses and
discloses their sensitive personal information, and may direct the business to
use it only where necessary to provide the goods or services they requested.
Every business must also place a clear and conspicuous link on its website home
page leading to a page where consumers can limit the use of their personal
information.

Scope and notice obligations
GDPR: Applies to for-profit and non-profit organisations and to public
authorities that process the personal data of individuals in the EU. It covers
almost every form of personal data, including medical information, clinical
trial information, financial information and other confidential personal
details, and is far more comprehensive than the CCPA in obligating
organisations to tell individuals when their data is collected, shared or
disclosed. A subject access request must be answered within one month, and the
response must say whether the organisation holds the individual's data and
where it came from.
CCPA: Applies only to for-profit businesses, and defines what counts as a
"business". A business must respond to a consumer request within 45 days, need
only disclose the personal information collected in the preceding 12 months,
and discloses the categories of sources that information came from rather than
the specific source.
CPRA: Modifies the definitions of "business" and "sharing" to widen the Act's
scope, and creates a new protected category of data, Sensitive Personal
Information (SPI). Unlike the CCPA, it adopts GDPR principles of data
minimisation, purpose limitation and storage limitation, and adds the right to
ask a business to limit how it uses one's sensitive personal information.

Enforcement authority
GDPR: Each EU member state's data protection authority enforces the GDPR, which
took effect EU-wide in May 2018. The United Kingdom's Information
Commissioner's Office (ICO) was one of these authorities and, despite the UK's
exit from the EU, it was confirmed in 2019 that the ICO would continue to
enforce GDPR rules throughout the UK (now as the UK GDPR).
CCPA: The California Office of the Attorney General (OAG) enforces the CCPA.
When a business is found to be in breach of the CCPA, the Attorney General's
office is responsible for seeking the applicable fines and penalties.
CPRA: The CPRA established a brand-new agency, the California Privacy
Protection Agency (CPPA), with full investigative and enforcement authority
over the CPRA; the Attorney General retains concurrent civil enforcement power.

Penalties
GDPR: Administrative fines for non-compliance and data breaches of up to
20 million euros or 4% of the offending company's annual worldwide turnover,
whichever is higher.
CCPA: Civil penalties of up to $2,500 per unintentional violation and $7,500
per intentional violation, imposed through the Attorney General. A private
right of action exists only for data breaches caused by a failure to maintain
reasonable security, for which consumers may claim statutory damages of $100 to
$750 per consumer per incident (or actual damages, if greater); other
violations carry no private right of action. Under the CCPA a business could
escape the penalty by fixing the problem within 30 days of being notified by
the Attorney General.
CPRA: Keeps the CCPA's penalty amounts and applies the $7,500 tier to
violations involving the personal information of consumers known to be under
16. The CPRA removed the CCPA's automatic 30-day cure period; whether a
business may cure a violation before penalties are imposed is now at the
regulator's discretion.
Implications of CPRA's Enforcement
The CPRA came into effect on January 1, 2023, amending the CCPA. Enforcement of
its new provisions, however, was delayed until July 1, 2023. This delay offers
businesses some respite to refine their compliance programs before penalties
apply.
During the enforcement delay, regulators cannot penalize businesses under the
CPRA's new or amended obligations for conduct before July 1, 2023. Businesses
must nonetheless comply with the CPRA's substantive requirements, including the
new consumer rights and the changes to vendor contracting. The final CPRA
regulations, originally due by July 1, 2022, were still pending at the time of
writing, adding to the uncertainty.
To prepare for the eventual enforcement, businesses should prioritize compliance
efforts such as data mapping, an inventory of data processing activities used to
determine which requirements apply. Penalties for CPRA noncompliance, starting
from July 1, 2023, can be significant, with each violation costing up to $2,500
($7,500 for intentional violations or violations involving minors).
While awaiting CPRA enforcement, businesses should also remember that the CCPA,
in effect since 2020, remains enforceable, now covering additional data types.
Furthermore, other state privacy laws, such as the Virginia Consumer Data
Protection Act, pose compliance hurdles. In conclusion, businesses should refine
their compliance programs to meet CPRA requirements before the July 1
enforcement deadline. Despite the enforcement delay, adherence to the CPRA's
substantive obligations is essential. Compliance with the enforceable CCPA and
awareness of other state privacy laws remain crucial.
The California Privacy Rights Act (CPRA) was approved by California voters as
Proposition 24 in November 2020. Because of its major expansions of the existing
California Consumer Privacy Act (CCPA), it further establishes California's
position at the frontier of U.S. data privacy regulation. The CPRA functions
essentially as an addendum to the CCPA: it strengthens residents' rights,
tightens the rules on how businesses use personal information, and creates a new
regulator for state-wide privacy enforcement, the California Privacy Protection
Agency (CPPA), among other significant changes to the Golden State's data
privacy regime. The Act applies to personal information collected by businesses
on or after January 1, 2022.
While the California Privacy Rights Act merits consideration on its own terms,
we regret that the ballot proposal failed to take advantage of significant
changes that would have made the CCPA more palatable for consumers. A better
model would respect consumer privacy by default, by integrating strong data
minimization language that restricts data collection, use, and disclosure to
only what is necessary to deliver the service the consumer has requested. Such
default protections, which California has already adopted in other laws, would
be a superior replacement for the cumbersome opt-out procedures the California
Privacy Rights Act relies on. The Act could also have gone further in
preventing discrimination against, or increased charges for, consumers who
exercise their right to privacy.
It is clear that while the California Privacy Rights Act delivers significant
short-term incremental improvements, its long-term effects are unclear and may
even be detrimental. Strong pro-privacy polling, however, shows that consumers
want their privacy protected, if only effective regulations allowed them to
secure it. Appropriate implementation mechanisms can do much for the Act's
sustenance and relevance in California.
Frequently Asked Questions (FAQs):
What is the California Privacy Rights Act (CPRA)?
The California Privacy Rights Act (CPRA), California's data privacy legislation,
came into force on January 1, 2023. It strengthens California's existing privacy
rules, principally the California Consumer Privacy Act (CCPA). Businesses that
collect personal information about California residents must comply with the
CPRA. Its privacy requirements are comparable to those of the General Data
Protection Regulation (GDPR) in the EU.
Is the CCPA supplanted by the CPRA?
Not quite. It is more accurate to describe the CPRA as an amendment of the
CCPA. The California Privacy Rights Act (CPRA) itself states that it "adds" new
provisions to and "amends" existing sections of the CCPA.
Which enforcement agency is in charge of protecting the privacy rights under the
CPRA?
The California Privacy Rights Act established a new agency, the California
Privacy Protection Agency, which has full administrative power, authority, and
jurisdiction to implement and enforce the CCPA as amended by the CPRA.
When did the California Privacy Protection Agency assume rulemaking authority?
On April 21, 2022, the newly established California Privacy Protection Agency
officially took over rulemaking authority under the California Consumer Privacy
Act (CCPA) from the Attorney General, as mandated by the California Privacy
Rights Act of 2020. This marked an important new chapter for the Agency.
How does the CPPA enforce the CPRA?
One of the most important structural changes the CPRA brings to privacy
administration is a new body charged with regulating and enforcing the CCPA as
revised by the CPRA. The California Privacy Protection Agency, a new
administrative body governed by a five-member board of privacy and technology
experts, administers, implements, and enforces the amended CCPA. The CPRA
allocates $5 million for the Agency's first year of operation and $10 million
for each fiscal year thereafter.
Who is subject to the CPRA?
Businesses that buy, sell, or share the personal information of 100,000 or more
consumers or households in a year; or had gross revenue above $25 million in
the preceding calendar year (measured as of January 1 of the current year); or
derive 50% or more of their annual revenue from selling or sharing consumers'
personal information are "businesses" under the CPRA and must comply with its
provisions.
How does the CPRA affect businesses?
As with the CCPA, regulations are needed to fill the gaps in the CPRA's major
provisions, such as those governing the right of correction, technical
specifications for opt-outs, and data-use agreements with service providers and
the newly designated "contractor" businesses. The CPRA required final
regulations to be adopted by July 1, 2022, giving the new Agency roughly 18
months for feedback, amendment, and implementation. In practice the Act only
became operative on January 1, 2023, and enforcement of its new provisions was
deferred to July 1, 2023.
How has the CPRA modified the CCPA's application to companies handling
California residents' personal information?
The CPRA alters the CCPA's application by changing what counts as a "business"
subject to the Act. That definition determines which entities are covered, and
consequently the reach and applicability of the legislation. The two business
categories listed in the CCPA are modified by the CPRA, and two further
categories are added to cover new kinds of entity.
How does the CPRA expand the CCPA's notice-at-collection obligations?
Under the CCPA, a covered business must notify consumers "at or before the
point of collection" of the categories of personal information to be collected
and the purposes for which it will be used. The CPRA expands this requirement,
adding notice of:
- whether the personal information will be sold or shared;
- how long each category of personal information will be retained; and
- further disclosures about the collection and use of "sensitive personal information".
Do the CCPA's employee and B2B exemptions continue to exist in the CPRA?
The CPRA extended the expiry date of the CCPA's employee and business-to-business
(B2B) exemptions from January 1, 2021, to January 1, 2023. They no longer apply
after that cutoff date.
Written By: Tejaswini Kaushal,
A Student At Dr. Ram Manohar Lohiya National Law University, Lucknow.