Editor’s Note: This piece from 1Touch does a solid and succinct job of comparing the key provisions of GDPR and CCPA regulations as they currently stand.
In this digital age, ownership of data is emerging as both a liability and a hot commodity. With governments and policymakers enforcing stringent regulation to protect PII and PI data, individuals are more conscious of privacy and their rights.
By Luis Marte
The California Consumer Privacy Act (CCPA) was created and passed by the California legislature in response to a California ballot initiative. The CCPA was designed to be less restrictive than the ballot initiative and was passed contingent on the fact that the ballot initiative was abandoned.
The California Privacy Rights Act (CPRA) is a new ballot initiative designed to improve upon the CCPA. It is designed to enhance – rather than replace – the CCPA and includes additional protections for California residents as well as some updates designed to correct issues with the original bill, such as exempting a larger number of small businesses from CCPA responsibilities and protecting the law from being weakened by the legislature.
Comparing GDPR and CPRA
The EU’s General Data Protection Regulation (GDPR) is the world’s most famous data protection law. It has been used as a reference for creating and evaluating a number of new data privacy laws, including the CPRA.
CONSUMERS’ RIGHTS
A primary goal of the GDPR, CCPA, and CPRA is to provide consumers with certain rights regarding their data. The CCPA and GDPR already had significant overlap in this area, but the CPRA added additional protections. Many of these rights overlap with the GDPR, but some are unique to one regulation or the other.
| GDPR | CCPA | CPRA | |
| Shared Across all Three Regulations | |||
| Right to know what data has been collected about you | Y | Y | Y |
| Right to request a copy of data collected about you (in a portable format) | Y | Y | Y |
| Right to object to the sale of your data | Y | Y | Y |
| Right to require deletion of your data | Y | Y | Y |
| Right to not be discriminated against based upon your data | Y | Y | Y |
| Introduced in CPRA | |||
| Right to correct data collected about you | Y | N | Y |
| Right to restrict use of sensitive personal data | Y | N | Y |
| Right to restrict storage of data longer than necessary | Y | N | Y |
| Right to restrict collection of more data than necessary | Y | N | Y |
| Right to restrict use of precise geolocation | Y | N | Y |
| Right to transparency regarding automated decision-making | Y | N | Y |
| Right to restrict transfer of data onward | Y | N | Y |
| Only in GDPR | |||
| Requirement for explicit consent for data processing | Y | N | N |
| Requirement for legal basis for processing | Y | N | N |
| Missing from GDPR | |||
| Requirement for easy “Do Not Sell” button on websites | N | Y | Y |
| Ability to browse without popups or sale of information | N | N | Y |
As shown above, the protections provided under the CPRA are largely equivalent to those under the GDPR. However, the GDPR has slightly more protection (requirements for explicit consent and legal basis for processing), while the CPRA includes provisions to make private browsing easier.
BUSINESSES’ OBLIGATIONS
Data protection laws are designed to protect consumer privacy and the security of the data collected by an organization regarding a data subject. To ensure privacy, security, and enforce an individual’s rights, businesses have several obligations under the GDPR, CCPA, and CPRA.
| GDPR | CCPA | CPRA | |
| Disclosure of Privacy Policy | Y | Y | Y |
| Response to rights requests | Y | Y | Y |
| Secure sensitive information | Y | Y | Y |
| Written contracts with third parties that have access to customer data | Y | Y | Y |
| Introduced in CPRA | |||
| Data protection by design and default | Y | N | Y |
| Maintain records of processing activities | Y | N | Y |
| Require high-impact data processors to perform regular risk assessments | Y | N | Y |
| Only in GDPR | |||
| Adherence to rules of cross-border data transfers | Y | N | N |
| Missing from GDPR | |||
| Require high-impact data processors to perform regular cybersecurity audits | N | N | Y |
As shown above, the CPRA primarily strengthens the protection of customers’ sensitive data collected and stored by an organization. New requirements are focused on maintaining records and completing regular risk assessments and cybersecurity audits for high-risk data.
Preparing for the CPRA
The CPRA is a long way from impacting an organization’s operations. Before it can go into effect, it must successfully be accepted for inclusion on the November 2020 ballot, win a majority vote before California voters, and undergo a significant ramp-up period designed to enable businesses to achieve compliance before enforcement begins.
That said, achieving compliance with CPRA and other data privacy laws can be a very involved process, so starting as soon as possible is important. The first (and most important) step in this process is identifying where customers’ data is located within your organization.
Learn more about how you can become CCPA compliance — and how to prepare for the CPRA.
SOURCES
- https://www.caprivacy.org/your-privacy-rights/
- https://tomkemp.blog/2020/05/30/comparing-consumer-rights-gdpr-vs-ccpa-vs-cpra/
- https://tomkemp.blog/2020/06/01/comparing-business-obligations-gdpr-vs-ccpa-vs-cpra/
- https://lucidprivacy.io/cpra-against-ccpa-and-gdpr-56fbc3ed26c2
This article originally appeared in 1Touch.io. Photo by Maarten van den Heuvel on Unsplash.
