CCPA 2.0 Gets Closer to Reality! But How Does it Compare to GDPR?

Published On: November 22, 2022Categories: Blog

In this digital age, ownership of data is emerging as both a liability and a hot commodity. With governments and policymakers enforcing stringent regulation to protect PII and PI data, individuals are more conscious of privacy and their rights.

The California Consumer Privacy Act (CCPA) was created and passed by the California legislature in response to a California ballot initiative.  The CCPA was designed to be less restrictive than the ballot initiative and was passed contingent on the fact that the ballot initiative was abandoned.

The California Privacy Rights Act (CPRA) is a new ballot initiative designed to improve upon the CCPA.  It is designed to enhance – rather than replace –  the CCPA and includes additional protections for California residents as well as some updates designed to correct issues with the original bill, such as exempting a larger number of small businesses from CCPA responsibilities and protecting the law from being weakened by the legislature.

Comparing GDPR and CPRA

The EU’s General Data Protection Regulation (GDPR) is the world’s most famous data protection law.  It has been used as a reference for creating and evaluating a number of new data privacy laws, including the CPRA.

Consumers’ Rights

A primary goal of the GDPR, CCPA, and CPRA is to provide consumers with certain rights regarding their data.  The CCPA and GDPR already had significant overlap in this area, but the CPRA added additional protections.  Many of these rights overlap with the GDPR, but some are unique to one regulation or the other.GDPRCCPACPRAShared Across all Three RegulationsRight to know what data has been collected about youYYYRight to request a copy of data collected about you (in a portable format)YYYRight to object to the sale of your dataYYYRight to require deletion of your dataYYYRight to not be discriminated against based upon your dataYYYIntroduced in CPRARight to correct data collected about youYNYRight to restrict use of sensitive personal dataYNYRight to restrict storage of data longer than necessaryYNYRight to restrict collection of more data than necessaryYNYRight to restrict use of precise geolocationYNYRight to transparency regarding automated decision-makingYNYRight to restrict transfer of data onwardYNYOnly in GDPRRequirement for explicit consent for data processingYNNRequirement for legal basis for processingYNNMissing from GDPRRequirement for easy “Do Not Sell” button on websitesNYYAbility to browse without popups or sale of informationNNY

As shown above, the protections provided under the CPRA are largely equivalent to those under the GDPR.  However, the GDPR has slightly more protection (requirements for explicit consent and legal basis for processing), while the CPRA includes provisions to make private browsing easier.

Businesses’ Obligations

Data protection laws are designed to protect consumer privacy and the security of the data collected by an organization regarding a data subject.  To ensure privacy, security, and enforce an individual’s rights, businesses have several obligations under the GDPR, CCPA, and CPRA. GDPRCCPACPRADisclosure of Privacy PolicyYYYResponse to rights requestsYYYSecure sensitive informationYYYWritten contracts with third parties that have access to customer dataYYY Introduced in CPRA Data protection by design and defaultYNYMaintain records of processing activitiesYNYRequire high-impact data processors to perform regular risk assessmentsYNY Only in GDPR Adherence to rules of cross-border data transfersYNNMissing from GDPR Require high-impact data processors to perform regular cybersecurity audits NNY

As shown above, the CPRA primarily strengthens the protection of customers’ sensitive data collected and stored by an organization.  New requirements are focused on maintaining records and completing regular risk assessments and cybersecurity audits for high-risk data.

Preparing for the CPRA

The CPRA is a long way from impacting an organization’s operations.  Before it can go into effect, it must successfully be accepted for inclusion on the November 2020 ballot, win a majority vote before California voters, and undergo a significant ramp-up period designed to enable businesses to achieve compliance before enforcement begins.

That said, achieving compliance with CPRA and other data privacy laws can be a very involved process, so starting as soon as possible is important.  The first (and most important) step in this process is identifying where customers’ data is located within your organization.

Learn more about how you can become CCPA compliance — and how to prepare for the CPRA. can help! — Schedule a demo today!