GDPR V Ccpa and Cpra v6
Topics covered
GDPR v. CCPA & CPRA
January 2022

About the authors

OneTrust DataGuidance™ provides a suite of privacy solutions designed to help organisations monitor regulatory developments, mitigate risk, and achieve global compliance.

OneTrust DataGuidance™ Regulatory Research includes focused guidance around core topics (i.e. GDPR, data transfers, breach notification, among others), Comparisons which allow you to compare regulations across multiple jurisdictions at a glance, a daily customised news service, and expert analysis. These tools, along with our in-house analyst service to help with your specific research questions, provide a cost-effective and efficient solution to design and support your privacy program.

Newmeyer & Dillion LLP is a full service law firm headquartered in Newport Beach, California, with additional offices located in Walnut Creek, California and Las Vegas, Nevada. Newmeyer Dillion's attorney roster is comprised of business-focused lawyers with a focus on the big picture, from business transactions and litigation to the forefront of technology, privacy, and the law, seeking to counsel clients holistically at every stage of their business and work side-by-side and hand in glove to create solutions at the best possible cost.

The attorneys of Newmeyer Dillion strive to be the kind of people you actually enjoy dealing with and the kind of law firm you are proud to call a partner. The business relationships become lifelong friendships and the friendships become lifelong business relationships.

Contributors

Newmeyer & Dillion LLP: Jeffrey Dennis, Kyle Janecek

Table of contents

Introduction 5
1. Scope
1.1. Personal scope 7
1.2. Territorial scope 9
1.3. Material scope 10
2. Key definitions
2.1. Personal data 12
2.2. Pseudonymisation 16
2.3. Controller and processors 17
2.4. Children 20
2.5. Research 22
3. Legal basis 24
4. Controller and processor obligations
4.1. Data transfers 26
4.2. Data processing records 30
4.3. Data protection impact assessment 32
4.4. Data protection officer appointment 34
4.5. Data security and data breaches 36
4.6. Accountability 38
Should I be worried about an ADA website claim?
What exposure do I face if named in a cyber-based complaint?
What should I do if my company suffers a breach, or experiences ransomware?
How do we choose the right cyber insurance?
What privacy compliance frameworks impact my company, and how do I comply?

To find the right answers, ask the right questions

Your most pressing legal problems rarely have simple answers. That's why we ask before we act—about your business, your goals and your deepest concerns. For more than three decades, Newmeyer Dillion has used the answers to propel clients to success.

Download our free guide, Five Questions to Ask Before Buying Cyber Insurance, at newmeyerdillion.com/5questions-cyber.

24/7 Data Breach Response / Ransomware Hotline: 844.414.2333

Introduction

Soon after the entry into effect of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') on 25 May 2018, the California Consumer Privacy Act of 2018 ('CCPA') (under Sections 1798.100 et seq. of Title 1.81.5. of Part 4 of Division 3 of the California Civil Code ('Cal. Civ. Code')) was signed into law on 28 June 2019. The CCPA later entered into effect on 1 January 2020 and became enforceable from 1 July 2020. Both the GDPR and the CCPA aim to guarantee the protection of individuals' personal data and apply to businesses processing such data.

To date, the GDPR is one of the most comprehensive data protection laws, with several countries using it as inspiration to strengthen or establish laws on the protection of personal data. In the US, and absent a comprehensive federal framework, the CCPA is one of the most significant and strictest privacy laws, with a wide territorial application due to California being one of the largest global economies.

On 14 August 2020, the Final CCPA Regulations ('the CCPA Regulations'), which provide further requirements and clarifications on the application of the CCPA, were approved. Then on 15 March 2021, additional regulations to the CCPA were approved, further facilitating understanding of, and compliance with, the CCPA.

On 4 November 2020, the California Privacy Rights Act of 2020 ('CPRA'), or Proposition 24, passed the 2020 California General Elections. Although the CPRA became effective immediately, most of its provisions will not be operational until January 2023 and will not be enforced until July 2023. The CPRA has introduced a number of changes to the CCPA, such as new definitions, expanded consumer rights, and the establishment of the California Privacy Protection Agency ('CPPA'), among other important obligations for business.

Notably, the GDPR and CCPA are similar in certain aspects, such as with certain definitions, affording protections to individuals under the age of 16, and with the inclusion of various rights, such as the right to access personal information and the right to delete such data. However, the laws diverge with respect to scope of application, provisions around limitations on the collection of personal information, and on certain obligations such as accountability. Moreover, while the GDPR requires a legal basis for the processing of personal data, the CCPA does not require the same. Furthermore, the CCPA provides for requirements around the selling of personal information, requiring that businesses include on their homepage a 'Do Not Sell My Personal Information' link, among various other differences.

This Guide aims to assist organisations in understanding and comparing the relevant provisions of the GDPR with the CCPA and provisions of the CPRA, to ensure compliance with both laws.
Key for giving the consistency rate

Consistent: The GDPR and the CCPA/CPRA bear a high degree of similarity in the rationale, core, scope, and the application of the provision considered.

Fairly consistent: The GDPR and the CCPA/CPRA bear a high degree of similarity in the rationale, core, and the scope of the provision considered, however, the details governing its application differ.

Fairly inconsistent: The GDPR and the CCPA/CPRA bear several differences with regard to the scope and application of the provision considered, however, its rationale and core presents some similarities.

Inconsistent: The GDPR and the CCPA/CPRA bear a high degree of difference with regard to the rationale, core, scope, and application of the provision considered.

1.1. Personal scope

Differences

GDPR: The GDPR only protects living individuals. The GDPR does not protect the personal data of deceased individuals, this being left to Member States to regulate.
California Privacy Laws: The CCPA and CPRA do not address whether its protections extend to deceased persons.

GDPR: The GDPR defines a 'data controller' as a 'natural and legal person, public authority, agency or other body which, alone or jointly, with others, determines the purposes and means of the processing of personal data.'
California Privacy Laws: The CCPA and CPRA do not define the term 'data controllers' but instead refer to 'businesses'. Businesses are limited to sole proprietorships, partnerships, limited liability companies, corporations, associations or another legal entity that is organised or operated for profit, and doing business with California residents. This is coupled with a 'size minimum' of gross revenues in excess of $25,000,000, deriving 50% of its annual revenue from the sale of personal information, or buying, selling, or sharing for commercial purposes, the personal information of 100,000 or more consumers or households under the CPRA (NB: the CCPA only requires personal information of 50,000 individuals or households, which will change under the CPRA from 1 January 2023). Further, there are additional subsets including 'contractors' (who must have a contract with the entity collecting the information) and 'third parties' who are defined as any party aside from the business collecting the data, contractors, or service providers.

GDPR: The GDPR applies to data controllers and data processors who may be public bodies.
California Privacy Laws: The CCPA/CPRA do not apply to public bodies.

GDPR: The GDPR provides that it 'should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.'
California Privacy Laws: The CCPA and CPRA are limited solely to California residents and entities doing business in the state of California, while activities that occur wholly outside of California fall outside of the purview of the CCPA and CPRA.

1.2. Territorial scope

Fairly inconsistent

The CCPA and CPRA are similar to the GDPR in that they apply to entities with a presence within the respective territories. The GDPR, however, applies to natural persons regardless of their nationality, whereas the CCPA and CPRA are more limited in scope, applying solely to California residents and entities doing business in the state of California.

GDPR: Articles 3, 4, 11; Recitals 2, 14, 22-25
California Privacy Laws: Section 1798.145 of the CCPA

Similarities

GDPR: The GDPR applies to organisations that have presence in the EU. In particular under Article 3, the GDPR applies to entities or organisations established in the EU, notably entities that have an 'establishment' in the EU or if processing of personal data takes place in the context of the activities of that establishment, irrespective of whether the data processing takes place in the EU or not.
California Privacy Laws: The CCPA and CPRA apply to entities that do business in the state of California. While not expressly defined within the CCPA, this could include: (i) having registered to do business with the Secretary of State; (ii) being subject to court jurisdiction; or (iii) active engagement with any transaction for financial gain or profit.

Differences

GDPR: In relation to extraterritorial scope, the GDPR applies to the processing activities of data controllers and data processors that do not have any presence in the EU, where processing activities are related to the offering of goods, or services to individuals in the EU, or to the monitoring of the behaviour of individuals in the EU.
California Privacy Laws: The CCPA and CPRA are limited solely to California residents and entities doing business in the state of California, while activities that occur wholly outside of California fall outside of the purview of the CCPA and CPRA.
1.3. Material scope

Fairly consistent

As it pertains to the material scope, the CCPA and CPRA generally apply to the same information and categories of information as with the GDPR. While the GDPR applies to activities involving the processing of personal data by either automated or non-automated means where the data in question is part of a filing system, the CCPA/CPRA do not delineate in the same way. Instead, the CCPA/CPRA apply with respect to obligations around 'collecting', 'selling', or 'sharing' of personal information.

GDPR: Articles 2-4, 9, 26; Recitals 15-21, 26
California Privacy Laws: Sections 1798.105, 1798.140, and 1798.145 of the CCPA; Section 14 of the CPRA

Similarities

GDPR: The GDPR defines 'personal data' as 'any information' that directly or indirectly relates to an identified or identifiable individual. The GDPR does not apply to the personal data of deceased persons.
California Privacy Laws: The CCPA and CPRA define 'personal information' as anything that could be linked, directly or indirectly, with a particular consumer or household.

GDPR: The GDPR defines special categories of personal data as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. The GDPR also provides specific requirements for its processing.
California Privacy Laws: The CCPA, as amended by the CPRA, includes special categories of personal information, 'sensitive personal information'. This includes social security information, drivers' licenses, login information, credit card number, precise geolocation, racial or ethnic origin, the contents of email and text, as well as genetic data.

GDPR: The GDPR excludes from its application the processing of personal data by individuals for purely personal or household purposes. This is data processing that has 'no connection to a professional or commercial activity.'
California Privacy Laws: The CCPA applies to businesses that are collecting information and operating for profit. As such, non-profit entities generally would be exempt from the CCPA.

GDPR: The GDPR excludes from its application data processing in the context of law enforcement or national security.
California Privacy Laws: The CCPA and CPRA permit businesses to perform activities to comply with laws, law enforcement and civil, criminal, or regulatory actions.

GDPR: The GDPR provides requirements for specific processing situations including processing for journalistic purposes and academic, artistic or literary expression.
California Privacy Laws: The CCPA and CPRA provide exceptions for processing related to public or peer-reviewed scientific, historical, or statistical research in the public interests.

GDPR: The GDPR excludes anonymous data from its application, which is defined as information that does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
California Privacy Laws: The CCPA and CPRA exclude anonymised data, specifically any personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

GDPR: The GDPR applies to the processing of personal data by automated means or non-automated means if the data is part of a filing system.
California Privacy Laws: The CCPA and CPRA apply to the collection and use of personal data, and though 'processing' is not expressly defined, the CCPA and CPRA pertain to many similar activities.

Differences

GDPR: The GDPR applies to the 'processing' of personal data. The definition of 'processing' covers 'any operation' performed on personal data 'such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.'
California Privacy Laws: The CCPA/CPRA are not limited in their applicability to information collected electronically or over the internet, but apply to the collection and sale of all personal information collected by a business from consumers.
2. Key definitions

2.1. Personal data

The GDPR, CCPA and CPRA refer to 'personal data' and 'personal information' respectively, both of which are broadly defined.

Under the CCPA and CPRA, the definition of 'personal information' provides practical examples of what information that relates to an identified or identifiable person could mean. For example, the definition refers to information relating to both individuals and households. The GDPR on the other hand only explicitly refers to individuals to whom its requirements will relate provided they are identifiable, in accordance with the definition of 'personal data'.

Moreover, while the GDPR expressly defines sensitive data as special categories of data, the CCPA provides for a definition of 'biometric data', which includes elements of the GDPR's definition of special categories of data, such as DNA, fingerprints, and iris scans. Both the GDPR and the CCPA/CPRA provide for increased requirements when businesses process such categories of data.

However, one notable difference is that while the GDPR protects data related to health to a higher degree as it is considered one of the special categories of data, the CCPA excludes from its protection categories of medical information, as well as data related to health collected for clinical trials.

GDPR: Articles 4(1), 9; Recitals 26-30
California Privacy Laws: Section 1798.140(b), (o) and (v)(2) of the CCPA; Section 14 of the CPRA

Similarities

GDPR: The GDPR defines 'personal data' as 'any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.'
California Privacy Laws: The CCPA and CPRA define 'personal information' as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
• identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers;
• any personal information described in Section 1798.80(e) of the CCPA;
• characteristics of protected classifications under California or federal law;
• commercial information, including records of personal property, products or services
• internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement;
• geolocation data;
• audio, electronic, visual, thermal, olfactory, or similar information;
• professional or employment-related information;
• education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act of 1974; and
• inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes.
'Personal information' under the CCPA does not include consumer information that is de-identified or aggregate consumer information. The CPRA will include in this definition of 'personal information' sensitive personal information as well.

GDPR: The GDPR defines special categories of personal data as data revealing a data subject's 'racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.'
California Privacy Laws: The CPRA defines 'sensitive personal information' as:
• personal information that reveals:
◦ a consumer's social security, driver's license, state identification card, or passport number;
◦ a consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
◦ a consumer's precise geolocation;
◦ a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership;
◦ the contents of a consumer's mail, email and text messages, unless the business is the intended recipient of the communication; and
◦ a consumer's genetic data;

GDPR: The GDPR specifies that online identifiers may be considered as personal data, such as IP addresses, cookie identifiers, and radio frequency identification tags.
California Privacy Laws: Personal information includes 'identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers'.

GDPR: The GDPR does not apply to 'anonymised' data, where the data can no longer be used to identify the data subject.
California Privacy Laws: The CCPA and CPRA exclude anonymised data, specifically any personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

Differences

GDPR: The GDPR does not contain a similar provision.
California Privacy Laws: Sensitive personal information that is publicly available is not considered 'sensitive personal information' or 'personal information'. Personal information also does not include deidentified or aggregate consumer information.
2.2. Pseudonymisation

Fairly consistent

Under the GDPR and the CCPA/CPRA, the definitions of pseudonymisation are fairly similar, defining it as the processing of personal data or information in a way that the data or information cannot be attributed to an identified or identifiable person without using additional information, as well as requiring that any such additional information is kept separately and secured.

GDPR: Articles 4(5), 11; Recitals 26, 29
California Privacy Laws: Sections 1798.140(r), and 1798.145(k) of the CCPA; Section 14 of the CPRA

2.3. Controllers and processors

Fairly consistent

The term 'businesses' under the CCPA/CPRA bears similarity with the GDPR's 'data controllers', where both are responsible for complying with specific obligations with respect to their processing of data. However, one difference is that the GDPR places more responsibility and detailed obligations on 'data processors' which process personal data on behalf of data controllers, compared to the comparable 'service providers' under the CCPA/CPRA.

With respect to having contracts in place to regulate this relationship between data controller and data processors or businesses and service providers, the GDPR provides for detailed contract requirements to be in place. Similarly, the CCPA/CPRA also requires that a written contract be in place to regulate the disclosure of personal information to service providers.

Similarities

GDPR: Data controllers must comply with the purpose limitation and accuracy principles, and rectify a data subject's personal data if it is inaccurate or incomplete.
California Privacy Laws: The CPRA will amend the CCPA to require businesses to comply with consumers' requests to rectify their personal information, and are required to rectify any inaccurate or incomplete information.

GDPR: Data controllers must implement technical and organisational security measures, and notify supervisory authorities of data breaches.
California Privacy Laws: Under the CPRA, a business that collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information.

GDPR: The GDPR stipulates that data controllers and data processors keep records of processing activities and provides an exception from this obligation for small organisations.
California Privacy Laws: Under the CPRA, the newly established CPPA will issue regulations specifying record keeping requirements for businesses.

GDPR: The GDPR provides that where processing is to be carried out on behalf of a controller, the controller shall use only data processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. In addition, the data processor shall not engage another data processor without prior specific or general written authorisation of the controller.
California Privacy Laws: Businesses also have certain disclosure requirements when collecting or selling personal data, and are required to disclose consumer's personal information for a business purpose pursuant to a written contract. The CPRA stipulates that the business shall enter into an agreement with a service provider that obligates it to comply with applicable obligations under the CPRA and to provide the same level of privacy protection as is required by the law. Moreover, the agreement shall grant the business rights to take reasonable and appropriate steps to help to ensure that the service provider uses the personal information transferred in a manner consistent with the business's obligations under the CPRA. In addition, the service provider shall not engage another subprocessor without notifying the business of such engagement, and the engagement shall be pursuant to a written contract binding the other person to observe all the requirements set forth.

Differences

GDPR: The GDPR provides that a data controller or data processors conduct Data Protection Impact Assessments ('DPIAs') in certain circumstances.
California Privacy Laws: Although the CCPA and CPRA do not explicitly refer to 'DPIAs', the CPRA allows regulation on the matter to require businesses to conduct risk assessments in certain circumstances on an annual basis.

GDPR: Data controllers based outside the EU and involved in certain forms of processing, with exceptions based on the scale of processing and type of data, are obliged to designate a representative based within the EU in writing.
California Privacy Laws: The CCPA and CPRA do not include mandatory provisions on designating a representative based in California for a business based outside of the State.

GDPR: The GDPR provides for the designation of a data protection officer ('DPO') by data controllers or data processors and defines the role of a DPO (see section 4.4.).
California Privacy Laws: The CCPA and CPRA do not specify an obligation to appoint a DPO.
2.4. Children

Fairly inconsistent

While both the GDPR and the CCPA/CPRA have rules specific to the protection of children, their provisions differ in scope. The GDPR contains provisions which require special protection for children, but also provides specific provisions for protecting children's personal data with respect to processing for the provision of information society services. Contrastingly, while the CCPA also creates a special rule for children with regard to the selling and sharing of their data, it does not limit this rule to information society services. However, it should be noted that being a part of the US, the CCPA has some overlap with the federal Children's Online Privacy Protection Act of 1998 ('COPPA').

Regarding the age of consent of children, under the GDPR parental or guardian consent on behalf of children under the age of 16 is required, with Member States being permitted to lower this age requirement to 13. Contrastingly, the CCPA and CPRA introduce an opt-in requirement for the selling and sharing of personal information of minors under 16 years old, while parents or legal guardians are required to opt in for minors at least 13 and under 16.

Additionally, while the GDPR allows for other lawful grounds other than consent for the processing of children's data, the CCPA provides that the sale of personal information is only permitted on the basis of consent.

Similarities

GDPR: The GDPR does not define 'child' nor 'children.'
California Privacy Laws: The CCPA and CPRA do not define 'child' nor 'children'. However, the CCPA provides for opt-in rights for minors under the age of 16.

GDPR: Where the processing is based on consent, the consent of a parent or guardian is required for providing information society services to a child below the age of 16. EU Member States can lower this age limit to 13.
California Privacy Laws: Businesses must have opt-in consent to sell or share the personal information of consumers under the age of 16 if they have actual knowledge that a consumer is under the age of 16. For consumers at least 13 years of age and less than 16 years of age, the child's parent or guardian must affirmatively authorise the sale or sharing of the child's personal information. A business that willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age.

Differences

GDPR: The GDPR considers children as 'vulnerable natural persons' that merit specific protection with regard to their personal data. In particular, specific protection should be given when children's personal data is used for marketing or collected for information society services offered directly to a child.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.

GDPR: When any information is addressed specifically to a child, controllers must take appropriate measures to provide information relating to processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language, that the child can easily understand.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.

GDPR: The GDPR provides that data controllers are required to make reasonable efforts to verify that consent is given or authorised by a parent or guardian.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.

GDPR: The GDPR does not explicitly outline an exception for actual knowledge of a child's age.
California Privacy Laws: The CCPA provides for an exception for businesses that did not have actual knowledge of a child's age.
2.5. Research

Fairly consistent

Under the GDPR, specific provisions regulate the processing of personal data for 'historical or scientific research', and for processing for 'statistical purposes'. Moreover, exceptions in this regard are also provided for under the GDPR, which include specific requirements regarding the lawful basis for processing, as well as a specific exception to the right of erasure. Member States are also permitted to implement derogations from the rights of the data subject where personal data is processed for scientific or historical research purposes.

The CCPA and CPRA also define research broadly, outlining that the processing of consumer data obtained in the course of providing a service can be further processed for research purposes, as this may be considered compatible with the initial business purpose for the processing of the data. However, and unlike the GDPR, the CCPA/CPRA do not have or provide for an overarching principle of purpose limitation that would limit the purposes for which a business can use personal information.

The GDPR also requires that controllers have in place technical and organisational measures for the processing of personal data for research purposes. Similarly, the CCPA also requires that safeguards be put in place, but provides a detailed list of such measures.

Another difference between the laws is that the CCPA excludes clinical trials from its scope of application, while the GDPR does not.

GDPR: Articles 5(1)(b), 9(2)(j), 14(5), 17(3), 21(6), 89; Recitals 33, 159-161
California Privacy Laws: Sections 1798.105, 1798.140, 1798.145 of the CCPA; Sections 5 and 14 of the CPRA

Similarities

GDPR: Under the GDPR, where personal data are processed for research purposes, it is possible for Member States to derogate from some data subjects' rights, including the right to access, the right to rectification, the right to object and the right to restrict processing, insofar as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
California Privacy Laws: The CCPA provides that a business or a service provider shall not be required to comply with a consumer's request to delete their personal information if it is necessary to maintain this information in order to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest, when the business' deletion of the information is likely to render impossible or seriously impair the achievement of such research, and if the consumer has provided informed consent.

GDPR: According to the GDPR, the processing of sensitive data is not prohibited when 'necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.'
California Privacy Laws: According to the CCPA, processing is not prohibited when necessary for research. 'Research' is defined as scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health. The CPRA will introduce some amendments to this definition, defining 'research' as scientific analysis, systematic study and observation, including basic research or applied

GDPR: The GDPR provides that 'further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes'.
California Privacy Laws: The CCPA also imposes safeguards for research conducted on consumer information collected initially for other purposes. For example, the CCPA requires that:
• the personal information be subsequently pseudonymised and deidentified;
• should be made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain, other than as needed to support the research;
• should be made subject to business processes that specifically prohibit reidentification of the information and protected from any reidentification attempts;
• should be made subject to business processes to prevent inadvertent release of deidentified information;
• should be used solely for research purposes that are compatible with the context in which the personal information was collected; and
• should be subject to additional security controls that allow access to this information on an only need-to-know basis.

Differences
research that is designed to develop or contribute to
Under the GDPR, the processing of personal data for The CCPA/CPRA do not outline specific riles for the
public or scientific knowledge and that adheres or
research purposes is subject to specific rules (e.g. processing of personal data for research purposes. Regarding
otherwise conforms to all other applicable ethics and
with regard to the purpose limitation principle, right to the understanding of 'business purpose', undertaking
privacy laws, including but not limited to studies conducted
erasure, data minimisation and anonymisation etc.). internal research for technological development and
in the public interest in the area of public health.
demonstration is considered a business purpose.
The data subject has the right to object to the processing The CCPA provides that research with personal information that
The GDPR clarifies that the processing of personal data The CCPA excludes clinical trials from its scope of application.
of personal data for research purposes unless such may have been collected from a consumer in the course of the
for scientific research purposes should be interpreted The CPRA expands on this and provides that this applies
research purposes are for reasons of public interest. consumer's interactions with a business's service or device for
'in a broad manner including for example technological provided that such information is not sold or shared in a
other purposes is considered compatible with the business
development and demonstration, fundamental research, manner not permitted by the CCPA, and if it is inconsistent, that
purpose for which the personal information was collected.
applied research and privately funded research.' participants be informed of such use and provide consent.
22 23
3. Legal basis
Fairly inconsistent

To compare the GDPR with the CCPA and CPRA, it is important to note that processing under the GDPR is explicitly defined as operation(s) performed on personal data or sets of personal data, including 'collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, restriction or destruction', whereas the CCPA and CPRA do not explicitly reference collection.

Additionally, under the GDPR, processing of personal data is only considered to be lawful when one of the six legal grounds for processing under Article 6 is fulfilled, namely consent, the performance of a contract, compliance with a legal obligation, the protection of the data subject's vital interests, the public interest, and the legitimate interests pursued by the controller or by a third party. In contrast, the CCPA/CPRA do not outline a set list of grounds as legal bases for the processing of personal data, but provide for data subjects' rights to opt out of, or request the erasure of their data from, processing through to collection, sale, or disclosure of their personal data.

GDPR California Privacy Laws

Similarities (cont'd)

GDPR: The GDPR recognises consent as a legal basis to process personal data and includes specific information on how consent must be obtained and can be withdrawn.
California Privacy Laws: The CCPA and CPRA recognise consent as a legal basis. Specific information regarding consent is also listed, including an explicit prohibition on dark patterns.

GDPR: The GDPR defines consent as 'any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.'
California Privacy Laws: The CCPA and CPRA define consent as 'any freely given, specific, informed, and unambiguous indication of the consumer's wishes'.

GDPR: There are specific legal grounds for processing special categories of data, such as explicit consent.
California Privacy Laws: Regarding special categories of data, specific notices are required and there are restrictions on processing the information depending on its use.
24 25
GDPR California Privacy Laws

GDPR: The GDPR allows personal data to be transferred to a third country or international organisation that has an adequate level of protection as determined by the EU Commission.
California Privacy Laws: The CCPA/CPRA permit the transfer of information in the event that the recipient entity is obligated to provide the same level of privacy protection required under the Statute.

GDPR: One of the following legal grounds can be applied to the transfer of personal data abroad:
• prior consent;
• when a data subject has explicitly consented to the proposed transfer and acknowledged the possible risks of such transfer due to inadequate safeguards;
• when the transfer is necessary for the performance or conclusion of a contract;
• when the transfer is necessary for … either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
California Privacy Laws: The following legal grounds, among others, are applicable to the transfer of personal data, though they vary depending on the situation:
• consent;
• compliance with legal obligations that the business is subject to;
• engaging in public or peer-reviewed scientific, historical, or statistical interest; and
• exercise or defence of legal claims.

GDPR: The GDPR does not provide similar grounds as a legal basis for the transfer of personal data.
California Privacy Laws: The transfer of personal data can be justified through certain legal grounds, among others, although these may vary depending on the situation:
• when processing is necessary for a business purpose pursuant to the initial notice or reason for collection;
• debugging or identifying and repairing errors; and
• any internal lawful use in the same context in which the consumer provided the information.

Differences

GDPR: The GDPR specifies that a cross-border transfer is allowed based on international agreements for judicial cooperation.
California Privacy Laws: The CCPA/CPRA do not address cross-border transfers based on international agreements for judicial cooperation.
26 27
Global Regulatory Research Software
Build a global privacy program by comparing key legal frameworks against the GDPR.
40 In-House Legal Researchers, 500 Lawyers Across 300 Jurisdictions
CCPA | Russia | Thailand | Brazil | Japan | China and 20+ other global laws & frameworks
Monitor regulatory developments, mitigate risk, and achieve global compliance.
Understand and compare key provisions of the GDPR with relevant data protection laws from around the globe.
Scope Rights
Record maintenance is needed to cover any data which is collected, and the CCPA/CPRA require maintaining records for satisfying consumer requests, and that notices must be provided at the outset and prior to the collection of any data. Thus, although there are some inconsistencies with the GDPR around requirements to keep records, the laws are similar in the list of information that needs to be provided at the outset.

GDPR: Article 30; Recital 82
California Privacy Laws: Sections 1798.105, 1798.121, 1798.130, 1798.140, 1798.145 of the CCPA; Sections 5, 10, 12, 14, and 15 of the CPRA; Sections 999.312, 999.313, and 999.317 of the CCPA Regulations

Similarities

GDPR: Data controllers and data processors have an obligation to maintain a record of processing activities under their responsibility. The obligations in relation to data processing records are also imposed on the representatives of data controllers.
California Privacy Laws: Entities subject to the CCPA are required to maintain records of verifications of requests and to provide a general guideline of what information is collected. The business collecting and then disclosing or selling personal information is required to specify limitations on the information sold and to require that the recipients have in place systems whereby they can fulfil consumer requests.

GDPR: The record of processing kept by a data controller shall be in writing or electronic form.
California Privacy Laws: The CCPA requires that records of consumer requests are kept by the business satisfying such requests. However, neither the CCPA nor the CPRA explicitly addresses the form of the requests.

Differences

GDPR: The GDPR prescribes a list of information that a data controller must record:
• the name and contact details of the data controller;
• the purposes of the processing;
• a description of the categories of personal data;
• the categories of recipients to whom the personal data will be disclosed;
• the estimated period for erasure of the categories of data; and
• a general description of the technical and organisational security measures that have been adopted.
California Privacy Laws: The CCPA and CPRA require that the entity provides the following at the outset, prior to collection:
• contact information for the business to exercise rights, specifically two different methods, including a toll-free phone number;
• the categories of personal information collected;
• the purposes of the collection and processing; and
• specification of whether the information is sold or disclosed by the business.

GDPR: The GDPR prescribes a list of information that a data controller must record regarding international transfers of personal data, with the identification of third countries or international organisations, and the documentation of adopted suitable safeguards.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.

GDPR California Privacy Laws

Differences (cont'd)

GDPR: The requirements around data processing records shall not apply to an organisation with less than 250 employees, unless the processing:
• is likely to result in a risk to the rights and freedoms of data subjects;
• is not occasional; or
• includes special categories of data in Article 9(1) (e.g. religious beliefs, ethnic origin, etc.) or is personal data relating to criminal convictions and offences in Article 10.
California Privacy Laws: The CCPA and CPRA do not set a minimum employee number in order for businesses to be subjected to their provisions.

GDPR: The GDPR does not provide general requirements for registering with a supervisory authority.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.
30 31
4.3. Data protection impact assessment

GDPR California Privacy Laws

GDPR: A data controller is required to, where necessary, carry out a review to assess whether the processing of personal data is in accordance with the DPIA, particularly when there is a change in risks to processing operations.
California Privacy Laws: The CCPA does not contain a similar provision, although the CPRA will introduce certain requirements for risk assessments as detailed above.

GDPR: The GDPR provides that a DPIA must be conducted if a data controller utilises new technologies to process personal data.
California Privacy Laws: The CCPA does not contain a similar provision, although the CPRA will introduce certain requirements for risk assessments as detailed above.
32 33
4.4. Data protection officer appointment
Inconsistent

Unlike the GDPR, the concept of a DPO is not required specifically within the CCPA and CPRA, though there are requirements regarding the training of those parties handling consumer requests under the CCPA and CPRA. As a result, it should be noted that a DPO-like role may be necessary to satisfy the CCPA and CPRA's requirements regarding having trained individuals responsible for handling consumer inquiries.

GDPR: Articles 13-14, 37-39; Recital 97
California Privacy Laws: Section 999.317 of the CCPA Regulations

Similarities

GDPR: Not applicable.
California Privacy Laws: Not applicable.

Differences

GDPR: Under the GDPR, data controllers and data processors, including their representatives, are required to appoint a DPO in certain circumstances.
California Privacy Laws: The CCPA and CPRA do not include a requirement for businesses to appoint a DPO.

GDPR: The data controller and the data processor shall designate a DPO in any case where:
• the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
• the core activities of a data controller or data processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
• the core activities of the controller or the processor relate to a large scale of special categories of personal data (e.g. religious beliefs, ethnic origin, data required for the establishment, exercise, or defence of legal claims, etc.).
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.

GDPR: A group may appoint a single DPO who must be easily contactable by each establishment.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.

GDPR: The DPO shall perform a list of tasks including:
• to inform and advise the controller or the data processor and the employees who carry out processing of their obligations pursuant to the GDPR and to other Union or Member State data protection provisions;
• to monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the data controller or data processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; and
• to act as a contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.

GDPR California Privacy Laws

Differences (cont'd)

GDPR: The DPO shall be designated on the basis of professional qualities and expert knowledge of data protection law and practices.
California Privacy Laws: The CCPA and CPRA do not include a similar requirement. However, it is required that all individuals responsible for handling consumer inquiries regarding privacy practices or compliance with the CCPA and CPRA are informed of all the requirements in the CCPA and the CCPA Regulations thereunder.

GDPR: The DPO can be a staff member of the data controller or data processor, or can perform tasks based on a service contract.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.

GDPR: Contact details of the DPO must be included in the privacy notice for data subjects, and they must be communicated to the supervisory authority.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.

GDPR: Data subjects may contact the DPO with regard to the processing of their personal data as well as the exercising of their rights.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.

GDPR: The DPO must be provided with the resources necessary to carry out his or her obligations under the GDPR.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.

GDPR: The GDPR recognises the independence of DPOs.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.
34 35
4.5. Data security and data breaches
Fairly consistent

While the CCPA and CPRA do require businesses to adopt reasonable security measures, notices are covered under a separate provision under California law. While there are striking similarities between what is required under the GDPR and California's laws, California adopts a slightly less prescriptive approach to the requirements than the GDPR.

GDPR: Articles 5, 24, 32-34; Recitals 74-77, 83-88
California Privacy Laws: Sections 1798.100 and 1798.150 (in conjunction with Section 1798.82 of the Cal. Civ. Code); Sections 4, 14 and 16 of the CPRA; Sections 999.313, 999.317, 999.323, and 999.326 of the CCPA Regulations

Similarities

GDPR: The GDPR recognises integrity and confidentiality as fundamental principles of protection by stating that personal data must be processed in a manner that ensures appropriate security of the personal data.
California Privacy Laws: The CPRA recognises and provides a definition of 'security and integrity'. In addition, the CCPA and CPRA generally recognise privacy rights of consumers, providing various methods for them to exert control over their own information. As part of this, verification measures are implemented as part of consumer requests under the act.

GDPR: The GDPR states that data controllers and data processors are required to implement appropriate technical and organisational security measures to ensure that the processing of personal data complies with the obligations of the GDPR.
California Privacy Laws: The CCPA and CPRA require that reasonable security measures are enacted to ensure that information is adequately protected, including verification of consumer requests.

GDPR: In the case of a personal data breach, the data controller must notify the competent supervisory authority of the breach, unless the personal data breach is unlikely to result in a risk to the individuals' rights and freedoms.
California Privacy Laws: In the event of a data breach, the business is to notify the AG of the breach in the event that the notice needs to be submitted to over 500 California residents as a result of a single breach.

GDPR: The controller must notify the data subject of a data breach without undue delay if the data breach is likely to result in a high risk to the rights and freedoms of natural persons.
California Privacy Laws: The notice of a data breach to affected California residents is to be in the most expedient time possible and without unreasonable delay, but may be delayed due to requests by law enforcement.

GDPR: The GDPR provides a list of information that must be, at minimum, included in the notification of a personal data breach. For example, a notification must describe the nature of the breach, the approximate number of data subjects concerned, and the consequences of the breach.
California Privacy Laws: California has specific requirements as to what needs to be included within the data breach notification, including, at minimum:
• what happened;
• what information was involved;
• what the business is doing; and
• what the individual affected can do.

GDPR California Privacy Laws

Similarities (cont'd)

Differences

GDPR: Under the GDPR, a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of the breach.
California Privacy Laws: Notice under California law is determined by the number of affected persons. However, there is no prescribed timeline to notify the AG under California's data breach notification law.

GDPR: Under the GDPR, the obligation of data controllers to notify data subjects when the data breach is likely to result in a high risk to the rights and freedoms of natural persons is exempted in certain circumstances, such as where:
• appropriate technical and organisational protective measures have been implemented;
• any subsequent measures have been taken in order to ensure that the risks are no longer likely to materialise; or
• it would involve disproportionate effort.
California Privacy Laws: The CCPA/CPRA do not include similar provisions regarding exemptions.

GDPR: The GDPR provides a list of technical and organisational measures, where appropriate, that data controllers and data processors may implement, such as pseudonymisation, encryption and the ability to restore availability and access to personal data in a timely manner in the event of physical or technical incidents, to ensure integrity and confidentiality.
California Privacy Laws: Specific obligations regarding security have not been implemented. Ultimately, as 'reasonable security' can vary based on what information is collected and what information needs to be disclosed, the measure of the security will vary, and so solid guidelines or methods to determine what is 'reasonable' are unavailable.

GDPR: The GDPR states that data processors must notify the data controller without undue delay after becoming aware of the personal data breach.
California Privacy Laws: The CCPA/CPRA do not contain a similar requirement, and notices are covered under a separate provision under California law, specifically under Section 1798.82 of Title 1.81 of Part 4 of Division 3 of the Cal. Civ. Code.
36 37
4.6. Accountability
Fairly consistent

While the CCPA and CPRA do not specifically reference 'accountability' as a 'fundamental principle', as is the case with the GDPR, they do determine that the business entities responsible for requesting and processing the information are responsible for ensuring third parties acting on their behalf follow the CCPA and CPRA.

GDPR: The GDPR recognises accountability as a fundamental principle of data protection. Article 5 states that 'the data controller shall be responsible and able to demonstrate compliance with, paragraph 1 [accountability].' In addition, the principle can be taken to apply to several other principles as mentioned in other sections of this report, including the appointment of a DPO, and DPIAs.
California Privacy Laws: The CCPA and CPRA do not expressly recognise accountability, but do recognise that the primary entity collecting data is ultimately responsible for the obligations of following the CCPA and CPRA, including themselves and third parties acting on their behalf.

Differences

GDPR: The GDPR explicitly recognises accountability as a fundamental principle.
California Privacy Laws: There is no explicit provision regarding accountability.

5. Rights
Fairly consistent

5.1. Right to erasure

The right to erasure under the CCPA and CPRA is generally similar to that which is outlined under the GDPR, which should not be a major surprise as the inspiration for the provisions came from the general 'right to be forgotten' that emerged as part of the GDPR.

GDPR: Articles 12, 17; Recitals 59, 65-66
California Privacy Laws: Section 1798.105 of the CCPA; Sections 3 and 5 of the CPRA; Sections 1546 to 1546.4 of Chapter 3.6 of Title 12 of Part 2 of the California Penal Code ('the Penal Code')

Similarities

GDPR: The GDPR provides for a right to erasure which applies on specific grounds, such as where consent of the data subject is withdrawn and there is no other legal ground for processing, or the personal data is no longer necessary for the purpose for which it was collected.
California Privacy Laws: The CCPA and CPRA both provide for a consumer's right to delete personal information. A consumer has the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.

GDPR: The right can be exercised free of charge. There may be some instances, however, where a fee may be requested, notably when requests are unfounded, excessive, or have a repetitive character.
California Privacy Laws: There is no cost to making a request to delete personal information. However, the request must be verified as coming from the consumer.

GDPR: Data subjects must be informed that they have the right to request for their data to be deleted and are entitled to ask for their data to be erased.
California Privacy Laws: Consumers must be informed that they have a right to request deletion of their personal information.

GDPR: If the data controller has made personal data public and is obliged to erase the personal data, the data controller, taking into account the available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, such personal data.
California Privacy Laws: A business that has shared any personal information with outside sources must notify all service providers, contractors and third parties to whom the business has sold or shared personal information, to delete the consumer's personal information, unless this proves impossible or involves disproportionate efforts.
38 39
GDPR California Privacy Laws

GDPR: Exceptions to the right of erasure provided by the GDPR include:
• freedom of expression and freedom of information;
• complying with public interest purposes in the area of public health;
• establishment, exercise, or defence of legal claims; and
• complying with legal obligations for a public interest purpose.
California Privacy Laws: Exceptions to the right to deletion under both the CCPA and CPRA include the following scenarios:
• where the personal information is required to complete the transaction for which the personal information was provided;
• to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for those purposes;
• to debug, identify, and repair errors;
• exercising free speech;
• compliance with the California Electronic Communications Privacy Act under the Penal Code;
• engaging in scientific research;
• for solely internal uses at a business; and
• complying with a legal obligation.

GDPR: A request can be made in writing, orally, and through other means including electronic means where appropriate.
California Privacy Laws: A request can be made in writing, orally, and through other means or electronic means where appropriate.

GDPR: A data controller must have in place mechanisms to ensure that the request is made by the data subject whose personal data is to be deleted.
California Privacy Laws: The request must be a verified consumer request.

Differences

GDPR: Data subject requests under this right must be replied to without 'undue delay and in any event within one month from the receipt of request.' The deadline can be extended by two additional months taking into account the complexity and number of requests. In any case, the data subject must be informed of such extension within one month from the receipt of the request.
California Privacy Laws: As with other consumer requests, a request for deletion must be responded to, and information deleted, within 45 days, with an additional 45-day extension available, with notice to the consumer. Additionally, a business must acknowledge receipt of a request to delete within ten business days of receipt.

GDPR: The GDPR does not contain a similar provision or requirements.
California Privacy Laws: The business may maintain a confidential record of deletion requests solely for the purpose of preventing the personal information of a consumer who has submitted a deletion request from being sold, for compliance with laws, or for other permissible purposes.

GDPR California Privacy Laws

GDPR: The GDPR does not provide for a similar requirement.
California Privacy Laws: A service provider or contractor must cooperate with the business in responding to a request for deletion, delete any such requested personal information, and give notice to any additional service provider, contractor, or third party to whom the service provider or contractor has shared the consumer's personal information of their obligation to delete the personal information as well.

GDPR: The GDPR does not contain a similar provision or requirement.
California Privacy Laws: A service provider or contractor does not need to comply with a deletion request received directly from the consumer, to the extent that the service provider or contractor received the personal information directly from the business. Rather, the request should be made directly to the business as opposed to the service provider or contractor.
40 41
5.2. Right to be informed
Fairly consistent

Unlike the GDPR, the CCPA/CPRA do not explicitly refer to a 'right to be informed'. However, California has implemented various required disclosures which collectively create a 'right to know'. This includes many of the same aspects contained within the GDPR, giving consumers similar rights regarding their information.

GDPR: Articles 5-14, 47; Recitals 58-63
California Privacy Laws: Sections 1798.100, 1798.110, and 1798.115 of the CCPA; Sections 4 and 7 of the CPRA

Similarities

GDPR: Data subjects have the right to receive information on the following, among other things, at the time of collection where data is collected from them:
• the identity and the contact details of the controller or controller's representative;
• the contact details of the DPO;
• the purposes of the processing as well as the legal basis for the processing;
• any legitimate interests pursued by the controller or by a third party, if applicable;
• the recipients or categories of recipients of the personal data, if any;
• where applicable, the fact that the controller intends to transfer personal data to a third country and related information;
• the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
• the data subject's rights; and
• whether the provision of personal data is an obligation.
California Privacy Laws: Consumers have the right to know, and businesses who collect personal information must inform consumers, at or before the time of collection, of the following information about the personal information:
• the categories of personal information it has collected from consumers;
• under the CPRA, a business must also disclose categories of sensitive personal information collected;
• the categories of sources from which the personal information or sensitive personal information is collected;
• the business purpose for such collection, sharing, or selling;
• the categories of third parties to whom personal information or sensitive personal information is disclosed;
• that a consumer has the right to request the specific pieces of personal information collected; and
• the length of time that the business intends to retain each category of personal information and sensitive personal information.

GDPR: Information should be provided to data subjects in an easily accessible form with clear and plain language, which can be in writing and other means such as an electronic format.
California Privacy Laws: The responses must be in a readily useable format that allows the consumer to transmit the information to another entity without hindrance.

GDPR: A data controller cannot collect and process personal data for purposes other than the ones about which the data subjects were informed, unless the data controller provides them with further information.
California Privacy Laws: A business's collection, use, retention, and sharing of a consumer's personal information must be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, and not for undisclosed business purposes.

GDPR: The GDPR provides specific information that must be given to data subjects when their personal data has been collected from a third party, which includes the sources from which the data was collected.
California Privacy Laws: The CCPA and CPRA require businesses to provide categories of sources from which personal information is collected.

GDPR California Privacy Laws

Similarities (cont'd)

GDPR: Information relating to personal data processing (e.g. the purpose of the processing, the rights of data subjects, etc.) must be provided to data subjects by the data controller at the time when personal data is obtained.
California Privacy Laws: The CCPA and CPRA require transparency at the time of collection as to specific information regarding a consumer's personal information – including what will be collected, why, and with whom the personal information will be sold, shared, or disclosed.

Differences

GDPR: Data subjects must be informed of the existence of automated decision-making, including profiling, at the time when personal data is obtained.
California Privacy Laws: The CCPA/CPRA do not contain a similar requirement.

GDPR: Information can be provided to data subjects orally, in addition to in written form or by electronic means.
California Privacy Laws: The CCPA and CPRA only contemplate providing responses to consumer requests in a written or electronic format, not orally.

GDPR: The GDPR provides examples of circumstances which can be considered as 'legitimate interest.'
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.

GDPR: Data subjects must be informed of the possible consequences of a failure to provide personal data, whether in complying with statutory or contractual requirements, or a requirement necessary to enter into a contract.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.

GDPR: A data controller must inform data subjects of the existence or absence of an adequacy decision, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.

GDPR: In the case of indirect collection, a data controller must provide information relating to such collection to data subjects within a reasonable period after obtaining the data, but at the latest within one month, or at the time of the first communication with the data subject, or when personal data is first disclosed to the recipient.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision, but require, in the context of disclosure obligations for collecting and selling personal information, that businesses disclose, among other things, the categories of sources from which information is collected.
42 43
5.3. Right to object
Fairly consistent

Similar to the GDPR's broader right to object to any kind of processing of personal data, the CCPA and CPRA present a comparable right, namely allowing consumers to opt-out of the sale of their personal information. The CPRA would slightly extend this by requiring businesses to comply with a consumer's direction that a business limit use of sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer.

GDPR: Articles 7, 12, 18, 21
California Privacy Laws: Sections 1798.120 and 1798.121 of the CCPA; Sections 9 and 10 of the CPRA

Similarities

GDPR: Data subjects shall have the right to withdraw their consent to the processing of their personal data at any time.
California Privacy Laws: A consumer shall have the right to direct a business not to sell or share the personal information with a third party.

GDPR: The data subject has the right to be informed about the right to object.
California Privacy Laws: A consumer must be provided explicit notice that the consumer has the right to opt-out of the sale or sharing of their personal information.

GDPR: Upon the receipt of an objection request, a data controller shall no longer process the personal data unless an exception applies.
California Privacy Laws: Upon receiving direction from a consumer to not sell or share their personal information, a business is prohibited from selling or sharing the consumer's personal information after receipt of a do not sell/share request from the consumer, unless the consumer subsequently provides consent for the sale or sharing of personal information.

Differences

GDPR: The GDPR establishes a right to restrict processing where:
• the accuracy of the personal data is contested by the data subject;
• the processing is unlawful and the data subject opposes the erasure of the personal data;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject;
• pending the verification of whether the legitimate grounds of the controller override those of the data subject.
California Privacy Laws: The CCPA and CPRA do not establish similar provisions. However, the CPRA gives consumers the right to direct a business to limit its use of a consumer's sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer.

GDPR: The GDPR does not contain a similar provision.
California Privacy Laws: A business may not sell or share the personal information of a consumer less than 16 years of age, unless the consumer (when 13 and over) affirmatively authorises the sale or sharing of personal information. For consumers under the age of 13, express/affirmative parental consent is required to sell or share personal information.

GDPR: Under the GDPR, data subjects are provided with the right to object to the processing of their personal data in specific circumstances, although this right may be limited in certain circumstances:
• the processing of personal data is due to tasks carried out in the public interest or based on a legitimate interest pursued by the data controller or third party;
• the processing of personal data is for direct marketing purposes; and
• the processing of personal data is for scientific, historical research or statistical purposes.
California Privacy Laws: The CCPA and CPRA allow for businesses to ignore requests that would inhibit:
• completing transactions;
• detecting security incidents;
• conducting debugging;
• exercising free speech;
• complying with the California Electronic Communications Privacy Act;
• engaging in public or peer-reviewed scientific, historical, or statistical research (if the consumer has provided informed consent);
• enabling solely internal uses based on [...]
5.4. Right of access
Fairly consistent

The CCPA and CPRA give rights to consumers that are similar to, but distinct from, the GDPR's right to access. This includes disclosure rights that are granted to consumers, particularly with respect to businesses that collect personal data and businesses that sell personal data. Although similar, the laws differ slightly with respect to the procedures around responding to a consumer's request to access their data, and the CCPA/CPRA couple portability requirements with requests received electronically, while the GDPR carves this out as an independent right.

GDPR: Article 15; Recitals 59-64
California Privacy Laws: Sections 1798.110 and 1798.115 of the CCPA; Section 7 of the CPRA

Similarities

GDPR: The GDPR recognises that data subjects have the right to access their personal data that is processed by a data controller.
California Privacy Laws: The CCPA and CPRA both provide consumers with a right to know what personal information is being collected about them, as well as a right to access their personal information.

GDPR: The GDPR specifies that, when responding to an access request, the data controller must indicate the following information:
• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source; and
• the existence of automated decision-making, including profiling.
California Privacy Laws: Upon receipt of a verifiable consumer request, a business that collects personal information must disclose the following to a consumer:
• the categories of personal information being collected;
• the categories of sources from which the personal information is collected;
• the commercial purpose for collecting, selling, or sharing personal information;
• the categories of third parties to whom the business discloses personal information; and
• the specific pieces of personal information it has collected about that consumer.

GDPR: Data subjects must have a variety of means through which they can make their request, including orally and through electronic means. In addition, when a request is made through electronic means, a data controller should submit a response through the same means.
California Privacy Laws: The CCPA and CPRA generally require at least two methods of making a request, including through a toll-free number and online.

GDPR: The GDPR specifies that a data controller must have in place mechanisms for identity verification.
California Privacy Laws: The CCPA requires that businesses are able to verify consumer requests.

Differences

GDPR: The GDPR provides that the right of access must not adversely affect the rights or freedoms of others, including those related to trade secrets.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.

GDPR: A data controller can refuse to act on a request when it is [...]
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.

GDPR: The right to access can be exercised free of charge. There may be some instances where a fee may be requested, notably when the requests are unfounded, excessive, or have a repetitive character.
California Privacy Laws: Under the CCPA, businesses must respond to a consumer's request to access their data, and must deliver the data free of charge. There are no express requirements as to the possible imposition of charges.

GDPR: Data subjects' requests under this right must be replied to without 'undue delay and in any event within one month from the receipt of a request.' The deadline can be extended by two additional months taking into account the complexity and number of requests. In any case, the data subject must be informed of such an extension within one month from the receipt of a request.
California Privacy Laws: A business has 45 days to respond to a consumer request for access, which can be extended an additional 45 days upon notice to the consumer.
5.5. Right not to be subject to discrimination
Inconsistent

The GDPR does not explicitly address discrimination, although some of its provisions may be found to be based on this principle. However, the CCPA and CPRA do expressly address discrimination.

GDPR: Articles 5, 22; Recitals 39, 71-73
California Privacy Laws: Section 1798.125 of the CCPA

Similarities

GDPR: Not applicable.
California Privacy Laws: Not applicable.

Differences

GDPR: The GDPR does not explicitly address the right not to be subject to discrimination; therefore, no scope of implementation is defined.
California Privacy Laws: A business shall not discriminate against a consumer because a consumer exercised any of the consumer's rights under the CCPA or CPRA.

GDPR: The GDPR does not contain a similar provision.
California Privacy Laws: A business may not discriminate in any of the following ways:
• denying goods or services to the consumer;
• charging different prices or rates for goods/services;
• providing a different level or quality of goods or services to the consumer;
• suggesting that the consumer will receive a different rate, level, or quality of goods or services; or
• retaliating against any employee, applicant, or independent contractor for exercising their rights.

GDPR: The GDPR does not contain a similar provision.
California Privacy Laws: A business may offer financial incentives for the collection of personal information; and may offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is reasonably related to the value provided to the business by the consumer's data.

5.6. Right to data portability
Fairly consistent

Similar to the GDPR, the CCPA and CPRA provide for the right to data portability and outline specific format requirements.

GDPR: Articles 12, 20, 28; Recitals 68, 73
California Privacy Laws: Section 1798.130 of the CCPA; Section 12 of the CPRA

Similarities

GDPR: The GDPR provides individuals with the right to data portability.
California Privacy Laws: The CCPA and CPRA provide consumers with a right to data portability.

GDPR: The GDPR defines the right to data portability as the right to receive data processed on the basis of contract or consent and processed by automated means, in a 'structured, commonly used, and machine-readable format' and to transmit that data to another controller without hindrance.
California Privacy Laws: The business must provide any requested consumer data in a readily useable format that allows the consumer to transmit the information from one entity to another entity without hindrance.

GDPR: Anonymous data is not subject to the GDPR, and therefore to the right to data portability.
California Privacy Laws: The CCPA and CPRA do not specifically address anonymous data and there is no explicit requirement to provide this type of data to consumers.

Differences

GDPR: The GDPR does not explicitly limit the scope of the right to data portability to special categories of personal data.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.
6. Enforcement
Fairly inconsistent

Under both the GDPR and the CCPA/CPRA, monetary penalties can be issued for violations of the law. However, the penalties differ in terms of their nature, amount, and the procedure to be followed when issuing such penalties.

GDPR: Articles 83, 84; Recitals 148-149
California Privacy Laws: Section 1798.155 of the CCPA; Section 17 of the CPRA

Differences

GDPR: Fines may be issued directly by supervisory authorities.
California Privacy Laws: The CCPA, with some amendments from the CPRA, provides for the possibility of administrative fines to be issued. Additionally, the CCPA provides for a 30-day cure period for violations, under Section 1798.155 of the CCPA, which is removed by the CPRA under Section 17 of the CPRA.

California Privacy Laws: Any violation of the CCPA is assessed and recovered in a civil action brought by the CPPA.

GDPR: Depending on the violation that occurred, the penalty may be up to either: 2% of global annual turnover or €10 million, whichever is higher; or 4% of global annual turnover or €20 million, whichever is higher.
California Privacy Laws: The CCPA does not provide for a maximum penalty amount that can result from the imposition of several penalties for each violation. Depending on the violation, the penalty that can be issued may be up to $2,500 for each violation; [...]
6.2. Supervisory authority
Fairly consistent

An authority to supervise the application of the law and to assist organisations in their understanding and compliance efforts is provided for by both the GDPR and the CCPA/CPRA. However, the two designated supervisory authorities, the AG acting in conjunction with the CPPA as well as the EU's national data protection authorities under the CCPA/CPRA and the GDPR respectively, have different powers with respect to investigatory actions and enforcement.

Moreover, it is important to note that the EU's national data protection authorities form part of the European Data Protection Board, which ensures the consistent application of the GDPR across Europe.

GDPR: Articles 51-84; Recitals 117-140
California Privacy Laws: Sections 1798.155, 1798.185 of the CCPA; Section 24 of the CPRA

Similarities

GDPR: Under the GDPR, supervisory authorities have investigatory powers which include: (i) ordering a controller and processor to provide information required; (ii) conducting data protection audits; (iii) carrying out a review of certifications issued; and (iv) obtaining access to all personal data and to any premises.
California Privacy Laws: The AG and the CPPA have the power to initiate investigations and actions against alleged non-compliance from businesses. The CPRA provided for the creation of the CPPA, which acts as a supervisory authority responsible for enforcement of the CCPA and with full administrative power, authority, and jurisdiction.

GDPR: Under the GDPR, supervisory authorities have corrective powers which include: (i) issuing warnings and reprimands; (ii) imposing a temporary or definitive limitation including a ban on processing; (iii) ordering the rectification or erasure of personal data; and (iv) imposing administrative fines.
California Privacy Laws: Under the CPRA, the CPPA is tasked with the responsibility to administer, implement, and enforce the law through administrative actions. The CPPA further has corrective powers which include: (i) issuing cease and desists; and (ii) imposing administrative fines. It can also support this by issuing regulations which clarify compliance obligations.

GDPR: Under the GDPR, supervisory authorities shall also handle complaints lodged by data subjects.
California Privacy Laws: The CPPA may investigate possible violations of the CCPA.

GDPR: Under the GDPR, supervisory authorities are tasked with promoting public awareness and understanding of the risks, rules, safeguards and rights in relation to processing as well as promoting the awareness of controllers and processors of their obligations, amongst other tasks.
California Privacy Laws: Through the CPRA, the CPPA is further responsible for protecting the fundamental privacy rights of data subjects, promoting public awareness and understanding of risks, rules, safeguards, and rights in relation to the use of personal information, amongst other tasks.

Differences

GDPR: It is left to each Member State to establish a supervisory authority, and to determine the qualifications required to be a member, and the obligations related to the work, such as duration of term as well as conditions for reappointment.
California Privacy Laws: The AG and the CPPA have the power to assess a violation of the CCPA.

GDPR: Supervisory authorities may be subject to financial control only if it does not affect their independence. They have separate, public annual budgets, which may be part of the overall national budget.
California Privacy Laws: The monetary penalties collected through civil actions under the CCPA form the Consumer Privacy Fund, which funds the activities of the CPPA.

GDPR: The GDPR does not contain a similar provision.
California Privacy Laws: No administrative action brought under the CCPA will be commenced more than five years after the date on which the violation occurred.
6.3. Other remedies
Fairly inconsistent

Individuals are provided with a cause of action to seek damages for privacy violations under both the GDPR and the CCPA with its amendments by the CPRA. In addition, both laws allow for class or collective actions to be brought against organisations violating the laws.

However, unlike the GDPR, which allows for an action to be brought for any violation of the law, the CCPA is more restrictive and provides a cause of action only with regard to the failure of security measures and in the context of data breaches.

GDPR: Recitals 131, 146, 147, 149
California Privacy Laws: Section 16 of the CPRA

Similarities

GDPR: The GDPR provides individuals with a cause of action to seek compensation from a data controller and data processor for a violation of the GDPR.
California Privacy Laws: The CCPA and CPRA provide individuals with a cause of action to seek damages for violations of the law with regard to security measures violations and data breaches.

GDPR: Under the GDPR, the data subject has the right to lodge a complaint with the supervisory authority. The supervisory authority must inform the data subject of the progress and outcome of his or her complaint.
California Privacy Laws: As detailed above, the CCPA and CPRA provide consumers with a cause of action, where they can institute a civil action where their nonencrypted and nonredacted personal information is subject to an unauthorised access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices.

Differences

GDPR: The GDPR allows Member States to provide for the possibility for data subjects to give a mandate for representation to a not-for-profit body, association, or organisation that has as its statutory objective the protection of data subject rights.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.

GDPR: The GDPR does not contain a similar provision.
California Privacy Laws: Prior to initiating any action against a business for statutory damages on an individual or class-wide basis, businesses are provided 30 days' written notice including a reference to the alleged violation(s). If, within 30 days, no further violation is claimed, the violation is deemed to be 'cured', and no action is initiated.
[...] written statement provided to the consumer, the consumer may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement, as well as any other violation that postdates the written statement.
[...] established, and outlines that damages could be in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.

GDPR: The GDPR does not contain a similar provision.
California Privacy Laws: This remedy is only possible when non-encrypted and non-redacted personal information, or email addresses in combination with a password or security question and answer that would permit access to the account, is subject to an unauthorised access and exfiltration, theft, or disclosure as a result of the business's violation of its security obligations.

GDPR: The GDPR provides that a data controller or processor shall be exempt from liability to provide compensation if it proves that it is not in any way responsible for the event giving rise to the damage.
California Privacy Laws: The CCPA/CPRA do not contain a similar provision.
Businesses face significant challenges in aligning with both GDPR and CCPA/CPRA due to their overlapping yet distinct requirements. GDPR's rigorous standards on data processing and explicit consent clash with broader CCPA opt-out rights and the focus on data sales. Operational issues include differing response times for data requests, verification complexities, and disparate definitions of personal data. Legal challenges stem from cross-jurisdictional enforcement and maintaining compliance continuity in case of data breaches, necessitating integrated compliance frameworks.
The GDPR explicitly enforces the principle of data minimization, requiring data collection to be limited to what is necessary for specific purposes. While CCPA/CPRA do not explicitly mention data minimization, by allowing consumers to request the deletion of unnecessary data, they indirectly encourage its adoption. Organizations must implement comprehensive data auditing practices, ensuring minimal data collection and routine data purging protocols to maintain compliance, while also addressing varying consumer rights under each regulation to minimize liability.
GDPR treats biometric data that uniquely identifies a person as a special category necessitating explicit consent and safeguards. CCPA/CPRA include 'biometric information' within the broader category of sensitive personal information, extending to patterns like iris, fingerprint, and facial recognition, which necessitate similar protections. Industries using biometric technology must implement robust data protection measures and transparent consent practices to comply, posing increased compliance costs and technological adjustments.
GDPR requires personal data to be retained only as long as necessary for the purposes for which it was collected, with data subjects having the right to request erasure when this purpose no longer applies. CCPA/CPRA do not specify data retention periods but empower consumers to request deletion of personal data, indirectly challenging businesses to consider retention policies. This lack of explicit retention guidance in CCPA/CPRA contrasts with GDPR's more structured approach, compelling businesses operating under both frameworks to reconcile these differences in their policies.
Under both GDPR and CCPA/CPRA, anonymized data, where the data subject is no longer identifiable, is excluded from the scope of these regulations. This distinction means that once data is anonymized, businesses are not required to comply with the regulations' provisions on sensitive or personal data handling. Therefore, organizations may leverage anonymization as a tool for reducing compliance burdens while still utilizing data for analytical or research purposes.
Both GDPR and CCPA/CPRA recognize special categories of sensitive data that require additional protections. The GDPR defines special categories as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning health or sex life. In contrast, CCPA/CPRA encompass categories such as social security, driver's license, and account numbers, precise geolocation, racial or ethnic origin, and genetic data under the term 'sensitive personal information'. The GDPR offers higher protection for health-related data, whereas the CCPA specifically excludes medical information collected for clinical trials from such heightened protection.
While GDPR mandates that businesses inform data subjects about data usage practices and any data breaches affecting their data promptly, CCPA/CPRA focus on transparency by requiring businesses to disclose categories of personal information collected and their purposes, but do not explicitly prescribe immediate breach notification. Compliance requires businesses to maintain clear, accessible privacy notices and establish protocols for timely notifications in case of breaches, aligning with the stringent GDPR standards for international operations.
GDPR provides a broader 'right to object' to any data processing actions, allowing data subjects to stop further processing of their personal data unless a valid legal basis is provided by the controller. CCPA/CPRA focus specifically on the right to opt-out of the sale of personal information, with the CPRA extending this to limit the use of sensitive data to necessary purposes only. These rights compel businesses to establish procedures enabling consumers to exercise such options effectively, with potential legal implications for non-compliance including reputational damage and financial penalties.
CCPA/CPRA require businesses to provide at least two mechanisms, such as a toll-free number and an online form, to handle consumer requests for data access or deletion. These requests must be verified as legitimate. GDPR also mandates verification, allowing data controllers to refuse unreasonable requests, and sets specific timelines for response: one month from receipt, extendable by two months if needed. Both frameworks emphasize the importance of consumer verification but differ in response timeframes and the extensiveness of mechanisms provided for making requests.
The GDPR grants data subjects the right to erasure ('right to be forgotten') and requires data controllers to fulfill such requests unless exceptions apply, such as for freedom of expression, public health interests, or legal obligations. Under CCPA/CPRA, consumers also have a right to request the deletion of their personal information, with exceptions including business needs like completing transactions or legal compliance. Both frameworks necessitate verification of the requester's identity, but GDPR lays out specific timelines and procedures for data controllers to follow, whereas CCPA mandates businesses to notify third parties about deletion requests unless it proves impracticable.