January 12, 2021

8 Things California’s New CPRA Law Has in Common With GDPR

By Adoriel Bethishou

When the European Union adopted the General Data Protection Regulation (GDPR) in April 2016, they established the gold standard for data privacy and security laws. Since its introduction, many other countries, including Canada, Japan, Brazil, and South Korea, have used GDPR as a model for their laws.

While the United States has not yet adopted an overarching federal data privacy and security law, California took the lead when it implemented the California Consumer Privacy Act (CCPA) in June 2018. CCPA adopted many important GDPR provisions but still left a significant gap with the European law.

In November 2020, California raised the bar again when voters approved Proposition 24, the California Privacy Rights Act (CPRA), which will take effect on January 1, 2023. CPRA makes major strides in closing the gap with GDPR. While there are provisions in GDPR that don’t exist in CPRA—and visa verse—The California and European laws now have a lot in common.

We suggest you consider this increasing alignment of data privacy and security laws as you plan for enhancements. For example:

If your company has been considering separate projects to achieve compliance with CPRA and GDPR, you may want to do a combined CPRA/GDPR project that allows you to save time and money by implementing both at the same time.
If you are already compliant with GDPR, the effort to comply with CPRA might be smaller than you think.

In this section, we’ll review what we feel are the eight most significant ways in which CPRA has brought California’s data privacy and security laws into alignment with GDPR (we won’t cover areas that were already aligned under CCPA.)

1. Dedicated Enforcement Agency

Both laws grant authority for enforcement and imposing non-compliance fines to dedicated, standalone government organizations.
CPRA gives the new California Privacy Protection Agency (CPPA) full administrative power, authority, and jurisdiction to implement and enforce CPRA. This is a change from CCPA, which assigns a weaker role of “oversight” to the state attorney general.
GDPR requires every European Union member state to designate a Data Protection Authority (DPA) with supervisory authority for enforcing GDPR within their jurisdiction.

2. DPIA/Risk Assessment Required

Both laws require a Data Processing Impact Assessment (DPIA) or risk assessment to identify risks associated with the handling of personal information.
CPRA requires businesses that process consumers’ personal information that presents a significant risk to consumer privacy or security to perform risk assessments on a regular basis.
GDPR requires businesses that perform processing likely to risk a data subject’s rights to perform DPIAs to identify risks on a regular basis.

3. Sensitive Personal Information

Both laws define a sub-category of personal information called Sensitive Personal Information (SPI). This sub-category is reserved for higher-risk, sensitive information about a person that could cause significant harm to the person if it were to be made public or fall into the wrong hands.
Examples of SPI include social security number, driver’s license, financial account information, geolocation data, religious beliefs, genetic data, and health information.
SPI is subject to more stringent disclosure and purpose limitation requirements.

4. Data Minimization

Both laws include data minimization provisions that require organizations to limit the collection of personal information to that which is needed to achieve the disclosed purpose for which the information is being collected.
For example, an online pet food retailer would not be allowed to collect customer social security numbers unless this personal information was somehow needed for the purpose of selling pet food.

5. Purpose Limitation

Both laws limit the use of personal information to the disclosed purpose for which the data was collected.
For example, an online pet food retailer that collects customer address information for shipping purposes would not be allowed to sell this information to third parties that intend to use it for marketing purposes.

6. Storage Limitation

Both laws limit retention of personal information to only as long as is necessary for the disclosed purpose for which the data was collected.
For example, an online pet food retailer might not be allowed to retain a customer’s email information beyond the disclosed return timeframe.

7. Right to Correction

Both laws give consumers the right to instruct a business to correct any of their personal information held by the business if the information is incomplete or inaccurate in any way.

8. Right to Data Portability

Both Laws give consumers rights to instruct a business to transmit their personal information to another entity.
CPRA allows consumers to request that their personal information be transferred to another entity. This right applies to the extent that it is possible for the business to provide the information in a structured, commonly used, machine-readable format.
GDPR allows consumers to request that their personal information be transferred from one controller¹ to another, where technically feasible.

To ensure that your company is ready for CPRA and/or GDPR, it’s helpful to view the challenge through two lenses:

What changes do we need to make to our internal processes, policies, procedures, and systems?
What do we need to do to notify our customers and partners about the upcoming changes?

Here are the steps we recommend you take to bring your organization into compliance with CPRA and/or GDPR.

Conduct a thorough data mapping exercise to understand the types of data that your organization uses, how it is protected, and for what purposes it is used. Identify personal information that you consider to be “sensitive” (SPI). If you have already mapped your data, be sure to periodically refresh this mapping to make sure it stays current. Consider eliminating any personal information you are using that is either not needed or is creating more risk than the value it adds to your organization.
Update your processes, policies, procedures, and systems to comply with CPRA/GDPR requirements.
Update your privacy notice to align with CPRA/GDPR disclosure requirements.
Update your contracts with service providers, contractors, and third parties to ensure they include the required CPRA/GDPR provisions.
Conduct a privacy impact assessment.
For CPRA, conduct a thorough risk assessment that incorporates risks related to failure to comply with CPRA requirements. For GDPR, conduct a Data Processing Impact Assessment (DPIA), which is similar to a risk assessment but has some differences.
Engage a third party to conduct a cybersecurity audit if you feel that your use of consumer PI could present a significant risk to consumers’ privacy or security.
Adopt Privacy by Design principles as you develop new products and services.

Additional Materials

Here are additional Tevora materials that can help you gain a deeper understanding of CCPA, CPRA, and GDPR:

Stay tuned for our upcoming white paper that will provide a detailed comparison of CCPA, CPRA, GDPR, and Canada’s PIPEDA.

We Can Help

If you have questions about CPRA or GDPR, or would like help implementing changes in your environment to ensure compliance with either of these laws, Tevora’s team of data privacy and security specialists can help. Just give us a call at (833) 292-1609 or email us at sales@tevora.com. Take a look at our Privacy Tracker that helps you stay up to date with every privacy regulation.

About the Author

Adoriel Bethishou is a Senior Information Security Analyst at Tevora.

[1] The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.