March 4, 2021

Tevora Data Privacy Law Comparison: CCPA, CPRA, GDPR, and PIPEDA

When the European Union adopted the General Data Protection Regulation (GDPR) in April 2016, it established the gold standard for data privacy and security laws. Since its introduction, many other countries, including Canada, Japan, Brazil, and South Korea, have used GDPR as a model for their laws.

While the United States has not yet adopted an overarching federal data privacy and security law, California took the lead when it implemented the California Consumer Privacy Act (CCPA) in June 2018. CCPA adopted many important GDPR provisions but still left a significant gap with the European law.

In November 2020, California raised the bar again when voters approved Proposition 24, the California Privacy Rights Act (CPRA), which will take effect on January 1, 2023. CPRA makes major strides in closing the gap with GDPR. While there are provisions in GDPR that don’t exist in CPRA, and vice versa, the California and European laws now have a lot in common.

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) was implemented in April 2000 and amended in June 2015. While it does not set the privacy bar as high as GDPR, it does share many of GDPR’s core principles.

In this paper, we’ll compare what we feel are some of the most important provisions of these major North American and European data security laws.

In the case of the California laws, it’s important to note that any CCPA provisions that are not specifically amended with the introduction of CPRA will continue to apply after CPRA takes effect in January 2023.

The comparison below sets CCPA, CPRA, GDPR, and PIPEDA side by side. For each provision, the four laws are listed in that order.

Scope

Who does it apply to?

  CCPA: For-profit businesses that collect personal information from California residents and meet at least one of these criteria:
    - Gross annual revenue greater than $25 million.
    - Buy, receive, or sell the personal information of 50,000 or more California consumers, households, or devices.
    - Derive 50% or more of revenue from selling consumers’ personal information.
  Also applies to organizations that either:
    - Control or are controlled by a covered business.
    - Share common branding with a covered business, such as a shared name, service mark, or trademark.
  Some provisions apply to service providers and third parties.

  CPRA: For-profit businesses that collect personal information from California residents and meet at least one of these criteria:
    - Gross annual revenue greater than $25 million.
    - Buy, receive, or sell the personal information of 100,000 or more California consumers or households.
    - Derive 50% or more of revenue from selling or sharing consumers’ personal information (reference to “devices” removed).
  Joint ventures, which are defined as follows: “joint venture or partnership composed of businesses in which each business has at least a 40 percent interest.”

  GDPR: Data Processors and Data Controllers, established in the EU, that process personal data in the context of activities of the EU establishment, regardless of whether data processing takes place in the EU. Also applies to Data Controllers and Data Processors not established in the EU that process EU Data Subjects’ personal data in connection with offering goods or services in the EU, or monitoring their behavior.

  PIPEDA: Canadian private sector organizations that collect, use, or disclose personal information during the course of commercial activity. Organizations located outside of Canada if the organization’s activity has a real and substantial connection to Canada. Includes small businesses, non-profits, and charities that are conducting “commercial activity”. Includes businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities. PIPEDA applies across Canada, except in provinces where a substantially similar Data Protection law already exists.

When does/did the law become effective?

  CCPA: January 1, 2020.
  CPRA: January 1, 2023.
  GDPR: May 25, 2018.
  PIPEDA: January 1, 2004.

Who receives protections?

  CCPA: California consumers. Defined as California residents that are:
    - in California for other than a temporary or transitory purpose, or
    - domiciled in California but currently outside the State for temporary or transitory purposes.

  CPRA: Same as CCPA.

  GDPR: Individuals in the EU. Applies outside of the EU when a company sells products or services to individuals inside the EU or when EU individuals are targeted or monitored. Data Subjects are defined as identified or identifiable persons to which personal data relates.

  PIPEDA: Canadian consumers.

What information is protected?

  CCPA: Personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household. Excludes certain publicly available government records and certain information covered by other sector-specific legislation.

  CPRA: Same as CCPA.

  GDPR: Personal data that relates to an identified or identifiable Data Subject. Prohibits processing of defined special categories of personal data unless a lawful justification for processing applies.

  PIPEDA: Personal information (which may be factual, subjective, recorded or not) about an identifiable individual.

Consumer Rights

Right to access personal information

  CCPA: Consumers have the right to request disclosure of their personal information that has been collected by a business and how that information is being used. This right also applies to personal information a business has shared with third parties.

  CPRA: Consumers have the right to request information collected about them, including personal information collected more than 12 months prior to the request. This only applies to information collected after January 1, 2022.

  GDPR: Data Subjects have the right to know what personal information has been collected about them, including the right to receive a copy of this information. They can also request certain information about the Data Controllers’ processing of their personal information.

  PIPEDA: Consumers have the right to access their personal information as well as:
    - The purpose for which their personal information is being used.
    - The recipients to whom their personal information has been or will be disclosed.
    - The source of their personal information.

Right to data portability

  CCPA: In response to a disclosure request from a consumer, the business must provide personal information in a readily usable format to enable the consumer to transmit the information from one entity to another without hindrance.

  CPRA: Consumers have the right to request that their personal information be transferred to another entity. This right applies to the extent that it is technically feasible for the business to provide the information in a structured, commonly used, machine-readable format.

  GDPR: Data Subjects have the right to:
    - Receive a copy of personal data in a structured, commonly used, and machine-readable format.
    - Transmit the personal data to another Data Controller.
    - Instruct one Data Controller to transmit the personal data to another Data Controller.

  PIPEDA: N/A.

Right to deletion (a.k.a. “right to be forgotten”)

  CCPA: Consumers have the right to instruct a business to delete personal information the business has collected about them (some exceptions apply). Businesses must also have their service providers delete the data.

  CPRA: When requested by a consumer, businesses must notify third parties to delete consumer personal information bought or received.

  GDPR: Data Subjects have the right to request that their personal data be erased under certain circumstances. Data Controllers must also take reasonable steps to inform other Data Controllers that process the data.

  PIPEDA: N/A.

Right to correction

  CCPA: N/A.

  CPRA: Consumers have the right to instruct a business to correct any of their personal information held by the business if the information is incomplete or inaccurate.

  GDPR: Data Subjects have the right to request that inaccurate or incomplete information be corrected.

  PIPEDA: Individuals have the right to have their personal information amended (by the correction, deletion, or addition of information) when an individual successfully demonstrates the inaccuracy or incompleteness of their personal information.

Right to opt-out of automated decision making

  CCPA: N/A.

  CPRA: Consumers may opt out of the use of automated decision-making technology, including “profiling,” in connection with decisions related to their work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

  GDPR: Data Subjects have the right to not be subject to automated decision-making, including profiling.

  PIPEDA: N/A.

Requirements for Businesses and Organizations

Minors

  CCPA: Prohibits selling the personal information of a person under the age of 16 without consent. Children aged 13 to 16 can provide consent. Parents must provide consent for children under 13. Note: The federal Children’s Online Privacy Protection Act (COPPA) provides additional protections for minors.

  CPRA: Triples fines for violations involving personal information of children under the age of 16.

  GDPR: Default age of consent for use of personal information is 16. Member state laws may lower the age, but to no lower than 13. Parents must provide consent for children under the consent age. Children must be given an age-appropriate privacy notice. Heightened security requirements apply to children’s personal information.

  PIPEDA: Parents must provide consent for the collection, use, and disclosure of personal information of children under the age of 13.

Non-discrimination

  CCPA: Businesses must not discriminate against consumers that exercise their data privacy rights. Businesses may charge consumers differently to the extent that the difference reasonably relates to the value provided by the consumers’ data.

  CPRA: Expands anti-discrimination rights to include employees, applicants, and independent contractors.

  GDPR: Organizations must not discriminate against Data Subjects that exercise their data privacy rights.

  PIPEDA: N/A.

Obligation to respond to rights requests

  CCPA: A business must:
    - Comply with a verifiable consumer request.
    - Respond within 45 days (may be extended by 45 or 90 days in certain circumstances).
    - Inform the consumer of reasons for not taking action.
    - Not charge the consumer for providing requested information, unless the request is unfounded or excessive.

  CPRA: Maintains the response obligations set out in CCPA.

  GDPR: A Data Controller must:
    - Verify the identity of the Data Subject before responding.
    - Respond without undue delay, and within one month at the latest. May be extended for up to 2 more months if necessary (after notifying the Data Subject).
    - Provide reasons to the Data Subject in the event that the Data Controller does not comply with the request.

  PIPEDA: Organizations must respond within 30 days.

Sensitive personal information

  CCPA: No distinction made between personal information and sensitive personal information.

  CPRA: Defines a sub-category of personal information called Sensitive Personal Information. This sub-category is reserved for higher-risk, sensitive information about a person that could cause significant harm to the person if it were to be made public or fall into the wrong hands. Businesses must limit their use of sensitive personal information to that which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services. Consumers may instruct a business to limit the use and disclosure of their sensitive personal information for certain secondary purposes, including disclosure to third parties.

  GDPR: Defines a sub-category of personal information called Sensitive Personal Information. This sub-category is reserved for higher-risk, sensitive information about a person that could cause significant harm to the person if it were to be made public or fall into the wrong hands. Provides specific requirements for processing sensitive personal information.

  PIPEDA: Does not provide a definition of sensitive personal information, but does provide examples that include medical information, financial information, and work performance information. Imposes heightened levels of care for sensitive personal information.

Purpose limitation

  CCPA: N/A.

  CPRA: Businesses are required to limit the collection and use of personal information to that which is needed to achieve the disclosed purpose for which the information is being collected.

  GDPR: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

  PIPEDA: When collecting, using, and disclosing personal information, organizations must identify the purposes for which personal information is collected at or before the time of collection. Organizations must limit the collection and use of personal information to that which is necessary for the identified purposes.

Data minimization

  CCPA: N/A.

  CPRA: Businesses may not collect more personal information than is reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.

  GDPR: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

  PIPEDA: Organizations must collect and use the minimum amount of personal data necessary to achieve the disclosed purpose for which the personal information is needed.

Storage limitation

  CCPA: N/A.

  CPRA: Businesses must not retain personal information for longer than is “reasonably necessary” for each disclosed purpose. They must also disclose, at the time of collection, their retention periods for each category of PI or, if that is not possible, the criteria used to determine the retention period.

  GDPR: Personal data must be kept in a form that permits identification of Data Subjects for no longer than is necessary for the purpose for which the personal data are processed. Personal data may be stored for longer periods of time in certain situations, such as when used for archiving, scientific or historical research, or statistical purposes.

  PIPEDA: Personal information must only be retained as long as necessary for the fulfillment of the purposes behind the data processing.

Cybersecurity audit

  CCPA: N/A.

  CPRA: Businesses that process consumers’ personal information that presents a significant risk to consumer privacy or security must perform risk assessments on an annual basis.

  GDPR: N/A.

  PIPEDA: N/A.

Risk assessment / Data Processing Impact Assessment (DPIA)

  CCPA: Not required.

  CPRA: Businesses that process consumers’ personal information that presents a significant risk to consumer privacy or security must perform risk assessments on a regular basis. Risk assessments must be submitted to the newly created California Privacy Protection Agency (CPPA).

  GDPR: Businesses that perform processing likely to risk a Data Subject’s rights must perform DPIAs to identify risks on a regular basis.

  PIPEDA: N/A.

Enforcement and Penalties

Enforcement authority

  CCPA: Enforced by the California Attorney General.

  CPRA: The new California Privacy Protection Agency (CPPA) is given full administrative power, authority, and jurisdiction to implement and enforce CPRA.

  GDPR: The European Data Protection Board (EDPB) ensures uniform application of the GDPR rules across the EU. GDPR requires every European Union member state to designate a Data Protection Authority (DPA) with supervisory authority for enforcing GDPR within its jurisdiction.

  PIPEDA: Enforced by the Canadian Office of the Privacy Commissioner (OPC).

Penalties/fines

  CCPA:
    - $2,500 per unintentional violation.
    - Up to $7,500 per intentional violation.
    - No distinction between fines for violations related to a child’s personal information vs. an adult’s information.
    - Businesses have a 30-day cure period for identified violations before being fined.

  CPRA:
    - $2,500 per unintentional violation.
    - Up to $7,500 per intentional violation.
    - Fines for all violations related to the information of children under the age of 16 are $7,500 per violation, regardless of whether the violations are intentional or non-intentional.
    - Businesses no longer have a 30-day cure period before being fined for violations.

  GDPR: Administrative fines of up to EUR 20 million or 4% of annual global revenue, whichever is greatest. EU member states may impose penalties related to GDPR violations that are not subject to administrative fines.

  PIPEDA: Penalties of up to 100,000 Canadian Dollars. The amount of the penalty depends on the severity of the violation.

Terms

The following are terms defined in GDPR that may not be intuitively obvious to readers:

Data Subject

An individual meeting one or more of the following criteria:

  1. Located in the EU.
  2. Resident of the EU.
  3. Citizen of the EU.
  4. An EU Resident/Citizen Located Anywhere.
  5. Personal data is located in the EU.

Data Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data Processor

The natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

We Can Help

If you have questions about CCPA, CPRA, GDPR, or PIPEDA, or would like help implementing changes in your environment to ensure compliance with these important laws, Tevora’s team of data privacy and security specialists can help. Just give us a call at (833) 292-1609 or email us at sales@tevora.com.

Additional Materials

Privacy Tracker Tool

Top 10 Differences Between CCPA and Canada’s PIPEDA

The 8 Steps to CPRA Compliance

Christina Whiting is a Principal | Privacy, Enterprise Risk & Compliance at Tevora.

Adoriel Bethishou is an Associate Manager | Privacy at Tevora.