Legislative Updates

Understanding Privacy Legislation: CCPA, GDPR, and CPRA


Emptech's founder, Jeff Aleixo


Jeffrey Aleixo

Privacy legislation compliance CCPA CPRA GDPR

In November, Californians approved a ballot measure, Proposition 24, or the California Privacy Rights Act (CPRA) that puts California yet another step ahead of other states in terms of privacy legislation.

California already had a privacy law in place, the California Consumer Privacy Act (CCPA), adopted in 2018. This law went into effect in January 2020, and enforcement officially began in July 2020.

In addition to this, businesses need to comply with the European Union’s General Data Protection Regulation (GDPR) that went into effect in May 2018.

CCPA is one of the leading privacy laws in the US that protects consumers, but it was originally supposed to be more restrictive. However, the CPRA amendments to the CCPA implement a regulatory framework that is, in some respects, closely aligned with that of the GDPR. Therefore, with the passage of additional privacy legislation, businesses need to revise and update their compliance, or risk facing investigations and potential penalties.

Differences between CCPA and CPRA Compared to GDPR?

While the CPRA is based on many of the provisions of the CCPA, there are also differences between the two laws. Furthermore, several of the new CPRA provisions are based on GDPR principles, but it also contains unique elements that set it apart from any privacy legislation.


GDPR applies to any controller or processor that processes personal data in the context of an establishment in the European Union, offers goods and services to data subjects in the EU, or monitors the behavior of data subjects in the EU. Also, it can apply to organizations outside the borders of the EU if they meet any of the above criteria.

The CCPA applies to for-profit businesses that either have gross revenue greater than $25 million, or buy, sell or share personal information on over 50,000 consumers or households or devices. CCPA also encompasses businesses that derive 50% or more of their revenue from selling the personal information of consumers.

CPRA, on the other hand, defines businesses as those that buy, sell or share personal information on more than 100,000 consumers or households in contrast to the prior 50,000 thresholds. 

Sensitive Personal Information

The CCPA introduced one of the most comprehensive definitions of personal information of any U.S. privacy legislation. However, the CPRA adds the concept of sensitive personal information. This imposes stricter or additional obligations on businesses that collect, sell or share sensitive personal information, as opposed to just personal information.

Thus, the CPRA’s sensitive personal data categories are closer to the GDPR’s special categories of personal data, but also wider.

CCPA compliance is even more complex to achieve due to the COVID-19 pandemic. Find out how to respond to CCPA enforcement properly, and mitigate potential risks.

Consumer Rights

The GDPR provides data subjects with eight rights in respect of their personal data:

  1. The right to be informed;
  2. The right of subject access;
  3. The right to rectification;
  4. The right to be forgotten;
  5. The right to restriction of processing;
  6. The right to data portability;
  7. The right to object; and
  8. The right not to be subject to a decision based solely on automated processing.

While the CCPA provides consumers with similar rights, but with different exemptions and parameters, it does not include the right to rectification, to restrict processing, to reject automatic decision making, or to object to processing. The CPRA brings some changes to privacy legislation, as it includes an additional right for Californians to correct inaccurate personal information. This concept is similar to the GDPR’s right to rectification, which permits data subjects to rectify inaccurate personal data and to have incomplete personal data completed in some cases.

New Enforcement Agency

According to GDPR Article 51, each Member State has to establish a supervisory authority to oversee the application of the GDPR in that state. On the other hand, one of the biggest changes in the CPRA is the creation of the California Privacy Protection Agency.

The CCPA was enforced by the state’s Attorney General, who faced significant resource constraints. Under the CPRA, enforcement will be managed by a separate agency with full administrative power, authority, and jurisdiction. The law also creates a Chief Privacy Auditor to conduct audits of businesses.

Enhancing Privacy Legislation Compliance

Even though privacy legislation developments create additional obligations and responsibilities, similarities between CCPA, CPRA, and GDPR create an excellent opportunity for companies to become fully compliant. As businesses prepare for the CPRA and its provisions that will mainly become operative in 2023, they can turn to CCPA and GDPR for guidance.

It is necessary for businesses to determine if CPRA applies to them. Even if they were not subject to CCPA, they can be impacted by CPRA, and vice versa. Furthermore, if they are not covered by CPRA, businesses need to implement security frameworks, create appropriate policies, and keep data safe to prevent increasing fines. The best approach for meeting privacy legislation requirements is to integrate proper technology and ensure that businesses are current, compliant, and accessible. This allows them to simplify the process of detecting, reporting, and investigating potential breaches of personal information, as well as to respond to consumer requests promptly and in accordance with the law.

Ensure compliance with data protection laws with advanced and easy-to-use technology to prevent investigations and financially crippling fines.
The information contained within this document is general in nature and is not intended and should not be construed as legal, HR, or opinion by Emtpech. Please contact Emptech or another subject matter professional prior to acting on any information provided in this document. We recommend caution when contemplating acting on any information provided in this document as it may not be applicable or suitable for the specific viewer’s needs. Emptech assumes no obligation to update any viewer of any changes in law, rule, or regulation that could affect the information contained herein. Without express written permission from Emptech, no part of this document may be reproduced, retransmitted, or otherwise redistributed in any form or by any means, including, but not limited to photocopying, electronic, facsimile transmission, or using any other information storage and retrieval system.