What do CPRA and GDPR have in Common?

At the beginning of this month the electorate of California voted to pass the California Privacy Rights Act (CPRA), legislation created to further extend the reach of the California Consumer Privacy Act (CCPA) that became enforceable earlier in 2020.

The passing of the CPRA into law allocates a number of new rights to Californian citizens including:

  • The right to correct personal information
  • The right to prevent the use of sensitive personal information
  • The right to opt out of personal information being shared to third parties

When the proposed amendments were released earlier in the year, California Attorney General Xavier Becerra said: “With these rules finalized, California breaks ground and leads the nation to protect and advance data privacy.”

Conveniently, for Californian-based companies that do business in the European Union, there are a number of key similarities between the CPRA and the European Union’s General Data Protection Regulation (GDPR), which became enforceable back in 2018. Essentially, ensuring that they adhere to GDPR will mean that they are also compliant with the CPRA. This makes compliance much easier to achieve on two fronts and also emphasizes the importance of referring to expert guidance and advice when implementing a strict compliance regime.

So what is the common ground between the CPRA and GDPR?

When the GDPR was initially passed into law it was envisaged that it would give EU citizens the right to enforce limits on the use of their personal data and ensure a standard level of security was available throughout the EU. It has been relatively successful and, despite coming in for some criticism for not being strict enough, a number of large fines have been sanctioned against large companies (including Google, Twitter and British Airways), as well as many other GDPR fines against much smaller companies.

The CPRA amendments to the CCPA that were passed will bring California’s data privacy regime more in line with that of GDPR on a number of fronts, including:

  • Similar to GDPR, the CPRA requires certain data minimization and retention standards. It states “a business shall not retain a consumer’s personal information . . . for longer than is reasonably necessary for that disclosed purpose.” GDPR forbids any company from holding personal data for “longer than is necessary for the purposes for which the personal data are processed.”
  • The CPRA introduces a Sensitive Personal Information (SPI) classification that is very similar to the tiers of GDPR personal information.
  • Both legislative acts give consumers the right to have incorrect personal details that companies hold about them corrected.
  • The CPRA creates the California Privacy Protection Agency (CPPA), which will take over from the Californian Department of Justice on matters related to data privacy and has “full administrative power, authority, and jurisdiction to implement and enforce the [CCPA].” This mirrors the GDPR obligation on every member state to designate a supervisory authority to police GDPR within that jurisdiction.

These similarities create an excellent opportunity for companies to become fully compliant with all the required legislative and regulatory requirements, either by using an external expert consultant or by hiring someone who is a specialist in data privacy. As the CCPA was amended into the CPRA to bring it more in line with GDPR, further developments like this are to be expected around the world.