GDPR, CPRA and CDPA Comparison Table

General Data Protection Regulations (GDPR) California Privacy Rights Act (CPRA) Virginia Consumer Data Protection Act  (CDPA)
DATA SUBJECT Data subject is the natural person which is identified or identifiable.(Art.4) Data subject is a consumer located in California. The data subject is a Virginia resident natural person acting for an individual or household only.
CONTROLLER The companies established within  the European Union are scope of the GDPR (Art. 3/1)  In some cases, although the data controller is not established within the Union, it is considered to carry out a data processing activity within the scope of the Regulation. ( Art.3/2-a,b) For-profit businesses that collect personal information from California residents, determines the purposes in California and meet any of the following:

  • Have a gross annual revenue of over $25 million;
  • Buy, sell, or share the personal information of 100,000 or more California residents or households; or
  • Derive 50% or more of their annual revenue from selling or sharing California residents’ personal information.
CDPA will apply to any entity that operates or conducts business in the state of Virginia, or those who offer products or services to its residents. If they meet any one of the following guidelines, they are required to comply with CDPA:

  • Process the personal data of at least 100,000 Virginia residents during a calendar year or
  • Control/process the personal data of at least 25,000 consumers  and d erive at least 50% of their annual gross revenue from the sale of personal data
PROCESSOR ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller Defined as the companies which is within scope of the Act. Defined as same as GDPR.
DEFINITION OF PERSONAL DATA ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly. Information that directly or indirectly identifies, relates, explains and can reasonably be associated with a particular consumer or household. Personal data is any information that is linked to or can be linked to an identifiable person.
SENSITIVE PERSONAL DATA Sensitive personal data is defined in GDPR.

It puts health data in the category of sensitive personal data and protects them specially and processes them only with express consent.

CPRA defines sensitive personal data as personal data that is  not publicly available.

The consumer’s race or ethnicity, religion or philosophical belief, health data, sexual orientation, genetic data, precise geographic location, biometric data collected to uniquely identify the consumer, the content of a consumer’s mail, email and text messages if the intended recipient of the communication is not a business Such data are special categories of personal data.

 

The opt out approach will be applied for sensitive personal data.

The consumer’s race or ethnicity, religious belief, mental or physical health diagnosis, sexual orientation or citizenship or immigration status

Genetic or biometric data,personal data of minors and precise geolocation define as sensitive personal data.

 

The consumer’s explicit consent must be taken to process personal data as in GDPR.

DEFINITION OF SELLING PERSONAL DATA Selling of personal data are not covered by the Regulation. There is no definition of  selling personal data in GDPR. It refers to the sale and sharing of personal data. In the sharing, the Company provides a benefit to the 3rd party with behavioral advertising, no monetary  gain is provided. It is the main difference between the definition of selling and sharing of personal data. [1][1] https://www.onetrust.com/blog/ccpa-vs-cpra-what-has-changed/ Selling of personal data is also defined in CDPA. It is defined similarly as the CPRA.
DATA SUBJECT RIGHTS Right to rectification,

Right to obtain information which personal data is processed,

Right to forgotten,

Right to restriction of processing,

Right to object,

Right to data portability

 

There is no right of opt out defined in GDPR. The data subject has right to withdraw his/her consent.

 

Requests of data subjects must be fulfilled without delay and in any case, within a maximum of 1 month from the receipt of the request.

Right to rectification,

Right to obtain information which personal data is processed,

Right to deletion,

Right to opt out from selling and sharing personal data,

Right to data portability

Right to request restriction of sharing and and using of sensitive personal data

 

If rights are exercised, companies must respond to the consumer within 45 days.

 

The consumer’s right of opt out is only arise in cases of selling and sharing of personal data. CPRA provide the right of opt out via a prominent link on the home page of the companies website that says “Do not sell my personal information”. CPRA gives consumers the right to opt out of selling and/or disclosing their personal information for commercial purposes. Therefore, exercising of opt out right is only stops the sale of personal data and not affect its use.

The consumer doesn’t need to create a profile/account on website for use his/her right of opt out.

Right to obtain information which personal data is processed, Right to rectification,

Right of deletion,

Right to obtain a copy of the personal data held by a covered entity,

Right of opt out of processing of personal data for targeted advertising purposes.

 

The opt out right is more expansive in CDPA. Consumers are given the right to opt out, not only in the case of sales, but also in profiling and personalized targeted advertising for the development of decisions that have a significant impact on the consumer, legally or similarly.[1]

 

 

A response to any appeal must be provided within 45 days.

[1] https://talkingtech.cliffordchance.com/en/data-cyber/data/virginia-s-consumer-data-privacy-act.html

OBLIGATIONS OF CONTROLLER The GDPR, unlike others, includes the appointment of a Data Protection Authority, the recording of processing activity and the special provisions for international transfers. Data controller has obligations such as; doing risk assessments, auditing of the cyber security systems, minimization of data (processing of adequate, relevant and necessary number of data of consumers), doing data protection assessments, determination of clear and understandable privacy policies, specifying in privacy policies if sensitive personal data will be processed, taking all necessary administrative and technical measures. Data controller has obligations such as; have a data protection assessment regarding high-risk processing, including targeted advertising, sales, profiling and sensitive data processing by the controllers,  make a clear and understandable privacy policies (as in GDPR), to specifically specify in privacy policies if sensitive personal data will be processed, providing cyber security systems that will provide adequate protection, regular inspections of these systems, obtaining explicit consent before processing sensitive personal data, and taking all necessary technical and administrative measures.
SUPERVISORY AUTHORITY It is the competent, independent data protection authority of each Union country. California Privacy Protection Agency-CPPA Virginia Attorney General
FINES 20 million Euro or up to %4 of annual revenue/turnover (which one is the most) Fines per violation is 2500$; fine per violation is 7500$ if the violation contains personal data of a minor. Fines per violation is 7500$