A Brief Overview of U.S. and EU Privacy Laws and How They Impact Your Business


GDPR and CPRA Explained

Beginning in 2016, governing bodies across the globe began to implement data privacy laws; the best known are the GDPR (the European Union's General Data Protection Regulation) and the CPRA (California Privacy Rights Act). The first of these was GDPR, adopted in 2016 and enforced since May 2018, which created a single set of data protection rules for all EU member states. CCPA (California Consumer Privacy Act), the precursor to CPRA, was passed in 2018 and took effect in January 2020; CPRA, approved by California voters in November 2020 and in effect since January 2023, extended the protections established under CCPA. These laws give consumers protections over their personal data similar to those of GDPR. Several other U.S. states have since passed comparable privacy laws, including Colorado, Connecticut, Utah, and Virginia. All of them seek to protect consumers' personal data and give them greater control over how it is used. Note that neither law is triggered simply by where your company is based: GDPR applies to any organization that offers goods or services to, or monitors the behavior of, people in the EU, and CPRA applies to for-profit businesses that collect California residents' personal information and meet one of its thresholds (roughly $25 million in annual revenue, buying, selling or sharing the personal information of 100,000 or more consumers or households, or earning half or more of revenue from selling or sharing personal information). If your website serves customers in these jurisdictions, you may be responsible for complying with CPRA or GDPR even if you don't think of yourself as "doing business" there.

CPRA is similar to GDPR in that it seeks to protect the privacy of individuals and their personal data, and gives users a legal right to have their data deleted (GDPR's "right to be forgotten"). Personal data is broadly defined as any information that can identify an individual, directly or indirectly: names, addresses, email addresses, phone numbers, bank details, medical information, and online identifiers such as IP addresses and cookie IDs. Some data is treated as "sensitive": under CPRA this includes Social Security and other government ID numbers, account credentials, precise geolocation, racial or ethnic origin, religious beliefs, health data, and sexual orientation; GDPR's "special categories" cover similar ground plus political opinions and trade-union membership. Children's data also gets extra protection: CPRA requires opt-in consent before selling or sharing the data of anyone under 16 and triples the per-violation fine when minors' data is involved. Both laws require businesses to tell people what is collected and why (in practice, the cookie notice), give individuals the right to access their data and have it deleted, and implement measures to secure the data. Where they differ most is in the consent model.

CPRA also has some key differences from GDPR. The most impactful to your business is how consent is collected. Both laws require a "clear and conspicuous" way for users to express their choice; in practice this is usually a banner shown before the rest of the site can be used. Under GDPR, non-essential cookies and trackers need the user's affirmative opt-in before anything is set, and silence, continued browsing or a pre-ticked box does not count as consent. CPRA, by contrast, lets you collect by default but requires a "Do Not Sell or Share My Personal Information" opt-out, and "sharing" explicitly includes disclosing data to a third party for cross-context behavioral advertising, such as building a remarketing audience in Google Ads. CPRA regulations also require you to honor browser-level opt-out preference signals such as Global Privacy Control. The two laws also differ in whom they protect: CPRA covers California residents, while GDPR covers anyone located in the EU when their data is collected, regardless of citizenship. Finally, GDPR restricts where data may go: personal data collected in the EU can be transferred outside the EU only under an approved mechanism, such as an adequacy decision for the destination country or Standard Contractual Clauses with the recipient, so storing EU visitors' data on a server outside the EU is something to verify with your provider, not assume.

CPRA also extends the coverage and penalties allowed under CCPA. For example, CPRA expands the definition of sensitive personal information beyond what CCPA covered, adds a right to correct inaccurate data, and establishes a new regulator, the California Privacy Protection Agency, to write rules and enforce them. CPRA also contains specific provisions on "sharing" personal data for cross-context behavioral advertising; GDPR addresses the same activity differently, through its consent requirement and the right to object to direct marketing and profiling. It's important to note that GDPR's reach is extraterritorial: it covers businesses located outside the EU that offer goods or services to, or monitor the behavior of, people in the EU. In other words, if your business collects, stores, or processes personal data of people in the EU, you must comply with GDPR regardless of where the business is located.

To comply with these privacy measures, businesses must take several steps. First, they must have a valid basis for collecting and processing personal data. Under GDPR that usually means freely given, specific, informed and unambiguous consent (explicit consent for sensitive data), although other lawful bases such as performing a contract or meeting a legal obligation can apply. Under CPRA it means a clear notice at the point of collection, an easy opt-out of selling or sharing, and opt-in consent for anyone under 16. Consent cannot be buried in lengthy terms and conditions, and withdrawing it must be as easy as giving it. The information provided to individuals must be transparent, comprehensive and accessible, and must state what data is being collected, why, how long it is kept, and any third parties it will be shared with.
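The opt-in versus opt-out difference and the consent-gating step above are easiest to see in code. The following is an added example written for this post, not Roots Analytics' product code: a small region-aware consent manager that defaults EU visitors to "nothing non-essential runs", defaults California visitors to "runs until they opt out", honors a Global Privacy Control signal as a CPRA opt-out, and decides which tags may load. The names EEA, REGIMES, regimeFor, ConsentManager, selectTags and the tag catalogue are assumptions for the example; it runs under Node or in a browser and needs no DOM.

```javascript
// Added example (not from the original post). All names below are illustrative.

// EEA = EU member states plus Iceland, Liechtenstein and Norway; GDPR applies
// throughout the EEA, so all of these get the opt-in regime.
const EEA = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
  'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES',
  'SE', 'IS', 'LI', 'NO',
]);

// Default state of each purpose before the visitor has answered the banner.
// gdpr: opt-in, so nothing non-essential runs until the user consents.
// cpra: opt-out, so selling/sharing purposes may run until the user objects.
const REGIMES = {
  gdpr: { analytics: false, marketing: false },
  cpra: { analytics: true,  marketing: true  },
  none: { analytics: true,  marketing: true  },
};

// Pick the regime from a geolocated country/region (e.g. from a CDN header).
function regimeFor(countryCode, regionCode) {
  if (EEA.has(countryCode)) return 'gdpr';
  if (countryCode === 'US' && regionCode === 'CA') return 'cpra';
  return 'none';
}

class ConsentManager {
  constructor(regime, { gpc = false } = {}) {
    this.regime = regime;
    this.choices = { ...REGIMES[regime] };
    // CPRA regulations require treating the Global Privacy Control signal
    // (navigator.globalPrivacyControl / Sec-GPC request header) as an
    // opt-out of selling/sharing, even before the banner is answered.
    if (regime === 'cpra' && gpc) this.choices.marketing = false;
  }

  // Record the visitor's banner response. Only explicit booleans change
  // anything; an unanswered banner leaves the regime's defaults in place,
  // which under GDPR means "no consent".
  record(choices) {
    for (const purpose of Object.keys(this.choices)) {
      if (typeof choices[purpose] === 'boolean') this.choices[purpose] = choices[purpose];
    }
  }

  // Withdrawal must be as easy as consent: one call turns everything off.
  withdraw() {
    for (const purpose of Object.keys(this.choices)) this.choices[purpose] = false;
  }

  allowed(purpose) {
    // Strictly necessary cookies (session, CSRF token) need no consent.
    if (purpose === 'necessary') return true;
    if (!(purpose in this.choices)) return false; // unknown purpose: deny
    return this.choices[purpose];
  }
}

// Return the ids of the tags that may be loaded right now.
function selectTags(cm, tags) {
  return tags.filter(t => cm.allowed(t.purpose)).map(t => t.id);
}

// Constructed tag catalogue for the example.
const TAGS = [
  { id: 'session-cookie',         purpose: 'necessary' },
  { id: 'web-analytics',          purpose: 'analytics' },
  { id: 'google-ads-remarketing', purpose: 'marketing' }, // a "share" under CPRA
];

// Demo: an EU visitor before and after accepting the banner.
const eu = new ConsentManager(regimeFor('DE'));
console.log('EU before consent:', selectTags(eu, TAGS));
eu.record({ analytics: true, marketing: true });
console.log('EU after consent: ', selectTags(eu, TAGS));

// Demo: a California visitor whose browser sends Global Privacy Control.
const ca = new ConsentManager(regimeFor('US', 'CA'), { gpc: true });
console.log('CA with GPC:      ', selectTags(ca, TAGS));
```

The design point is that the *default* is what differs between the two laws, not the banner: the same record/withdraw/allowed logic serves both, and the remarketing tag is the one that flips between regimes because it is a "share" under CPRA and a non-essential tracker under GDPR. In production the geolocation input and the stored choices would come from a CDN header and a first-party cookie respectively.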

Additionally, businesses must implement technical and organizational measures to protect personal data from unauthorized access, loss, alteration, or destruction. This includes encrypting data at rest and in transit, implementing access controls, and regularly testing the effectiveness of those controls. Businesses must also commit to data minimization, collecting only the data necessary for the stated purpose and keeping it no longer than needed, and must be able to act on individuals' rights, including the rights to access, rectify, and erase their personal data.

Non-compliance with either law can result in significant fines. The maximum GDPR penalty is 4% of a company's worldwide annual turnover or €20 million, whichever is higher. CPRA penalties are assessed per violation with no overall cap: up to $2,500 for each violation, or $7,500 for each intentional violation or violation involving a minor, so a misconfigured tag firing for every California visitor adds up quickly. CPRA also gives consumers a private right of action for data breaches caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident.

At Roots Analytics, we provide consent management options for both GDPR and CPRA. Beyond providing the means to stay compliant with both regulations, we monitor your compliance with them every 24 hours to ensure that your owned digital properties, like your website, are gathering and storing personal data as intended.

The impact of privacy regulations on businesses is significant, but it also provides opportunities. By collecting and processing data in a more transparent and secure way, businesses can build trust with their customers and improve relationships. Implementing privacy compliance measures can also help businesses to identify and address data security weaknesses, ultimately improving overall security measures, and benefitting the business as a whole.