GDPR vs CPRA: How California's Newest Law Compares
The CPRA (California Privacy Rights Act) amended and expanded the CCPA effective January 2023. While it brought California privacy law closer to GDPR standards by adding data minimization and purpose limitation principles, it still maintains the opt-out consent model. The CPRA also created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body.
| Feature | GDPR | CPRA |
|---|---|---|
| Geographic Scope | European Union and EEA member states | California, United States (effective January 2023) |
| Who It Applies To | Any organization processing EU residents' data | For-profit businesses meeting the CCPA thresholds, which now count sharing as well as selling of personal information |
| Consent Requirements | Opt-in: affirmative consent required before processing | Opt-out: consumers can opt out of sale and sharing of personal information |
| Cookie & Tracking Rules | Non-essential cookies require explicit prior consent | No specific cookie rules, but cross-context behavioral advertising triggers opt-out rights |
| Individual Rights | Access, rectification, erasure, portability, restriction, objection | Know, delete, correct, opt out of sale/sharing, limit use of sensitive personal information, portability |
| Maximum Penalties | Up to EUR 20 million or 4% of annual global turnover | Up to $7,500 per intentional violation, enforced by CPPA and AG |
| Enforcement Body | National Data Protection Authorities in each EU member state | California Privacy Protection Agency (CPPA) and California Attorney General |
Key Differences
The CPRA introduced several GDPR-like concepts to California law. It added data minimization requirements, meaning businesses should only collect personal information that is reasonably necessary for the disclosed purpose. It also introduced purpose limitation, requiring businesses to inform consumers about how long they will retain data and not use it beyond the original stated purpose.
A major change was the creation of the sensitive personal information category under CPRA. This includes Social Security numbers, financial account details, precise geolocation, racial or ethnic origin, and biometric data. Consumers can limit the use and disclosure of sensitive information. GDPR has a similar concept with its special categories of data, though the specific categories differ slightly.
The CPRA also established the California Privacy Protection Agency (CPPA), a dedicated regulatory body with rulemaking and enforcement authority. Previously, CCPA enforcement fell solely to the California Attorney General. GDPR enforcement is handled by Data Protection Authorities in each member state, many of which have existed for decades.
How Pryvii Helps
Pryvii detects whether your website meets the newer CPRA requirements, including checking for sensitive personal information disclosures, data retention policies, and the presence of opt-out links for both sale and sharing of personal information. It compares your site against both GDPR and CPRA standards in a single scan.
Frequently Asked Questions
How is the CPRA different from the CCPA?
The CPRA expanded the CCPA by adding data minimization and purpose limitation requirements, creating a sensitive personal information category, establishing the CPPA enforcement agency, adding correction rights, and extending opt-out rights to cover sharing of data for cross-context behavioral advertising.
Does CPRA compliance mean I am also GDPR compliant?
Not necessarily. While the CPRA moved closer to GDPR, it still uses an opt-out model rather than opt-in. GDPR requires explicit consent before data processing, has broader data subject rights, and applies different legal bases for processing. You need to address each regulation separately.
What counts as sensitive personal information under CPRA?
CPRA defines sensitive personal information as Social Security numbers, driver's license numbers, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, union membership, the contents of mail, email, and text messages, genetic data, biometric data, health information, and sexual orientation data.