Foundations
Key definitions and rights
GDPR and CPRA use specific terms to describe data, people, and organizations. Knowing these definitions, along with the rights they grant individuals, is critical to designing systems that comply with both laws.
Core Definitions
Personal Data (GDPR) / Personal Information (CPRA): Any information that can directly or indirectly identify an individual (e.g., name, email, IP address, geolocation).
Sensitive Data: Special categories requiring stronger protection, such as health, biometrics, race, financial details, or precise geolocation.
Data Subject (GDPR) / Consumer (CPRA): The individual whose data is being processed.
Controller (GDPR) / Business (CPRA): The entity that decides why and how personal data is processed.
Processor (GDPR) / Service Provider (CPRA): A third party that processes data on behalf of the controller/business.
Sub-Processor: A vendor or partner contracted by the processor/service provider to handle data.
Rights Under GDPR
Right of access
Right to rectification
Right to erasure (“right to be forgotten”)
Right to restrict processing
Right to data portability
Right to object
Rights related to automated decision-making and profiling
Rights Under CPRA
Right to know what personal information is collected
Right to delete personal information
Right to correct inaccurate data
Right to opt-out of selling or sharing personal information
Right to limit use of sensitive personal information
Right to non-discrimination for exercising privacy rights
Example: Customer Request
A California resident asks to see what data a company holds about them. Under CPRA, the company must provide access to the personal information it has collected about that person. If the request comes from an EU resident, GDPR requires the same access and additionally grants a right to data portability, so the user can transfer the data to another provider.
Quick Definitions & Rights Checklist
Understand whether you act as a controller/business or processor/service provider
Identify what counts as personal and sensitive data in your systems
Implement processes for users to exercise their rights
Ensure contracts with vendors reflect proper roles and responsibilities
Document how requests are logged and fulfilled
Conclusion
Clear definitions and enforceable rights form the backbone of GDPR and CPRA. By aligning internal understanding with these legal terms, companies can build processes that honor user rights, strengthen transparency, and avoid costly missteps.