WingNews logo WingNews
top | item 46875294

(no title)

buzer | 26 days ago

If you mean what they are planning to change (as part of the omnibus) there is report by NOYB https://noyb.eu/sites/default/files/2025-12/noyb%20Digital%2...

If you mean how CCPA/CPRA differs from GDPR there are lots of things. For example you are not entitled to know actual recipients of your data, only the categories. So you cannot really know who actually received your data which then prevents you from exercising your rights against those controllers (or covered entities in CPRA language). GDPR also requires companies to usually notify you if they receive your data as controller (though there are some exceptions), in reality that's not really happening though (e.g. how many payments processors or acquiring banks have notified you about your credit card payments?).

CPRA also allows selling your personal data if you do not opt-out, in GDPR that would generally require consent (except in certain situations where you can use legitimate interest as the basis). GDPR also regulates cross-border transfers a lot more closely as the idea is that the protections & rights travel with the data.

discuss

order

disgruntledphd2|25 days ago

> mpanies to usually notify you if they receive your data as controller (though there are some exceptions), in reality that's not really happening though (e.g. how many payments processors or acquiring banks have notified you about your credit card payments?).

Depending on why they received your data, they may not be allowed to tell you about this. The Bank Secrecy Act has had a lot of weird downstream consequences.

buzer|24 days ago

Sure, but that's in connection with SARs and such (which have legal obligations are around secrecy). What I mean are the "generic" credit card payments where payment processors & banks process the personal data for things like fraud detection. That's perfectly fine legitimate interest, but that doesn't absolve them from article 14 requirements as fraud prevention doesn't have such requirements around secrecy around the fact that it even exists. They can restrict some detailed information e.g. regarding algorithm itself by relying on trade secrets, but that is different from their obligation to inform data subject that they received the information.