Purpose limitation or data use limitations, under CCPA Section 1798.100, requires that businesses ensure that they limit the use of personal information (PI) to the purposes for which it was collected.
The GDPR provides more leeway when it comes to purpose limitation. GDPR Article 5 indicates that “further processing” may be permitted when the new purposes are “not… considered… incompatible with the initial purposes.”
Data Protection Impact Assessment (DPIA) is a requirement of GDPR Article 35 that compels businesses to assess the risk and impact of their processing activities.
While the CCPA does not require businesses to conduct a DPIA, the California Consumer Privacy Act (CPRA) under Section 1798.185(a)(15) requires businesses to perform an assessment on processing activities that may expose personal data to significant risks.
Notice at Collection, under CCPA Section 1798.100, is a transparency requirement that compels businesses to inform consumers, at or before the point of collection, about the category of personal information (PI) that they collect.
This requirement is similar to the “right to be informed” requirement under GDPR Article 13.