The “right to be informed,” under GDPR Article 13, is a transparency requirement that compels businesses to inform data subjects, at the time of collection, about the personal data collected, the purpose for processing it, its retention period, and who it will be shared with.
A Data Protection Impact Assessment (DPIA) is a requirement of GDPR Article 35 that compels businesses to assess the risk and impact of their processing activities.
While the CCPA does not require businesses to conduct a DPIA, the California Consumer Privacy Act (CPRA) under Section 1798.185(a)(15) requires businesses to perform an assessment on processing activities that may expose personal data to significant risks.
Purpose limitation, or data use limitation, under CCPA Section 1798.100, requires businesses to limit the use of personal information (PI) to the purposes for which it was collected.
The GDPR provides more leeway when it comes to purpose limitation. GDPR Article 5 indicates that “further processing” may be permitted when the new purposes are “not… considered… incompatible with the initial purposes.”