Understanding CPRA: A Guide for Beginners

The California Privacy Rights Act (CPRA) is a data privacy law that was passed in California in November 2020 as an extension and expansion of the California Consumer Privacy Act (CCPA).

The CPRA introduces new privacy rights for consumers and additional obligations for businesses. The law is expected to go into effect on January 1, 2023.

Why Do We Need CPRA?

The CPRA came about to address some of the shortcomings of the CCPA and to provide Californians with more control over their personal data.

It aims to bring California’s data protection regulations more in line with the EU’s General Data Protection Regulation (GDPR).

CPRA strengthens the rights of consumers and introduces stricter obligations for businesses in handling personal data, thereby improving overall data protection.

How Does CPRA Affect Me?

If you’re a California resident, the CPRA offers you extended data protection rights. These include the right to correct inaccurate personal data, the right to opt out of automated decision-making technology in certain cases, and stronger protections for sensitive personal information.

If you’re a business that collects, processes, or sells the personal data of California residents and meets certain thresholds, you need to comply with the CPRA. It’s important to note that these obligations apply regardless of where your business is located, so long as you handle the data of California residents.

How Can I Stay Safe and Compliant?

If you’re a California resident, you should familiarize yourself with the new rights introduced by the CPRA. Ensure you exercise your data protection rights and be careful when providing personal data online.

If you’re a business, here are the steps you need to take to comply with the CPRA:

  1. Understand the scope of the CPRA: The CPRA introduces several new rights and obligations, so it’s important to familiarize yourself with them.
  2. Review and update your privacy policy: Make sure your privacy policy is up-to-date and clearly explains how you collect, use, and share personal data.
  3. Implement secure data practices: The CPRA requires businesses to implement reasonable security procedures and practices to protect personal data.
  4. Develop a process to respond to consumer rights requests: The CPRA strengthens consumer rights, including the right to access, delete, and correct their data. Businesses must be able to efficiently and effectively respond to these requests.
  5. Stay updated: The CPRA also establishes a new enforcement agency, the California Privacy Protection Agency (CPPA). Businesses should monitor updates from the CPPA for any changes to the regulations.

In Conclusion

The CPRA represents a significant step forward in the protection of consumer data rights in the United States. Whether you’re a consumer seeking to protect your personal data or a business needing to comply with these new regulations, understanding the CPRA and its implications is crucial.

CPRA FAQs for Beginners

  1. Q: Who does CPRA apply to?A: The CPRA applies to for-profit businesses that collect and process personal data of California residents and meet certain thresholds. This includes businesses with gross revenues over $25 million, those that buy, sell or share the personal information of 100,000 or more California residents or households, and those that derive 50% or more of their annual revenue from selling or sharing consumers’ personal information.
  2. Q: What types of personal data does CPRA protect?A: The CPRA protects personal information which is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
  3. Q: What are the penalties for non-compliance with CPRA?A: Under the CPRA, fines for violations involving minors under the age of 16 are tripled. For other violations, the California Attorney General can impose penalties up to $7,500 per violation.
  4. Q: What’s new in CPRA compared to CCPA?A: The CPRA introduces several new provisions, such as the creation of a dedicated enforcement agency (the CPPA), rights to correction, stronger rights to opt out of targeted advertising, and stricter consent requirements for sensitive personal information.
  5. Q: When does CPRA go into effect?A: The CPRA is expected to go into effect on January 1, 2023.

Understanding the GDPR: A Guide for Beginners

The General Data Protection Regulation, or GDPR, is a law that originated in the European Union (EU) and took effect on May 25, 2018.

It was designed to harmonize data privacy laws across all EU member states and to reshape how organizations worldwide approach data privacy.

The GDPR replaced the previous EU Data Protection Directive of 1995.

The key element of the GDPR is that it is built around the principle of privacy by default and by design. It requires organizations to handle personal data responsibly and transparently, providing individuals with significant control over their own information.

The GDPR applies to any business or organization worldwide that processes the personal data of EU residents.

Why Do We Need GDPR?

Before the GDPR, there was a patchwork of data protection laws across the EU, each with its own interpretations and implementations. These discrepancies made it difficult for companies to comply and for citizens to understand their rights.

The GDPR sought to provide a uniform set of rules to simplify the regulatory environment and bolster data protection.

With the advent of technology and the internet, our lives have increasingly moved online. This digital shift has allowed organizations to gather vast amounts of data about us. Such data, when mishandled or misused, can lead to significant privacy breaches.

The GDPR aims to protect against such threats by empowering individuals to control how their personal data is used.

How Does GDPR Affect Me?

If you’re an individual residing in the EU, the GDPR provides you with several rights:

  1. Right to be Informed: Organizations must tell you what data is being collected, how it’s being used, how long it will be kept, and whether it will be shared with any third parties.
  2. Right to Access: You have the right to request access to the data collected from you.
  3. Right to Rectification: You can request to have inaccurate data amended.
  4. Right to Erasure (or ‘Right to be Forgotten’): In certain circumstances, you can request for your data to be deleted.
  5. Right to Restrict Processing: You can ask to restrict the processing of your data.
  6. Right to Data Portability: You can ask for your data to be transferred to another organization or to you directly.
  7. Right to Object: You can object to the processing of your data for certain purposes, such as direct marketing.
  8. Rights Related to Automated Decision Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling.

If you’re a business, especially one operating within the EU or dealing with the personal data of EU citizens, you need to comply with these regulations or risk severe penalties. Businesses need to ensure they have adequate data handling and data protection measures in place.

  1. Table: GDPR Fines by Year (up to 2021)
    Year Number of Fines Total Value of Fines (€)
    2018 12 460,000
    2019 190 417,000,000
    2020 331 171,320,000
    2021* 265 273,830,000

    *Data for 2021 is up to September.

  2. Top 5 Countries by GDPR Fines (up to 2021)
    Country Number of Fines Total Value of Fines (€)
    Italy 68 69,328,716
    Germany 61 69,080,000
    France 23 54,431,300
    Spain 172 29,521,400
    UK 23 44,221,000
  3. Top 5 Violations Resulting in Fines (up to 2021)
    Violation Type Number of Fines
    Non-compliance with data subject rights 281
    Insufficient legal basis for data processing 215
    Insufficient technical and organizational measures to ensure data security 145
    Non-compliance with general data processing principles 105
    Data breach notification obligations 94

Please note that the numbers and fines are indicative and vary greatly by case. Also, the categories of violation types may differ slightly among sources.

How Can I Stay Safe and Compliant?

If you’re an individual, the key to staying safe is understanding your rights under GDPR and being proactive. Carefully read privacy policies and terms of service before sharing your personal data. Use the rights granted to you by the GDPR, such as the right to access, rectify, or erase your data.

If you’re a business, here are some steps you can take to comply with GDPR:

  1. Understand the Law: This might seem obvious, but understanding the nuances of the GDPR is crucial. Not all businesses are affected equally.
  2. Hire a Data Protection Officer (DPO): If you’re a public authority, or if your core activities require large-scale monitoring or processing of sensitive data, GDPR mandates the appointment of a DPO.
  3. Implement Data Protection by Design and Default: Incorporate data protection measures from the start of any system design, not as an addition.
  4. Conduct Data Protection Impact Assessments: If your business is involved in high-risk processing, you’re required to conduct a Data Protection Impact Assessment (DPIA).
  5. Maintain Documentation: Record your processing activities and maintain a clear policy on data retention periods.
  6. Be Prepared for Data Breaches: You must notify the appropriate supervisory authority of a data breach within 72 hours of becoming aware of it.
  7. Respect User Rights: Make sure systems are in place to respect the new user rights under GDPR, including the right to be forgotten and the right to data portability.

In Conclusion

The GDPR is not just another regulation. It represents a shift in how we view and handle data privacy.

By understanding the principles behind it and your rights and responsibilities under it, you can make the most of this law, whether you’re an individual wanting to protect your personal information or a business seeking to respect and protect your customers’ data.

  1. Q: What types of personal data does the GDPR protect?A: The GDPR protects any information that can be used to directly or indirectly identify a person. This can range from names and email addresses to more complex data like IP addresses, genetic data, or even mental, economic, cultural, or social identity information.
  2. Q: Who does GDPR apply to?A: The GDPR applies to all EU-based organizations, whether commercial business, charity, or public authority, that collect, store, or process the data of EU residents. It also applies to non-EU organizations that offer goods or services to, or monitor the behavior of, EU residents.
  3. Q: What is ‘processing’ in the context of GDPR?A: ‘Processing’ refers to any operation performed on personal data. It includes collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
  4. Q: What is the role of a Data Protection Officer (DPO)?A: A DPO ensures that an organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the GDPR. Their tasks include informing and advising the organization and its employees about their obligations, monitoring compliance, providing advice regarding data protection impact assessments, and cooperating with supervisory authorities.
  5. Q: What happens if a company doesn’t comply with the GDPR?A: Organizations can face hefty fines for GDPR non-compliance. These fines can be up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever is higher.
  6. Q: How does the ‘Right to be Forgotten’ work?A: The ‘Right to be Forgotten’ or the ‘Right to Erasure’ means that the data subject can request the deletion of their personal data from an organization’s records. The organization must comply unless there’s a legitimate reason for retaining the data, such as for compliance with a legal obligation or for reasons of public interest.
  7. Q: What is a Data Processing Agreement (DPA)?A: A DPA is a legally binding contract that states the rights and obligations of the data controller (the entity determining the purposes and means of processing data) and the data processor (the entity processing data on behalf of the controller) in terms of data processing. The GDPR requires a DPA whenever a data controller outsources data processing to an external data processor.
  8. Q: How does GDPR affect businesses outside of the EU?A: GDPR has a global reach. It applies to any organization, regardless of its location, that processes the personal data of EU residents. This means businesses outside the EU must also comply with GDPR if they offer goods or services to, or monitor the behavior of, EU residents.

I hope this deep-dive Q&A helps further your understanding of the GDPR.


YouTube’s Treasure Trove: A Deep Dive into the Personal Data Collected by YouTube

As one of the most popular video-sharing platforms globally, YouTube has managed to amass an incredible user base.

With over 2 billion logged-in monthly users, it comes as no surprise that the platform has also gathered an immense amount of personal data. But what kind of information does YouTube collect, and how is it used?

In this friendly-toned deep dive, we’ll explore the various types of data YouTube collects from its users and shed light on some examples.

Here’s a table that categorizes the data YouTube collects from its users and the level of sensitivity associated with each category:

Data Category Examples Level of Sensitivity
User-Provided Information Name, email address, phone number, date of birth High
Device Information Hardware model, operating system, unique device identifiers, mobile network information Medium
Usage Information Videos watched, search queries, video interactions (likes, dislikes, comments, shares, subscriptions), duration and frequency of visits, interaction with ads Medium
Location Information IP address, GPS data, device sensor data Medium
Cookies and Similar Technologies Language preferences, saved settings, browsing history Low

Please note that the level of sensitivity is subjective and may vary depending on individual perceptions and the context in which the data is used.

And if this scares you, maybe look into getting a VPN and protect your data – I use NordVPN, super cheap, super safe!

1: Types of Data Collected by YouTube

1.1 User-Provided Information When you create a YouTube account or use any Google services, you’ll typically provide some personal information such as your name, email address, phone number, and date of birth. This information allows YouTube to create and maintain your account, as well as provide you with a personalized experience.

1.2 Device Information YouTube collects data about the devices you use to access the platform, including hardware model, operating system, unique device identifiers, and mobile network information. This information helps YouTube optimize the user experience for different devices and provide relevant content based on your device’s capabilities.

1.3 Usage Information As you interact with YouTube, the platform collects information about your activity, such as:

  • Videos you watch
  • Your search queries
  • Your video interactions (likes, dislikes, comments, shares, and subscriptions)
  • The duration and frequency of your visits
  •  Your interaction with ads

This data enables YouTube to analyse trends, improve its services, and offer personalized content and recommendations.

1.4 Location Information YouTube may also gather information about your geographical location through various means, such as IP addresses, GPS, or other sensors in your device. This information is used to provide location-based services, such as localized content and targeted advertisements.

1.5 Cookies and Similar Technologies Like most websites, YouTube uses cookies and similar technologies to collect and store information about your preferences and interests. This allows the platform to remember your settings, such as language preferences, and provide a more seamless experience.

2: Examples of Personal Data Collected by YouTube

Here are some examples of the personal data YouTube may collect from its users:

Data Category Examples
User-Provided Information Name, email address, phone number, date of birth
Device Information Hardware model, operating system, unique device identifiers, mobile network information
Usage Information Videos watched, search queries, video interactions (likes, dislikes, comments, shares, subscriptions), duration and frequency of visits, interaction with ads
Location Information IP address, GPS data, device sensor data
Cookies and Similar Technologies Language preferences, saved settings, browsing history

3: How YouTube Uses Personal Data

3.1 Personalization and Recommendations YouTube uses the personal data it collects to provide you with a more personalized experience. This includes tailoring video recommendations based on your watch history, search queries, and video interactions. It also helps YouTube suggest relevant channels for you to subscribe to, ensuring you get content that matches your interests.

3.2 Targeted Advertising YouTube’s parent company, Google, generates a significant portion of its revenue from advertising. By collecting personal data, YouTube can provide targeted ads to its users based on their interests, location, and demographics. This approach makes the ads more relevant and useful, which benefits both users and advertisers.

3.3 Security and Fraud Prevention The personal data collected by YouTube also plays a crucial role in maintaining the platform’s security. By analyzing user activity and patterns, YouTube can identify and prevent potential security threats, such as hacking attempts or fraudulent activities.

3.4 Improving Services YouTube continually works on improving its platform and services. To do this effectively, it relies on the data collected from its users. By understanding user behavior, preferences, and trends, YouTube can make informed decisions on new features and optimizations.

3.5 Legal Compliance In some cases, YouTube may use personal data to comply with legal obligations, such as responding to lawful requests for information from law enforcement agencies or regulatory bodies.


YouTube’s vast user base and extensive data collection practices may seem overwhelming. However, understanding what personal data is collected and how it is used can help users make more informed decisions about their online privacy.

YouTube primarily collects data to enhance user experiences, provide targeted advertising, maintain security, improve its services, and comply with legal obligations.

As a user, it’s essential to be aware of the privacy settings available on YouTube and other online platforms.

You can manage your privacy settings and control the data you share by accessing your Google Account settings. Additionally, you can limit the information collected by using privacy-focused browsers, virtual private networks (VPNs), or even browsing YouTube in incognito mode.

In conclusion, while YouTube does collect a considerable amount of personal data, it’s crucial to understand that this data collection primarily aims to provide a better user experience.

By staying informed and making use of privacy tools, you can enjoy the benefits of YouTube while maintaining control over your personal information.

Q1: How can I manage the personal data collected by YouTube?

A1: You can manage your personal data by accessing your Google Account settings. From there, you can control the data you share, review your activity, and update your privacy settings.

Q2: What are the privacy settings available on YouTube, and how can I adjust them?

A2: You can adjust your privacy settings by visiting your Google Account settings. Some options include controlling your ad personalization, managing your YouTube history (watch and search), and choosing your data sharing preferences with Google.

Q3: Can I use YouTube without providing any personal information? A3: Yes, you can use YouTube without signing in. However, you’ll have limited access to features, and your experience will not be personalized based on your interests.

Q4: How does YouTube handle the data of children or users under the age of 13?

A4: YouTube has a separate platform called YouTube Kids, designed for children. YouTube Kids has stricter data collection policies and complies with the Children’s Online Privacy Protection Act (COPPA). Content creators must designate whether their content is made for children, and data collection is limited for such content.

Q5: How long does YouTube retain my personal data?

A5: YouTube retains your personal data for varying durations depending on the type of data and its purpose. In general, YouTube retains your data for as long as your account is active, and for a reasonable period afterward to comply with legal obligations, enforce its terms of service, and resolve disputes. Some data, such as search history and watch history, can be deleted by the user at any time. If you choose to delete your account, YouTube will start the process of removing your data from its systems, but it may take some time to complete. Keep in mind that specific legal obligations might require YouTube to retain certain data for a longer period.

Q6: Can I request YouTube to delete my personal data?

A6: Yes, you can request the deletion of your personal data by visiting your Google Account settings. You can delete specific data or your entire account, which will remove your personal information from YouTube’s servers.

Q7: Are there any alternative video-sharing platforms with less data collection?

A7: There are several alternative video-sharing platforms with varying data collection policies. Some examples include Vimeo, Dailymotion, and PeerTube. However, it’s essential to review their privacy policies and data collection practices before using them.

Q8: How can I limit targeted advertising on YouTube?

A8: You can limit targeted advertising on YouTube by turning off ad personalization in your Google Account settings. This will prevent YouTube from using your personal data to show you personalized ads.

Q9: Does YouTube share my personal data with third parties, and if so, under what circumstances?

A9: YouTube may share your personal data with third parties in specific situations, such as with your consent, for external processing by trusted service providers, or for legal reasons (e.g., in response to a lawful request from a law enforcement agency).

Q10: What are some additional steps I can take to protect my privacy while using YouTube and other online platforms?

A10: You can use privacy-focused browsers (e.g., Brave or Firefox), enable browser extensions that block trackers and ads, use virtual private networks (VPNs) to mask your location and IP address, and browse YouTube in incognito mode to limit the collection of your personal data.

Q11: How can I access and download the personal data that YouTube has collected about me?

A11: You can access and download your personal data through Google’s “Takeout” service. Visit takeout.google.com, sign in to your Google Account, and select the data you wish to download. Once you’ve made your selection, click “Next” and choose a file type and delivery method to receive your data.

Q12: Can I opt-out of certain types of data collection on YouTube?

A12: While you can’t opt-out of all data collection on YouTube, you can manage your privacy settings and limit specific types of data collection, such as ad personalization and YouTube watch/search history. Visit your Google Account settings to control the data you share with YouTube and other Google services.

These questions and answers cover various aspects of YouTube’s personal data collection practices, privacy settings, data management, and alternative options for users who are concerned about their privacy.

Remember – If you want to look after your data, maybe look into getting a VPN – I use NordVPN, super cheap, super safe!