Data Subject Rights Across GDPR, CCPA/CPRA, and FERPA
The General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and its successor the California Privacy Rights Act (CPRA), and the Family Educational Rights and Privacy Act (FERPA) represent three distinct regulatory frameworks governing data subject rights, each with different scopes, enforcement mechanisms, and compliance timelines. While GDPR applies globally to organizations processing EU residents' data, the CCPA/CPRA specifically targets California residents, and FERPA restricts disclosure of student educational records. Understanding these distinctions is critical for multinational enterprises and organizations handling sensitive personal or educational information.
The fundamental difference in rights architecture reflects each regulation's policy objectives. GDPR (Articles 12-22) grants individuals comprehensive rights including access, rectification, erasure ('right to be forgotten'), restriction of processing, data portability, and objection to automated decision-making. The CCPA/CPRA (California Civil Code §1798.100-1798.120) provides overlapping but narrower rights: access, deletion, opt-out of sale/sharing, and opt-in for sensitive personal information, with the CPRA adding correction and limited opt-out of profiling. FERPA (20 U.S.C. §1232g and 34 CFR Part 99) grants parents and eligible students only access and amendment rights to educational records, with no deletion or portability rights, reflecting its narrower focus on transparency in educational institutions.
Notification and enforcement timelines diverge significantly across these regimes. GDPR mandates breach notification within 72 hours of discovery (Article 33) and requires Data Protection Authorities (DPAs) to complete investigations within 3 months, with potential extensions. The CCPA requires notification without unreasonable delay (California Civil Code §1798.150), while the CPRA tightens this to 45 days (effective 2023). FERPA contains no specific breach notification requirement in the statute itself, though the Department of Education's interpretive guidance and state laws often impose similar 30-day notification standards. Response times for data subject requests also differ: GDPR requires responses within 30 days with one 30-day extension (Article 12(3)), CCPA/CPRA within 45 days with one 45-day extension (§1798.100(d)), and FERPA within 45 days (34 CFR §99.37).
Penalties and enforcement mechanisms reflect each regulation's enforcement architecture. GDPR violations carry administrative fines up to €20 million or 4% of annual global revenue for procedural violations, and €20 million or 4% for substantive rights violations (Article 83), enforced by national DPAs with private right of action. The CCPA imposed civil penalties up to $7,500 per intentional violation, enforceable by the California Attorney General, while the CPRA creates a new California Privacy Protection Agency with authority to impose penalties of $2,500-$7,500 per violation. FERPA violations result in potential loss of federal education funding under 20 U.S.C. §1232g(f), with enforcement by the Department of Education's Family Policy Compliance Office, a significantly less severe civil penalty framework than that of GDPR or CCPA, though private rights of action exist in limited circumstances.
For multinational enterprises and educational institutions, the most critical compliance consideration involves the hierarchy of rights and obligations. Organizations must implement GDPR-level protections as the global baseline for EU residents, layer CCPA/CPRA requirements for California residents (including establishing opt-out mechanisms and maintaining data processing inventories), and maintain FERPA compliance through separate access and amendment protocols for student records. The absence of a private right of action under GDPR (limited to member state law interpretations) contrasts sharply with the explicit private rights under CCPA §1798.150 (statutory damages of $100-$750 per consumer per incident) and FERPA's equitable remedies, requiring distinct risk management approaches for each jurisdiction.