The two most important statutes regarding data privacy and compliance are the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
The GDPR came into force on May 25, 2018, and applies to every member state in the European Union (EU) and those who have contact with EU citizens. EU member states may legislate higher protections in certain areas.
The CCPA took effect on January 1, 2020, and is one of the strictest data privacy laws in the USA.
It secures new privacy rights for California consumers. The two statutes are very similar but are separate legal frameworks with different scopes, definitions, and requirements.
A business that complies with GDPR and is subject to CCPA may have additional obligations under the CCPA.
While CCPA incorporates several GDPR concepts, such as the rights of access, portability, and data deletion, there are several areas where the CCPA requirements are more specific than those of the GDPR or where there are substantial differences.
For example, the GDPR does not include a specific right to opt out of personal data sales.
Under CCPA, businesses must generally enable and comply with a consumer’s request to opt out of the sale of personal information to third parties.
In general, if a company took steps needed to comply with GDPR, then it is most of the way there for the CCPA.
The CCPA gives consumers more control over the personal information that businesses collect about them.
As with GDPR, entities do not have to be based in California or have a physical presence there to be required to comply with the law. The CCPA does not apply to non-profit or government entities.
Businesses collecting personal information must give consumers certain notices explaining their privacy practices.
This includes the categories of personal information businesses collect about consumers and the purposes for which they use the categories of information.
If a business sells the personal information it collects, then the notice at collection must include a “Do Not Sell” section. The notice must also contain a link to the business’s privacy policy, where consumers can get a fuller description of the business’s privacy practices and of their privacy rights.
The notice must be provided at or before the point at which the business collects consumers’ personal information.
A business must make its privacy policy available to consumers on its website.
A business must designate at least two methods for consumers to submit a request for deletion of personal information, such as an email address, website form, or hard copy form and mailing address.
If a request for deletion is submitted by a consumer, a business has 45 days to respond to the request and can ask for a 45-day extension.
Privacy statements disclose how a business collects personal information from consumers. They also explain how that information is used, managed, and protected by the collecting entity.
The Privacy Policy is a written statement that gives a broad picture of a business’s online and offline practices for the collection, use, sharing, and sale of consumers’ personal information.
The CCPA requires business privacy policies to include information on consumers’ privacy rights including: The Right to Know, the Right to Delete, the Right to Opt-Out of Sale and the Right to Non-Discrimination, and how to exercise them.
Personal information is any information that can identify a living person and generally includes information such as names and email addresses, or computer IP addresses, but it can also mean disclosing that a website uses cookies.
Personal information does not include publicly available information that is from government records, such as professional licenses and public real estate or property records.
Companies have 30 days to comply with the law once regulators notify them of a violation. If the issue is not resolved, there is a fine of up to $7,500 per record.
CCPA also provides for a private right of action, and it allows class action lawsuits for damages.
Consumers may file a lawsuit against a business if personal information, including their name, is stolen in nonencrypted and nonredacted form due to a business’s lack of security measures.
Consumers can bring a cause of action for monetary damages that they suffered from the breach or statutory damages of up to $750 per violation.
A business has 30 days from receipt of written notice by the consumer to cure the violation.
If a business cures the violation in the 30-day period and provides a written notice to the consumer stating that the violation has been cured and will not happen again, the consumer is barred from suing for statutory damages, unless the violations continue.
The Attorney General can also file an action against a business for violation of the CCPA reported by consumers and other information leading to a pattern of misconduct.