Two of the most influential statutes governing data privacy and compliance are the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
The GDPR came into force on May 25, 2018. It applies to every member state of the European Union (EU) and, beyond the EU's borders, to organizations that offer goods or services to, or monitor the behaviour of, individuals located in the EU, regardless of those individuals' citizenship. EU member states may legislate higher protections in certain areas.
The CCPA took effect on January 1, 2020, and is one of the strictest data privacy laws in the USA.
It secures new privacy rights for California consumers. The two statutes are similar in spirit, but they are separate legal frameworks with different scopes, definitions, and requirements.
A business that complies with GDPR and is subject to CCPA may have additional obligations under the CCPA.
While CCPA incorporates several GDPR concepts, such as the rights of access, portability, and data deletion, there are several areas where the CCPA requirements are more specific than those of the GDPR or where there are substantial differences.
For example, the GDPR does not include a specific right to opt-out of personal data sales.
Under CCPA, businesses must generally enable and comply with a consumer’s request to opt-out of the sale of personal information to third parties.
In general, a company that has already taken the steps needed to comply with the GDPR is most of the way toward CCPA compliance, but it must still map the CCPA-specific obligations (such as the opt-out of sale) onto its existing program rather than assume equivalence.
The CCPA gives consumers more control over the personal information that businesses collect about them.
As with the GDPR, an entity does not have to be based in California or have a physical presence there to be subject to the law. The CCPA does not apply to non-profit or government entities.
Businesses collecting personal information must give consumers certain notices explaining their privacy practices.
This includes the categories of personal information businesses collect about consumers and the purposes for which they use the categories of information.
The notice must be provided at or before the point at which the business collects consumers’ personal information.
A business must designate at least two methods for consumers to submit a request for deletion of personal information, such as an email address, a website form, or a hard-copy form with a mailing address.
Once a consumer submits a deletion request, the business has 45 days to respond; it may extend that period by a further 45 days when reasonably necessary, provided it notifies the consumer of the extension.
A privacy statement discloses how a business collects personal information from consumers and explains how that information is used, managed, and protected by the collecting entity.
The CCPA requires business privacy policies to include information on consumers’ privacy rights including: The Right to Know, the Right to Delete, the Right to Opt-Out of Sale and the Right to Non-Discrimination, and how to exercise them.
Personal information does not include publicly available information that is from government records, such as professional licenses and public real estate or property records.
Under the CCPA as originally enacted, a business has 30 days to cure a violation once the regulator notifies it. If the violation is not cured, the business faces a civil penalty of up to $2,500 per violation, rising to $7,500 per intentional violation. Because the penalty is assessed per violation rather than per company, a single systemic failure affecting many consumers can multiply quickly.
CCPA also provides for a private right of action, and it allows class action lawsuits for damages.
Consumers may file a lawsuit against a business if their personal information, including their name, is stolen in nonencrypted and nonredacted form as a result of the business's failure to implement and maintain reasonable security measures.
Consumers can bring a cause of action for the actual monetary damages they suffered from the breach, or for statutory damages of between $100 and $750 per consumer per incident, whichever is greater.
A business has 30 days from receipt of written notice by the consumer to cure the violation.
If a business cures the violation in the 30-day period and provides a written notice to the consumer stating that the violation has been cured and will not happen again, the consumer is barred from suing for statutory damages, unless the violations continue.
The Attorney General can also bring an enforcement action against a business for CCPA violations, whether prompted by consumer complaints or by other information indicating a pattern of misconduct.