Cyber-Privacy: U.S. & EU Privacy Laws: CCPA, CPRA, and GDPR in the Age of AI

Mr. Long is experienced in Cyberlaw and technology matters, and has represented insurance and tech companies. Mr. Long has successfully resolved IP infringement matters, including IP insurance coverage litigation concerning bad faith coverage claims.

Data privacy is no longer just a compliance issue—it’s a critical trust factor between businesses and consumers. Whether you’re running an online store, managing customer data, or using AI-driven analytics, understanding privacy laws is essential to staying ahead of lawsuits, fines, and reputation damage.

But with California’s CCPA and CPRA, Europe’s GDPR, and the rise of AI regulation and de-regulation trends in the U.S., navigating this legal landscape can feel overwhelming. Let’s break it down into clear, actionable insights so you can protect your business, earn consumer trust, and understand basic principles to help stay compliant. Disclaimer: Consult with an attorney licensed in your jurisdiction for your specific case; this is not legal advice for your specific situation and is only generalized information.

Law | Jurisdiction | Who Is Protected | Summary
GDPR (General Data Protection Regulation) | European Union (and global businesses handling EU data) | Any EU citizen or resident | Strictest data privacy law globally, requiring clear consent, consumer rights, and strong security.
CCPA (California Consumer Privacy Act) | California, USA | California residents | Introduced consumer data rights, but mostly focused on large businesses selling data.
CPRA (California Privacy Rights Act) | California, USA | California residents | Strengthens CCPA with AI restrictions, expanded rights, and stricter enforcement.

If you do business online, collect user data, or use AI for ads and recommendations, these laws may still affect you—even if you’re outside California or the EU.

Penalties for Non-Compliance

GDPR:

  • Up to 4% of annual global revenue OR €20 million—whichever is higher.
  • Strict data security rules (encryption, breach notifications).

CCPA / CPRA:

  • $2,500 per accidental violation.
  • $7,500 per intentional violation.
  • $750 per person in private lawsuits for data breaches.

Effective Dates & Major Changes

CCPA: January 1, 2020. First major U.S. privacy law.

CPRA: January 1, 2023. Strengthens CCPA (removes loopholes, expands AI regulation).

GDPR: May 25, 2018. The world’s most comprehensive privacy law.

If you’re not compliant with these laws, you risk massive fines, lawsuits, and reputational damage.

Who Needs to Follow These Laws?

CCPA (California) Applies to Businesses That:

  • Have $25 million+ in annual revenue, OR
  • Buy/sell/share data of 50,000+ Californians, OR
  • Make 50%+ of revenue from selling personal data.

CPRA Expands the Rules:

  • Now applies to businesses collecting 100,000+ records (up from 50,000).
  • Covers “sharing” (not just selling) of consumer data—especially for behavioral advertising.
  • Eliminates the 30-day grace period before fines kick in.
  • Requires stricter AI transparency—businesses must disclose automated decision-making.

GDPR (Europe) Applies If You:

  • Process personal data of any EU citizen, even if you’re based elsewhere.
  • Track EU visitors (cookies, ads, analytics).
  • Sell goods/services to EU consumers.

If your business is digital-first, global, or data-driven, you must comply. Even if you’re outside California or the EU, these laws apply to your online activities.

California’s CCPA & CPRA together recognize:

  • Right to Access: To access a copy of personal data held by companies.
  • Right to Knowledge of Sale: What data is collected & how it’s used.
  • Right to Equal Pricing and Service (based on the consumer’s data): No “privacy penalty” for opting out.
  • Right to Object / Opt Out: Stop businesses from selling or sharing data. CPRA extends this to “sharing,” meaning disclosure of data for behavioral advertising even when no money or other thing of value is exchanged.
  • Right to Correct (CPRA), also known as the Right to Rectification.
  • Right to Limit Use and Disclosure of Sensitive Personal Information (including SSN, driver license numbers, biometric information, precise geolocation, and racial and ethnic origin) (also CPRA).
  • CPRA applies to Contractors (entities to whom a business makes available a consumer’s personal information for a business purpose pursuant to a written contract with the business).
  • CPRA removes the CCPA’s 30-day cure period for violations.
  • CPRA also adds AI accountability: consumers can opt out of automated decision-making, and businesses must be transparent about how AI affects them.

The GDPR is much stricter concerning companies’ use of AI, consent, and profiling as it impacts consumers:

  • Right to Access
  • Right to Object
  • Right to Be Informed
  • Right to Rectify
  • Right to Delete or “Be Forgotten”
  • Right to Restrict Processing
  • Right to Data Portability
  • Right to Not Be Subject to Automated Decision

Users can request that a business subject to the GDPR give users access to:

  • What information is collected on them
  • What information is shared or sold
  • Who that information may be shared with or sold to

GDPR and CCPA Compared:

  • Penalties under the GDPR can be up to 4% of the company’s annual revenue or €20 million, whichever is higher.
  • Penalties under the CCPA are $750 for each violation, per person.
  • The GDPR requires user consent if processing sensitive information, e.g., race, ethnicity, religion, political history, medical history, financial history, or sexuality.
  • The CCPA requires consent to sell data of users under age 16.
  • The CCPA requires a right to withdraw consent to the sale of data at any time. This also requires a “Do Not Sell My Personal Information” link posted on the homepage and in the privacy policy so users can opt out of the sale of data.
  • The GDPR requires keeping data encrypted, confidential and accessible; notifying users of data breach; and performing Data Protection Impact Assessment (DPIA) before processing personal data.
  • CCPA lawsuits can be brought by the Attorney General’s Office for breach of privacy if company data is mishandled or infiltrated.
  • Private right of action requires notice of at least 30 days under California Civil Code § 1798.150.

AI Regulation in the U.S. & EU

Privacy laws are evolving faster than ever due to AI, facial recognition, and predictive algorithms.

CPRA’s AI Impact (California)

  • Requires transparency in AI decision-making (e.g., how algorithms impact credit approvals, hiring, pricing).
  • Consumers must be able to opt out of AI profiling.
  • Expanded data rights for minors (strictest in the U.S.).

EU AI Act (Stricter than CPRA)

  • GDPR already restricts AI decision-making with no human oversight.
  • The EU AI Act (expected 2024) will ban certain AI uses (like social scoring).
  • Businesses using AI must prove fairness & transparency.