Cyber-Privacy: CCPA / CPRA & GDPR

Mr. Long is experienced in Cyberlaw and technology matters, and has represented insurance and tech companies. Mr. Long has successfully resolved IP infringement matters, including IP insurance coverage litigation concerning bad faith coverage claims.

The California Consumer Privacy Act (CCPA) took effect on January 1, 2020 in the United States; the California Privacy Rights Act (CPRA), which amends and extends the CCPA, becomes operative on January 1, 2023; and the General Data Protection Regulation (GDPR) has applied in the European Union (EU) since May 25, 2018.

What companies are subject to the CCPA?

A for-profit business that does business in California and meets any one of the following thresholds can be subject to the CCPA: it has over $25 million in annual gross revenues; it annually buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices; or it derives at least half of its annual revenue from selling California consumers' personal information. The thresholds are alternatives, not cumulative conditions.

What companies are subject to the CPRA?

A for-profit business that does business in California and meets any one of the following thresholds can be subject to the CPRA: it had over $25 million in gross revenues in the preceding calendar year; it annually buys, sells, or shares the personal information of 100,000 or more California consumers or households; or it derives at least half of its annual revenue from selling or sharing California consumers' personal information. The CPRA raises the consumer/household threshold from 50,000 to 100,000 and no longer counts devices toward it.

The CCPA recognizes:

  • Right to Know / Access (the categories and specific pieces of personal information collected, and the sources, purposes and third parties involved)
  • Right to Delete
  • Right to Know Whether Personal Information Is Sold or Disclosed, and to Whom
  • Right to Opt Out of the Sale of Personal Information
  • Right to Equal Pricing and Service (no discrimination against a consumer for exercising CCPA rights)

The CPRA recognizes the above and adds the following:

  • Right to Correction (rectification) of inaccurate personal information.
  • Right to Limit Use and Disclosure of Sensitive Personal Information, a new category that includes Social Security numbers, driver's license numbers, biometric information, precise geolocation, and racial or ethnic origin.
  • Right to Opt Out of Sharing as well as Sale: "sharing" means disclosing personal information to a third party for cross-context behavioral advertising, whether or not money or other valuable consideration is exchanged.
  • Applies to Contractors (entities to which a business makes available a consumer's personal information for a business purpose pursuant to a written contract with the business), in addition to service providers.
  • Removes the mandatory 30-day cure period for administrative enforcement actions, which the CCPA provided; whether to allow a cure becomes discretionary. The 30-day notice-and-cure step for the consumer's private right of action under Civil Code § 1798.150 remains, but after the CPRA, implementing reasonable security after a breach does not by itself constitute a cure of that breach.

The GDPR recognizes:

  • Right to Access
  • Right to Object
  • Right to Be Informed
  • Right to Rectify
  • Right to Delete or “Be Forgotten”
  • Right to Restrict Processing
  • Right to Data Portability
  • Right Not to Be Subject to Solely Automated Decision-Making, Including Profiling

Data subjects can request that a controller subject to the GDPR confirm whether it is processing their personal data and give them access to:

  • What personal data is held about them, and the purposes of the processing
  • The source of the data, where it was not collected from them directly
  • The recipients or categories of recipients to whom the data has been or will be disclosed, including recipients in third countries

GDPR and CCPA Compared:

  • Penalties under the GDPR can be up to 20 million euros or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.
  • Penalties under the CCPA: civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, in enforcement actions; in a private action following a data breach, statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.
  • The GDPR requires explicit consent (or another Article 9 exception) to process special categories of data, e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and sex life or sexual orientation. Financial data is not a special category under the GDPR, although it is still personal data.
  • The CCPA requires affirmative (opt-in) consent to sell the personal information of consumers under age 16, and consent from a parent or guardian for consumers under 13.
  • The CCPA requires that consumers be able to opt out of the sale of their personal information at any time. This requires a clear and conspicuous "Do Not Sell My Personal Information" link on the homepage and in the privacy policy (under the CPRA, "Do Not Sell or Share My Personal Information"), and businesses must honor a user-enabled global opt-out signal such as Global Privacy Control as a valid opt-out request.
  • The GDPR requires appropriate technical and organisational security measures (Article 32), including, as appropriate, pseudonymisation and encryption and the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and affected data subjects without undue delay where the breach is likely to result in a high risk to them; and performing a Data Protection Impact Assessment (DPIA) before processing that is likely to result in a high risk to individuals (not before all processing).
  • CCPA enforcement actions are brought by the Attorney General's Office. Separately, consumers have a private right of action under California Civil Code § 1798.150 when their nonencrypted and nonredacted personal information is subject to unauthorized access, theft or disclosure as a result of the business's failure to implement and maintain reasonable security procedures.
  • Before seeking statutory damages under § 1798.150, the consumer must give the business 30 days' written notice identifying the specific provisions violated; if the business actually cures the violation within that period and provides a written statement to that effect, no action for individual statutory damages may be brought.