California and Europe Lead the Way on Data Privacy – More States to Follow

You may have heard that the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020.  The CCPA is the first major attempt by a state government in the United States to regulate the use of consumer personal information.  Following California’s lead, other states have started considering similar data privacy laws.  The CCPA has been compared to the European Union General Data Protection Regulation (GDPR) that became effective in 2018.  While the CCPA has some similarities to the GDPR, significant differences between the two laws mean that compliance with one of the laws will not necessarily equate compliance with the other.  It is important for businesses subject to either or both of those laws to be aware of what is needed to be in compliance.  Businesses not subject to California and European data privacy laws should nevertheless pay attention to data privacy concerns because it is likely similar laws will be passed throughout the country over the coming years.  Legislation is pending in several state legislatures, including Illinois, with similarities to the CCPA and GDPR. 

An important difference between the CCPA and GDPR is the geographic reach and scope of each law.  The GDPR applies to any individual or entity that collects personal information from anyone in the European Union.  The GDPR makes no exceptions for the location of the business collecting the information, the size of the business, or the type of business collecting the information.  The CCPA, on the other hand, does not apply to non-profit organizations not operated for the profit or financial benefit of shareholders.  Furthermore, a for-profit business will not be subject to the CCPA unless it or its subsidiary does business in California and generates at least $25 million in annual gross revenues; or collects personal information of 50,000 or more California residents; or derives 50% or more of its revenues from selling personal information of California residents.  Unlike the GDPR, the CCPA is limited in geographic scope and exempts businesses that do not exceed revenue and activity thresholds.

The GDPR and CCPA give consumers broad rights to their personal information.  Both laws allow consumers to request disclosure of the personal information that the business holds, to receive copies of the personal information, and to request deletion of that information.  Consumers can also request that the business not sell that information to third parties or cease using it.  Consumer rights to personal information are broader under the GDPR because the GDPR allows consumers to request correction of their personal information and to be notified of any automated processing of that information.  The GDPR also places restrictions on how personal information can be transferred, especially if it is transferred outside of the European Economic Area.   

The CCPA places a strong emphasis on consumer disclosures.  The CCPA expressly requires businesses to provide certain disclosures and to provide them in specific ways.  For example, businesses subject to the CCPA must notify consumers that they have the right to “opt-out” of the sale of their personal information by providing a clear and conspicuous link on the business’s homepage titled “Do Not Sell My Personal Information.”  The CCPA further specifies disclosures that must be made to the consumer at the time the business collects personal information and what information must be in the business’s privacy policies.

In terms of remedies and enforcement, the GDPR authorizes EU state supervisory authorities to impose fines of up to €10 million or 2% of annual global revenues, whichever is higher, for violating the GDPR.  The CCPA may be enforced by the California Attorney General, including fines of up to $2,500 for each violation and up to $7,500 for each intentional violation.  In addition, individual consumers may seek monetary or injunctive relief if their personal information is disclosed, stolen, or accessed without authorization as a result of the business’s failure to implement and maintain reasonable security procedures and practices.

At first glance, the GDPR and CCPA may seem similar, but both laws vary in significant ways.  A business that is subject to the GDPR and CCPA should carefully review both laws and evaluate its data processing policies and practices to make sure it is in compliance with all applicable laws.  Because data privacy concerns have attracted the attention of state legislatures, all businesses should make data privacy a priority so that they will be in a position to comply with new requirements when they become effective.  Neglecting to comply with these laws could come at a steep cost.   

This article is provided for general information and should not be relied upon as legal advice for a specific situation. If you are in need of specific advice or legal representation, please do not hesitate to contact us.

©2020 Bea & VandenBerk