CCPA GDPR Chart PDF

Resource ID: w-016-7418
CCPA and GDPR Comparison Chart

LAURA JEHL AND ALAN FRIEL, BAKERHOSTETLER LLP,
WITH PRACTICAL LAW DATA PRIVACY ADVISOR
Search the Resource ID numbers in blue on Westlaw for more.
A Chart comparing some of the key The CCPA grants California resident’s new rights regarding their
personal information and imposes various data protection duties
requirements of the California Consumer Privacy on certain entities conducting business in California. While it
Act (CCPA) and the EU General Data Protection incorporates several GDPR concepts, such as the rights of access,
portability, and data deletion, there are several areas where the
Regulation (GDPR). CCPA requirements are more specific than those of the GDPR or
where the GDPR goes beyond the CCPA requirements.
The EU General Data Protection Regulation (Regulation (EU) This Chart provides a high-level comparison of key requirements
2016/679) (GDPR) took effect on May 25, 2018 and replaced the under the CCPA and the GDPR. It is not a comprehensive list of all
EU Directive and its member state implementing laws. On June 28, measures required under the CCPA or the GDPR.
2018, California became the first U.S. state with a comprehensive For an overview of the CCPA, see Practice Note, California Privacy
consumer privacy law when it enacted the California Consumer and Data Security Law: Overview: General Data Protection and the
Privacy Act of 2018 (CCPA), which becomes effective January 1, California Consumer Privacy Act (6-597-4106) and Article, Expert Q&A:
2020, with some exceptions (Cal. Civ. Code §§ 1798.100-1798.199). The California Consumer Privacy Act of 2018 (CCPA) (W-015-6908).
Given their comprehensiveness and broad reaches, each law
may have significant impact on entities that collect and process For an overview of the GDPR, see Practice Note, Overview of EU
personal data. General Data Protection Regulation (W-007-9580).
Practical Law Resources

CCPA GDPR Comparison and Citations
Who is Regulated? Any for-profit entity doing business Data controllers and data The scope and territorial CCPA
in California, that meets one of the processors: reach of the GDPR is
following: much broader. Cal. Civ. Code § 1798.140(c).
Established in the EU
Has a gross revenue greater than that process personal Boxes, CCPA Definitions
Substantially different in
$25 million. data in the context parties regulated. and CCPA Exceptions to
Annually buys, receives, sells, or of activities of the Extraterritorial Applications.
shares the personal information EU establishment,
regardless of whether Practice Note, California
of more than 50,000 consumers,
the data processing Privacy and Data Security
households, or devices for
takes place within Law: Overview: CCPA Scope
commercial purposes.
the EU. (6-597-4106).
Derives 50 percent or more of
its annual revenues from selling Not established in the GDPR
consumers’ personal information. EU that process EU
data subjects’ personal Article 3.
The law also applies to any entity that data in connection Practice Note, Determining
either: with offering goods the Applicability of the
Controls or is controlled by a covered or services in the EU, GDPR (W-003-8899).
business. or monitoring their
behavior.
Shares common branding with a
covered business, such as a shared
name, service mark, or trademark.
© 2018 Thomson Reuters. All rights reserved.


Parts of the CCPA apply specifically to:
Service providers.
Third parties.
Who is Protected? Consumers, defined as California Data subjects, defined as Substantially different in CCPA
residents that are either: identified or identifiable approach, but similarly
persons to which personal broad in effect. Cal. Civ. Code § 1798.140(g)
In California for other than a
data relates. and Cal. Code Regs. tit. 18,
temporary or transitory purpose. Both laws focus on §17014.
Domiciled in California but are information that relates
currently outside the State for a to an identifiable natural Practice Note, California
temporary or transitory purpose. person, however the Privacy and Data Security
definitions differ. Law: Overview: CCPA Scope
Consumers include: (6-597-4106).
Customers of household goods and Both have potential
extraterritorial effects GDPR
services.
that businesses located Article 4(1).
Employees.
outside the jurisdiction
Business-to-Business transactions. must consider. Practice Note, Overview of
EU General Data Protection
Regulation: Identifiability
(W-007-9580).
What Information is Personal information that identifies, Personal data is any Substantially similar. CCPA
Protected? relates to, describes, is capable of being information relating to an However, the CCPA
associated with, or may reasonably identified or identifiable definition also includes Cal. Civ. Code §§ 1798.140(o)
be linked, directly or indirectly, with a data subject. information linked at the and 1798.145(c)-(f).
particular consumer or household. household or device level. Boxes, Categories of Personal
The GDPR prohibits
The statutory definition includes a processing of defined Information Under the CCPA
list of specific categories of personal special categories of and Information Excluded
information. personal data unless a From the CCPA’s Personal
lawful justification for Information Definition.
Personal information does not include processing applies.
certain publicly available government Practice Note, California
records. The CCPA also excludes certain Privacy and Data Security
personal information covered by other Law: Overview: Personal
sector specific legislation from its Information under CCPA
coverage scope. (6-597-4106).
GDPR
Articles 4(1) and 9(1).
Practice Note, Overview of
EU General Data Protection
Regulation: Personal Data and
Data Subjects (W-007-9580)
and Special Categories of
Personal Data (W-007-9580).
Anonymous, The CCPA does not restrict a business’s Pseudonymous data is The CCPA and GDPR CCPA
Deidentified, ability to collect, use, retain, sell, or considered personal data. pseudonymization
Pseudonymous, or disclose a consumer information that is definitions are very similar Cal. Civ. Code §§ 1798.140(a),
Aggregated Data deidentified or aggregated. Anonymous data is not and both require technical (h), (o), (r), and 1798.145(a)(5).
considered personal data. controls to prevent
However, the CCPA establishes a high Practice Note, California
reidentification to qualify. Privacy and Data Security
bar for claiming data is deidentified or
aggregated Law: Overview: Personal
Information under CCPA
(6-597-4106).
2 © 2018 Thomson Reuters. All rights reserved.


Pseudonymous data may qualify as While the GDPR does The CCPA GDPR
personal information under the CCPA not mention deidentified primarily discusses
because it remains capable of being data, the CCPA definition pseudonymization in the Article 4(5).
associated with a particular consumer is similar to GDPR’s context of using personal Practice Note, Anonymization
or household. However, the statute concept of anonymous information collected and Pseudonymization under
does not clearly categorize or exclude data. from a consumer for other the GDPR (W-007-4624).
pseudonymous data as personal purposes, for research. It
information. does not appear to help
businesses generally
avoid the CCPA’s
requirements.
At this point, it is unclear
how different the position
under the GDPR is.
Privacy Notice / Businesses must inform consumers Data controllers must Similar disclosure CCPA
Information Right about: provide detailed requirements, but
information about its differences in the specific Cal. Civ. Code §§ 1798.100(a)-
The personal information categories
personal data collection information required and (b), 1798.105(b), 1798.110,
collected. 1798.115, 1798.120(b), 1798.130,
and data processing the delivery methods.
The intended use purposes for each and 1798.135.
activities. The notice
category. must include specific The CCPA notice
requirements on personal Practice Note, California
Further notice is required to: information depending Privacy and Data Security Law:
on whether the data is information disclosed or
Collect additional personal sold to third parties only Overview: Consumer Rights
collected directly from under the CCPA (6-597-4106)
information categories. covers the 12 months
the data subject or a third and CCPA Business
Use collected personal information party. preceding the request.
Obligations (6-597-4106).
for unrelated purposes.
GDPR
The CCPA requires that businesses
provide specific information to Articles 13-14.
consumers and establishes delivery
requirements. Practice Note, Data Subject
Rights under the GDPR:
Third parties must also give consumers Personal Data Collected
explicit notice and an opportunity to Directly from a Data Subject
opt out before re-selling personal (W-006-7553) and Personal
information that the third party acquired Data Collected from a Third
from another business. Party (W-006-7553).
Security The CCPA does not directly impose data The GDPR requires Substantially similar CCPA
security requirements. However, it does data controllers and in statutory approach
establish a right of action for certain data processors to take though reasonable Cal. Civ. Code § 1798.150(a)(1).
data breaches that result from violations appropriate technical and security measures Practice Note, California
of a business’s duty to implement and organizational measures may vary to some Privacy and Data Security Law:
maintain reasonable security practices to ensure a level of extent according to Overview: CAG Enforcement
and procedures appropriate to the risk security appropriate to an organization’s and Private Actions under the
arising from existing California law. the risk. circumstances and CCPA (6-597-4106).
regulator interpretation.
GDPR
Article 24(1).
Practice Note, Data security
under the GDPR (GDPR and
DPA 2018) (UK) (W-013-5138).
© 2018 Thomson Reuters. All rights reserved. 3


Opt-Out Right for Businesses must enable and comply The GDPR does not Substantially different. CCPA
Personal Information with a consumer’s request to opt-out of include a specific right to
Sales the sale of personal information to third opt-out of personal data Cal. Civ. Code §§ 1798.120 and
parties, subject to certain defenses. sales. 1798.135(a)-(b).
Must include a “Do Not Sell My However, the GDPR does GDPR
Personal Information” link in a clear contain other rights a Practice Note, Overview of
and conspicuous location on a website data subject may use to EU General Data Protection
homepage. obtain a similar result in Regulation: Processing for
certain circumstances. For Direct Marketing Purposes
Must not request reauthorization to example, it does permit
sell a consumer’s personal information (W-007-9580) and Lawfulness
data subjects, at any of Processing (W-007-9580).
for at least 12 months after the person time, to:
opts-out.
Opt-out of processing
data for marketing
purposes.
Withdraw consent for
processing activities.
This allows data subjects
to opt-out of third-party
sales that support
marketing purposes or
rely on consent for their
legal processing basis.
Children The CCPA prohibits selling personal The GDPR’s default Substantially different CCPA
information of a consumer under 16 age for consent is 16, requirements, other than
without consent. although individual ages involved. Cal. Civ. Code § 1798.120(c)-(d).
member state law may Practice Note, California
Children aged 13 – 16 can directly lower the age to no lower The CCPA only requires
provide consent. Children under 13 parental consent for Privacy and Data Security Law:
than 13. The person with Overview: Consumer Rights
require parental consent. parental responsibility personal data sales, while
GDPR’s parental consent Under the CCPA (6-597-4106).
Importantly, protections provided by must provide consent
for children under the requirement applies to GDPR
the federal Children’s Online Privacy all processing consent
Protection Act (COPPA) still apply on top consent age.
requests. Article 8(1).
of the CCPA’s requirements. Children must receive an
age appropriate privacy Practice Note, Overview of
notice. EU General Data Protection
Regulation: Children’s consent
Children’s personal data (W-007-9580).
is subject to heightened
security requirements.
Right of Disclosure or Consumers have a right to request Data subjects have a right Broadly similar rights of CCPA
Access disclosure of their personal information, to access their personal disclosure/access.
and to receive additional details data, including receiving Cal. Civ. Code §§ 1798.100(d),
regarding the personal information a a copy and to obtain The CCPA’s right is 1798.110, 1798.115.
business collects and its use purposes, certain information about only to obtain a written
disclosure of the Practice Note, California
including any third parties with which it the data controller’s Privacy and Data Security Law:
shares information. processing. information. The GDPR
allows broader access, Overview: Consumer Rights
which is not limited to a Under the CCPA (6-597-4106).
written disclosure in a GDPR
portable format.
Article 15.
Practice Note, Data Subject
Rights Under the GDPR:
Personal Data Access Right
(W-006-7553).


Right of Data In response to a request for disclosure, The GDPR includes Broadly similar rights. CCPA
Portability a business must provide personal a new right to data
information in a readily useable format portability to: The GDPR provides a Cal. Civ. Code §§ 1798.100(d)
to enable a consumer to transmit the specific right to request a and 1798.130(a)(2).
Receive a copy of the
information from one entity to another data controller to transfer
personal data in a their personal data to Practice Note, California
entity without hindrance. structured, commonly Privacy and Data Security Law:
another data controller.
used and machine- Overview: Consumer Rights
readable format. Under the CCPA (6-597-4106)
Transmit the personal
GDPR
data to another data
controller (including Article 20.
directly by another
data controller where Practice Note, Data Subject
possible). Rights Under the GDPR: Data
portability right (W-006-7553).
Right to Deletion / A consumer has the right to deletion Data subjects have the Similar data deletion CCPA
Erasure (The Right to of personal information a business has right to request erasure rights.
be Forgotten) collected, subject to certain exceptions. of personal data under six Cal. Civ. Code § 1798.105.
circumstances (the right The GDPR right only
The business must also instruct its applies if the request Practice Note, California
to be forgotten). Privacy and Data Security Law:
service providers to delete the data. meets one of six specific
Data controllers must conditions while the CCPA Overview: Consumer Rights
also take reasonable right is broad. Under the CCPA (6-597-4106)
steps to inform any other GDPR
data controllers also However, the CCPA also
processing the data. allows business to refuse Article 17.
the request on much
broader grounds than the Practice Note, Data Subject
GDPR. Rights under the GDPR:
Personal data erasure right
The GDPR’s obligation to (”Right to be forgotten”)
inform downstream data (W-006-7553).
recipients of the person’s
deletion request is also
broader.
Right of rectification None. The GDPR grants data Substantially different. GDPR
subjects the right to:
Article 16.
Correct inaccurate
personal data. Practice Note, Data Subject
Complete incomplete Rights under the GDPR:
personal data. Personal Data Rectification
Right (W-006-7553).
Right to Restrict None, other than the right to opt-out of Right to restrict Substantially different. CCPA
Processing personal information sales. processing of personal
data, under certain Cal. Civ. Code § 1798.120.
circumstances. GDPR
Article 18.
Rights under the GDPR: Data
Processing Restriction Right
(W-006-7553).
Right to Object to None, other than the right to opt-out of Right to object to Substantially different. CCPA
Processing personal information sales. processing for profiling,
direct marketing, and Cal. Civ. Code § 1798.120.
statistical, scientific, GDPR
or historical research
purposes. Article 21.
Rights under the GDPR: Data
Processing Objection Right
(W-006-7553).


Right to Object None. Data subjects have the Substantially different. GDPR
to Automated right to not be subject
Decision-Making to automated decision- Article 22.
making, including Practice Note, Data Subject
profiling, which has Rights under the GDPR:
legal or other significant Automated Decision-
effects on the data Making Objection Right
subject, subject to certain (W-006-7553).
exceptions.
Non-Discrimination A business must not discriminate It is implicit in the GDPR Similar idea, different CCPA
against a consumer because they that organizations cannot obligations.
exercised their rights. discriminate against Cal. Civ. Code § 1798.125.
a data subject that
However, a business may charge exercises his rights, for
differently if that difference reasonably example by references
relates to the value provided by the prohibiting processing
consumer’s data. that adversely affects the
Businesses may also offer financial rights and freedoms of
incentives if they are disclosed in terms data subjects.
or online privacy policy, and require
opt-in consent.
Responding to A business must: A data controller must: Substantially similar. CCPA
Rights Requests Comply with a verifiable consumer Verify the identity of
Cal. Civ. Code §§ 1798.100(c)-
request (as defined in Cal. Civ. Code a data subject before (d), 1798.105(c), 1798.110(b),
§ 1798.140(y)). responding to a 1798.115(b), 1798.130(a)(2), (b),
Respond within 45 days after receipt, request. 1798.140 (y), and 1798.145(g).
potentially extendable once for Respond to requests
another 45 or 90 days on customer without undue delay GDPR
notification. and at the latest
Article 12.
Inform the consumer of the reasons within one month.,
for not taking action. extendable for up to Practice Note, Data Subject
two more months if Rights Under the GDPR:
Provide the information free of
necessary after data Responding to Data Subject
charge, unless the request is subject notice.
manifestly unfounded or excessive. Requests (W-006-7553).
Give reasons if the
Consumers may only make most data controller does
information requests twice a year and not comply with any
only for a 12-month look-back. There requests.
are no limits on deletion and do not sell
requests. Requests do not have to
be free to data subjects.
Penalties (Private The CCPA establishes a narrow The GDPR establishes a Substantially different CCPA
Rights of Action) private right of action for certain data private right of action for in scope, but violations
breaches involving a sub-set of personal material or non-material of either may potentially Cal. Civ. Code § 1798.150.
information. However, the CPPA grants damage caused by a result in significant Practice Note, California
companies a 30-day period to cure data controller or data economic liability. Privacy and Data Security Law:
violations, if possible. processors breach of the Overview: CAG Enforcement
GDPR. and Private Actions Under the
Consumers may seek the greater of
actual damages or statutory damages CCPA (6-597-4106).
ranging from $100 to $750 per GDPR
consumer per incident.
Article 82.
Courts may also impose injunctive or
declaratory relief. Practice Note, GDPR and DPA
2018: enforcement, sanctions
and remedies (UK): Remedies,
liability and penalties
(W-005-2487).


Penalties (Civil Fines) The California AG may bring actions for Administrative fines can Approach to calculating CCPA
civil penalties of $2,500 per violation, or reach EUR20 million fines differs, but violations
up to $7,500 per violation if intentional. or 4% of annual global of either may potentially Cal. Civ. Code §1798.155.
However, the CCPA also grants revenue, whichever is result in significant Practice Note, California
businesses a 30-day cure period for highest. economic liability. Privacy and Data Security Law:
noticed violations. Overview: CAG Enforcement
EU Member States
can impose their own and Private Actions Under the
penalties applicable to CCPA (6-597-4106).
infringements of the GDPR
GDPR that are not subject
to administrative fines Article 83-84.
under Article 83, GDPR.
Practice Note, GDPR and
DPA 2018: enforcement,
sanctions and remedies (UK)
(W-005-2487).
CCPA DEFINITIONS
CCPA. However, the third party definition excludes personal
The CCPA has a long list of defined terms (Cal. Civ. Code information recipients who obtain the data:
§1798.140). This box discusses certain defined terms used in Directly from the business.
this Chart. For the definition of personal information, see Box,
For a business purpose.
Personal Information Categories Under the CCPA.
Under a written contract that contains specific clauses.
Controls means:
Ownership of or the power to vote more than 50 percent of
To qualify for the exclusion, the business’s written contract with
the outstanding shares of any class of voting security of a the recipient must:
business. Prohibit the recipient from:
Control in any manner over the election of a majority of the zz selling the personal information;
directors or of individuals exercising similar functions. zz retaining, using, or disclosing the personal information for any
The power to exercise a controlling influence over the purpose other than for the specific purpose of performing the
management of a company. services specified in the contract, including retaining, using, or
(Cal. Civ. Code § 1798.140(c)(2).) disclosing the personal information for a commercial purpose
other than providing the services specified in the contract; and
Common branding means a shared name, service mark, or zz retaining, using, or disclosing the information outside of the
trademark. direct business relationship between the recipient and the
(Cal. Civ. Code § 1798.140(c)(2).) business.
Include a certification that the recipient understands the
Service provider means a sole proprietorship, partnership, restrictions and will comply with them.
limited liability company, corporation, association, or other legal
entity that is organized or operated for the profit or financial (Cal. Civ. Code § 1798.140(w).)
benefit of its shareholders or other owners that:
Processes information on behalf of a business.
Receives personal information from a business;

CCPA EXCEPTIONS TO EXTRATERRITORIAL
zz for a business purpose only; and APPLICATIONS
zz under a written contract, which prohibits the service The CCPA does prevent collections or sales of a California
provider from retaining, using, or disclosing the personal resident’s (consumer’s) personal information if every aspect of
information for any purpose other than for performing the the commercial conduct takes place wholly outside California.
services specified in the contract or as otherwise permitted To qualify the business must:
by this title.
Collect the personal information while the consumer is
(Cal. Civ. Code § 1798.140(v).) outside of California.
Third party means a person or entity other than the business Ensure no part of the consumer’s personal information sale
collecting personal information from consumers under the occurs in California.

Not sell personal information collected while the consumer sexual orientation (see State Q&A, Anti-Discrimination Laws:
was in California. California).
Commercial information, including records of:
The CCPA exception does not permit a business to store,
including on a device, personal information about the consumer zz personal property;
while present in California, and then collect that personal zz products or services purchased, obtained, or considered; or
information when the consumer or stored personal information zz other purchasing or consuming histories or tendencies.
is later outside of California.
Biometric information.
(Cal. Civ. Code § 1798.145(a)(6).) Internet or other electronic network activity information,
including:
zz browsing history;
zz search history; or
PERSONAL INFORMATION CATEGORIES UNDER
THE CCPA zz information regarding a consumer’s interaction with an
internet website, application, or advertisement.
The CCPA defines personal information more broadly than
Geolocation data.
California’s other laws. It includes any information that directly
or indirectly identifies, describes, relates to, is capable of being Audio, electronic, visual, thermal, olfactory, or similar
associated with, or can reasonably link to a particular consumer information.
or household. The statutory definition includes eleven specific Professional or employment-related information.
categories that businesses must use when providing their
Education information, defined as nonpublic personally
required disclosures. Those categories are:
identifiable information under the Family Educational Rights and
Identifiers, such as: Privacy Act (FERPA) (20 U.S.C. § 1232g and 34 C.F.R. Part 99).
zz real name; Inferences drawn from any of these personal information
zz an alias; categories to create a profile about a consumer reflecting the
zz postal address; consumer’s:
zz email address; zz preferences;
zz unique personal or online identifier; zz characteristics;
zz internet protocol (IP) address; zz psychological trends;
zz account name; zz predispositions;
zz social security number (SSN); zz behavior;
zz driver’s license or passport number; or zz attitudes;
zz other similar identifiers. zz intelligence;
Personal information categories described in the California
zz abilities; or
Customer Records statute (Cal. Civ. Code § 1798.80(e)), which zz aptitudes.
in addition to the identifiers described above, also lists a
person’s:
zz signature.
zz physical characteristics or description; INFORMATION EXCLUDED FROM THE CCPA’S
zz state identification card number;
PERSONAL INFORMATION DEFINITION
zz insurance policy number. Personal information does not include “publicly available”
information. However, the CCPA narrowly defines the “publicly
zz education.
available” term to only mean information lawfully made
zz employment or employment history. available from federal, state, or local government records.
zz bank account number, credit card number, debit card
The publicly available term does not include:
number, or any other financial information.
Data used for a purpose not compatible with the public
zz medical information or health insurance information.
recordkeeping purpose that caused the government entity to
Characteristics of protected classifications under California maintain or make the data available.
or federal law, like race, religion, gender, national origin, or

CCPA
CCPA and
and GDPR
GDPR Comparison
Comparison Chart
Chart
Biometric information collected without the person’s

knowledge.
Deidentified or aggregate consumer data.
(Cal. Civ. Code §1798.140(o)(2).)

The CCPA does not apply to:
Medical information or protected health information governed
by California and federal health information privacy laws.
Clinical trial information subject to the Federal Policy for the
Protection of Human Subjects (the Common Rule).
Personalinformation regulated by the Fair Credit Reporting
Act (FCRA).
(Cal. Civ. Code §1798.145(c)-(d).)
Only one CCPA section providing a private right of action
for certain data breaches applies to personal information
governed by:
The Gramm-Leach-Bliley Act (GLBA) or California Financial
Information Privacy Act.
Driver’s Privacy Protection Act of 1994.
The CCPA’s other provisions do not. (Cal. Civ. Code

1798.145(e)-(f).)
ABOUT PRACTICAL LAW

Practical Law provides legal know-how that gives lawyers a better starting
point. Our expert team of attorney editors creates and maintains thousands of
up-to-date, practical resources across all major practice areas. We go beyond
primary law and traditional legal research to give you the resources needed to
practice more efficiently, improve client service and add more value.
If you are not currently a subscriber, we invite you to take a trial of our online
services at legalsolutions.com/practical-law. For more information or to
schedule training, call 1-800-733-2889 or e-mail referenceattorneys@tr.com.
11-18
© 2018 Thomson Reuters. All rights reserved. Use of Practical Law websites and services is subject to the
Terms of Use (http://static.legalsolutions.thomsonreuters.com/static/agreement/westlaw-additional-terms.pdf)
and Privacy Policy (https://a.next.westlaw.com/Privacy).

CCPA GDPR Chart PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CCPA GDPR Chart PDF

Uploaded by

Copyright:

Available Formats

Resource ID: w-016-7418

CCPA and GDPR Comparison Chart

Search the Resource ID numbers in blue on Westlaw for more.

Practical Law Resources

© 2018 Thomson Reuters. All rights reserved.

Practical Law Resources

2 © 2018 Thomson Reuters. All rights reserved.

Practical Law Resources

© 2018 Thomson Reuters. All rights reserved. 3

Practical Law Resources

4 © 2018 Thomson Reuters. All rights reserved.

Practical Law Resources

© 2018 Thomson Reuters. All rights reserved. 5

Practical Law Resources

6 © 2018 Thomson Reuters. All rights reserved.

Practical Law Resources

Receives personal information from a business;

© 2018 Thomson Reuters. All rights reserved. 7

8 © 2018 Thomson Reuters. All rights reserved.

Biometric information collected without the person’s

(Cal. Civ. Code §1798.140(o)(2).)

The CCPA’s other provisions do not. (Cal. Civ. Code

ABOUT PRACTICAL LAW

You might also like

Receives personal information from a business;

Biometric information collected without the person’s