
The California Consumer Protection Act & The General Data Protection Regulation

California Consumer Protection Act (“CCPA”) - Cal. Civ. Code § 1798.100 et seq.

• The CCPA, which became effective in January 2020, creates a series of consumer privacy rights and business obligations regarding the collection and sale of personal information.
Who does the CCPA apply to?
• The CCPA applies to any for-profit business that collects personal information from one or more California residents and satisfies at least one of the following business thresholds:
  ◦ Has gross annual revenue in excess of $25 million; or
  ◦ Annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more California consumers, households, or devices; or
  ◦ Derives 50% or more of its annual revenue from selling personal information.
What must businesses do to comply with the CCPA?
• The CCPA requires businesses to give consumers certain information in a “notice at collection.”
  ◦ A notice at collection must list the categories of personal information businesses collect about consumers and the purposes for which they use those categories of information.
  ◦ Notice must be provided at or before the point at which the business collects the consumer's personal information (i.e., notice at collection).
  ◦ Example: provide a link to the Privacy Policy/Notice on the homepage or in the settings menu.

• Businesses face fines of up to $2,500 per violation of the CCPA. For intentional violations, businesses can be fined up to $7,500 per violation.
Who has rights under the CCPA?
• Only California residents have rights under the CCPA.
• A California resident is a natural person (as opposed to a business entity) who resides in California, even if the person is temporarily outside of the state.
• California residents cannot bring suit under the CCPA (except in cases of data breaches of nonencrypted data) but may file a complaint with the California Privacy Protection Agency (“Agency”).
• The California Attorney General can sue a business under the CCPA based on complaints and patterns of misconduct.
What is considered Personal Information under the CCPA?
• Personal information: information that identifies, relates to, or could reasonably be linked with a California resident or their household. Examples:
  ◦ name,
  ◦ social security number,
  ◦ email address,
  ◦ records of products purchased,
  ◦ internet browsing history,
  ◦ geolocation data,
  ◦ fingerprints,
  ◦ inferences from other personal information that could create a profile about the resident's preferences and characteristics.
Rights under the CCPA
• California residents have the following privacy rights under the CCPA:
  ◦ The right to opt-out of the sale of their personal information;
  ◦ The right to know about the personal information a business collects about them and how it is used and shared;
  ◦ The right to delete personal information collected from them; and
  ◦ The right to non-discrimination for exercising their CCPA rights.
Rights under the CCPA
• Right to opt-out:
  ◦ California residents (“CR”) may request that a business stop selling their personal information (“opt-out”).
  ◦ Businesses that sell personal information are subject to the CCPA's requirement to provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website that allows a CR to submit an opt-out request.
  ◦ Businesses must wait at least 12 months before asking a CR to opt back into the sale of personal information.
  ◦ Exception to the right to opt-out: certain medical information or consumer credit reporting information (these types of PI are governed by other legislation).
Rights under the CCPA
• Right to know:
  ◦ California residents (“CR”) may request that businesses disclose to them what personal information they have collected, used, shared, or sold about them, and why they collected, used, shared, or sold that information. Specifically:
    - The categories of personal information collected.
    - Specific pieces of personal information collected.
    - The categories of sources from which the business collected personal information.
    - The purposes for which the business uses the personal information.
    - The categories of third parties with whom the business shares the personal information.
    - The categories of information that the business sells or discloses to third parties.
  ◦ Businesses must respond within 45 days. The deadline can be extended by another 45 days.
Rights under the CCPA
• Right to Delete:
  ◦ A CR may request that businesses delete personal information they collected from them and tell their service providers to do the same.
  ◦ Businesses must respond within 45 days. The deadline can be extended by another 45 days.
  ◦ There are many exceptions that allow businesses to keep personal information:
    - To complete a transaction, provide a reasonably anticipated product or service, or for certain warranty and product recall purposes.
    - To comply with legal obligations, exercise legal claims or rights, or defend legal claims.
    - If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA.
Rights under the CCPA
• Right to Non-Discrimination:
  ◦ Businesses cannot deny goods or services, charge a CR a different price, or provide a different level or quality of goods or services just because the CR exercised their rights under the CCPA.
California Privacy Rights Act (“CPRA”)
• Amendments to the CCPA which take effect on January 1, 2023. Updates the circumstances in which the CCPA applies to a business. The CCPA applies if a business:
  ◦ Has gross annual revenue in excess of $25 million in the preceding calendar year (measured on January 1 of the calendar year).
  ◦ Annually buys, sells, or shares the personal information of 100,000 California consumers or households.
  ◦ Derives 50% or more of its annual revenue from selling or sharing personal information.
The General Data Protection Regulation (“GDPR”)
• The General Data Protection Regulation is a European data protection law that governs the processing of personal data on individuals inside the European Union.
• Went into effect May 25, 2018.
Who must comply with the GDPR? (Art. 3 GDPR)
• The GDPR applies to:
  ◦ organizations that are based in the EU that process personal data of EU residents, even if the data are being stored or used outside of the EU; or
  ◦ organizations that are not in the EU if: 1) the organization offers goods or services to people in the EU, or 2) the organization monitors the online behavior of EU residents.
• If your company is not in the EU but you cater to EU customers, the GDPR will likely apply to you.
• If your organization uses web tools that allow you to track cookies or the IP addresses of people who visit your website from EU countries, then you likely fall under the scope of the GDPR.
What information is protected under the GDPR?
• It protects “personal data”.
  ◦ “Personal Data” is defined as “any information relating to an identified or identifiable natural person (‘data subject’)”.
  ◦ Examples: “identifiers such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Important terms used in the GDPR
• Data subjects
  ◦ Refers to an identifiable natural person whose data is collected.
• Data controllers
  ◦ Refers to a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Data processors
  ◦ Refers to a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
What must a company do to process data under the GDPR? (Art. 6 GDPR)
• Must have a legal basis for processing personal data. This means that an organization must have the user's consent prior to having their personal data collected and processed, or meet any of the remaining legal bases in Article 6 of the GDPR (e.g., required by law, contract, etc.).
• Must provide clear information about the organization's data processing practices in its privacy policy.
• Must implement appropriate technical and organizational measures to protect the security of data.
• Must designate someone responsible for ensuring GDPR compliance across the organization.
• Must notify individuals of their rights under the GDPR.
Rights of individuals under the GDPR (Art. 12-23)
• Right to be informed - gives individuals the right to be informed about the collection and use of their personal data.
• Right of access - gives individuals the right to request access (or copies) to any of their personal information that a data controller is processing.
• Right of rectification - gives individuals the right to have personal data rectified if it is inaccurate or incomplete.
• Right of erasure - gives individuals the power to get their personal data erased in some circumstances.
• Right to restrict processing - gives individuals the right to restrict (or limit) the processing of their personal data in certain circumstances.
• Right to data portability - allows individuals to request a copy of their personal information in a "commonly used and machine-readable format" so that they can transmit this data to another organization "without hindrance."
• Right to object to processing - gives individuals the right to object to the processing of their personal data at any time.
• Rights in relation to automated decision making and profiling - individuals "have the right not to be subject to a decision" based solely on automated processing.
Penalties under the GDPR (Art. 77-84)
Depending on the violation, the range can go from:
• 2% of the firm's worldwide annual revenue or €10 million, whichever is higher; to
• 4% of the firm's worldwide annual revenue or €20 million, whichever is higher.
FIN
