Comparing California's Consumer Privacy Act with
the European Union's GDPR
© September 2018 Judy Selby and Alison Bird. All rights reserved.
General Data Protection Regulation (GDPR) and the
California Consumer Privacy Act (CCPA)
This article was written by Judy Selby and Alison Bird. Judy Selby, founder of Judy Selby Consulting LLC, provides regulatory compliance and cyber insurance consulting services. She can be
reached at judyselbyconsulting@gmail.com. Alison Bird is a partner of Turinas & Bird LLC. Her legal practice focuses on corporate law and privacy compliance. She can be reached at
alison.bird@turinasbird.com. This article is for informational purposes only and not for the purpose of providing legal advice.
In May of 2018, the EU’s groundbreaking privacy and cyber security regulation, the General Data Protection
Regulation (GDPR), went into effect. The GDPR covers virtually every aspect of how companies handle protected
data and empowers individuals with a wide range of rights over their data. Implementing these sweeping GDPR
requirements has proved to be strategically and operationally challenging for affected businesses, with few
expecting to have achieved full compliance by the Regulation’s May 25, 2018, effective date.
Just as companies were catching their collective breath after racing toward the GDPR deadline, Governor Jerry
Brown of California signed the hastily enacted and similarly groundbreaking California Consumer Privacy Act
(CCPA). The Governor later approved certain CCPA amendments. Like the GDPR, the CCPA vests individuals with
more control over their protected data. Although the CCPA is expected to be further clarified before its January 1,
2020, effective date, it also promises to create challenging strategic and operational hurdles for covered businesses.
While there are a number of similarities between GDPR and CCPA — some commentators actually refer to CCPA as
“GDPR light” — understanding the specific areas of overlap as well as the differences between the two standards
can help companies more efficiently and effectively work towards ongoing compliance with both.
Major requirements of the GDPR and the CCPA and the
important differences between them
In each row below, the first entry describes the California Consumer Privacy Act of 2018 (CCPA) and the second the General Data Protection Regulation (GDPR).

Who is Regulated?
CCPA: A for-profit business that does business in California and:
• has annual gross revenues greater than $25 million;
• annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more
consumers, households or devices; or
• derives 50% or more of its annual revenue from selling consumers' personal information. [1798.140(c)]
GDPR: Any controller or processor:
• processing personal data in the context of the activities of an establishment in the Union; or
• not established in the Union but offering goods or services to data subjects in the Union, or monitoring the
behavior of data subjects within the Union. [Article 3]

Who is Protected?
CCPA: Natural persons who are California residents. [1798.140(g)]
GDPR: An identified or identifiable natural person (a "data subject") in the European Union. [Articles 3(2), 4(1)]
What Data is Protected?
CCPA: "Personal Information" ("PI"), which is broadly defined to include information that identifies, relates to,
describes, or is capable of being associated with or could reasonably be linked, directly or indirectly, with a
particular consumer or household, including identifiers such as a real name, alias, online identifier, IP address,
email address, account name, commercial information, and internet or other electronic network activity
information, such as browsing history, search history, products and services purchased, and information regarding
a consumer's interaction with an Internet Web site, application, or advertisement. Publicly available information is
excluded. [1798.140(o)]
GDPR: "Personal Data", defined as any information relating to a data subject who can be identified, directly or
indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier,
or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person. [Article 4(1)]
Special Categories of Data?
CCPA: No.
GDPR: Yes. Special categories of personal data are:
• personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union
membership;
• genetic data;
• biometric data processed to uniquely identify a natural person;
• health data;
• data concerning sex life or sexual orientation. [Article 9]
Consumer's Rights and Choices
CCPA:
• Right to request:
o Information on the categories of PI collected, sold or disclosed.
o Sources from which the PI is collected.
o Categories of third parties to whom the PI is sold.
o The specific pieces of PI collected.
o The business or commercial purpose for collecting or selling PI.
• Right to request deletion of PI.
• Right to opt out of the sale of PI, with a right not to be discriminated against (equal service and price) for
exercising CCPA rights. [1798.100, 105, 110, 115, 120, 125]
GDPR:
• Right to know whether personal data is being processed and, if so:
o The purpose of the processing.
o The categories of data collected.
o The data retention period.
o The existence of automated decision-making, including profiling.
• Right to rectification of inaccurate data.
• Right to erasure.
• Right to restrict processing in specific situations.
• Right to data portability.
• Right to obtain a copy of the data being processed (with certain limitations).
• Right to object to processing, and right not to be subject to a decision based solely on automated processing,
including profiling. [Articles 15-22]
Response to consumer request
CCPA:
• 45 days (which may be extended in certain circumstances) to disclose and deliver the requested information
following a verified request.
• Covers only the 12-month period preceding the request.
• Must be free of charge.
• Not required to provide PI to a consumer more than twice in a 12-month period. [1798.100(d); 1798.130(a)(2)]
GDPR:
• One month to respond, extendable by two further months where necessary given the complexity and number of
requests.
• Must be free of charge.
• A reasonable fee, or refusal of the request, is permitted when the request is manifestly unfounded or excessive,
in particular because of its repetitive character. [Article 12]
When can a business refuse a deletion request?
CCPA:
• When necessary to complete a transaction for which the PI was collected.
• As reasonably contemplated in connection with the ongoing relationship, or for internal uses reasonably aligned
with consumer expectations.
• For security, fraud and crime prevention, and debugging or functionality purposes.
• If the request would interfere with the right of free speech.
• For the continuation of scientific, historical, or statistical research if the consumer has previously provided
informed consent.
• To comply with legal obligations. [1798.105(d)]
GDPR:
• If the request is manifestly unfounded or excessive. [Article 12]
• If the request would interfere with the right of freedom of expression and information.
• To comply with legal obligations.
• For reasons of public interest, including public health.
• For archiving, scientific, historical research or statistical purposes in the public interest.
• For the establishment, exercise or defense of legal claims. [Article 17]
Required Notices?
CCPA:
• Categories, sources, and purpose of PI collection. [1798.110, 115, 130]
• Categories and purpose of PI sold. [1798.115, 130]
• Categories of PI disclosed and whether the disclosure was for a business purpose (or the fact that no disclosures
were made for business purposes). [1798.115, 130]
• Description of consumers' rights and one or more methods for submitting requests. [1798.130]
• Categories of third parties with whom PI is shared. [1798.110, 130]
• Right to opt out of the sale of PI. [1798.120(b)]
• Right to request deletion of PI. [1798.105]
• A web address and a toll-free telephone number for submitting consumer requests. [1798.130]
• A clear and conspicuous link on the homepage, entitled "Do Not Sell My Personal Information", for businesses
that sell PI. [1798.135]
GDPR:
• Categories and purpose of data collection.
• Recipients or categories of recipients of personal data.
• Identity and contact information of the controller (and of its representative and data protection officer, where
applicable).
• The purpose and legal basis for the processing.
• If data is to be transferred outside the EU, information regarding the appropriate or suitable safeguards (such as
standard contractual clauses).
• The period for which personal data will be stored.
• The existence of the rights to request access to and rectification or erasure of personal data, or restriction of
processing.
• The right to withdraw consent to processing, where processing is based on consent.
• The right to lodge a complaint with a supervisory authority.
• The existence of automated decision-making, including profiling.
• If further processing is to be conducted for a purpose other than the one for which the data was collected,
disclosure of that further purpose before the processing begins. [Article 13]
Security Requirement
CCPA: Duty to implement and maintain reasonable security procedures and practices appropriate to the nature of
the PI. [1798.150]
GDPR: Duty to implement appropriate technical and organizational measures to ensure a level of security
appropriate to the risk, including, as appropriate:
• Pseudonymization and encryption of personal data.
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and
services.
• The ability to restore the availability of and access to personal data in a timely manner in the event of a physical
or technical incident.
• A process for regularly testing, assessing and evaluating the effectiveness of the security measures. [Article 32]
Some exceptions to compliance obligations
CCPA:
• In order to comply with federal, state, or local laws, and with civil, criminal or regulatory inquiries,
investigations, subpoenas or summonses (note that compliance with foreign laws is not addressed).
[1798.145(a)(1)-(2)]
• To cooperate with law enforcement agencies concerning conduct or activity that may violate federal, state, or
local law. [1798.145(a)(3)]
• To exercise or defend legal claims. [1798.145(a)(4)]
• To collect, use, retain, sell or disclose consumer information that is deidentified or in the aggregate.
[1798.145(a)(5)]
• If every aspect of the commercial conduct (including collection and sale of data) takes place wholly outside of
California. [1798.145(a)(6)]
• The Act does not apply to medical information governed by California's Confidentiality of Medical Information
Act or to protected health information governed by HIPAA. [1798.145(c)]
• The Act does not apply to consumer data subject to certain other laws, including the Gramm-Leach-Bliley Act
and the Driver's Privacy Protection Act. [1798.145(e), (f)]
• Sale of PI to or from a consumer reporting agency for use in a consumer report. [1798.145(d)]
• Data collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects.
[1798.145(c)(1)(C)]
GDPR: Varies depending on the right. For instance:
• The data subject's right of access is limited where access would adversely affect the rights and freedoms of
others. [Article 15]
• The right to erasure does not apply to the extent further processing is necessary:
o For exercising the right of freedom of expression and information.
o For compliance with a legal obligation under EU or Member State law.
o For reasons of public interest in the area of public health.
o For archiving, scientific, historical research or statistical purposes in the public interest.
o For the establishment, exercise, or defense of legal claims. [Article 17]
• Data whose processing has been restricted may still be processed (beyond storage):
o For the establishment, exercise, or defense of legal claims.
o For the protection of the rights of another natural or legal person.
o For reasons of important public interest of the European Union or of a Member State. [Article 18]
• The record-keeping obligation does not apply to an organization employing fewer than 250 persons unless:
o The processing is likely to result in a risk to the rights and freedoms of data subjects;
o The processing is not occasional; or
o The processing includes special categories of data or data relating to criminal convictions. [Article 30(5)]
Liability/Responsibilities for Service Providers?
CCPA: No direct obligation. It is the obligation of the business that collects the data to direct its service providers
to delete the information. [1798.105(c)]
GDPR: Yes. Processors carry direct obligations, including to process only on the controller's documented
instructions and to implement security measures. [Article 28] Any person who has suffered damage as a result of
an infringement of the Regulation has the right to receive compensation from the controller or the processor for the
damage suffered. [Article 82]
Private Right of Action
CCPA: Only for a violation of the business's duty to implement and maintain reasonable security procedures and
practices that results in a breach of nonencrypted or nonredacted PI, and only if, before seeking statutory damages
(individually or as a class), the consumer gives the business written notice and a 30-day opportunity to cure.
[1798.150]
GDPR:
• Data subjects have the right to lodge a complaint with a supervisory authority. [Article 77]
• Data subjects also have the right to bring proceedings against a controller or a processor before the courts of the
Member State where the controller or processor has an establishment, or where the data subject has his or her
habitual residence. [Article 79]
Fines and Penalties
CCPA: Statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is
greater, in consumer lawsuits. Civil penalties of up to $2,500 for each violation, or $7,500 for each intentional
violation, in an action by the Attorney General. The Attorney General may not bring enforcement actions until six
months after publication of the final regulations or July 1, 2020, whichever is sooner. [1798.150; 1798.155;
1798.185]
GDPR: Administrative fines of up to €10 million or 2% of total worldwide annual turnover of the preceding financial
year (whichever is higher) for less serious violations, and up to €20 million or 4% for more serious violations.
[Article 83]
Opportunity to cure after receiving notice of violation
CCPA: Yes. A business is in violation only if it fails to cure the alleged violation within 30 days after being notified
of noncompliance. [1798.155]
GDPR: No.
Specific Internal Compliance Role mandated?
CCPA: No.
GDPR: Appointment of an independent data protection officer, who reports directly to the highest level of
management, is required when:
• The processing is carried out by a public authority or body;
• Core activities require regular and systematic monitoring of data subjects on a large scale; or
• Core activities consist of large-scale processing of special categories of data (defined above) or of data relating
to criminal convictions.
Role of the data protection officer:
• Inform and advise on obligations under the GDPR and Member State laws.
• Monitor compliance with the law.
• Cooperate with the supervisory authority.
• Act as the point of contact for the supervisory authority. [Articles 37-39]
Additional Record Keeping Obligations?
CCPA: No.
GDPR: Organizations with 250 or more persons (and smaller organizations falling outside the exceptions noted
above) must maintain a record of processing activities that includes:
• The purposes of the processing.
• A description of the categories of data subjects and categories of personal data.
• The categories of recipients.
• The envisaged retention periods.
• A general description of the security measures.
• Transfers to third countries and documentation of the suitable safeguards. [Article 30]
A data protection impact assessment must be carried out before processing begins where the processing is likely to
result in a high risk, in particular:
• Systematic and extensive evaluation of personal aspects based on automated processing, including profiling,
that produces legal or similarly significant effects.
• Large-scale processing of special categories of data or of data relating to criminal convictions.
• Systematic monitoring of a publicly accessible area on a large scale. [Article 35]
GDPR Changing Mindset
GDPR Changing MindsetGDPR Changing Mindset
GDPR Changing Mindset
 
GDPR Whitepaper
GDPR WhitepaperGDPR Whitepaper
GDPR Whitepaper
 
Rethinking Trust in Data
Rethinking Trust in Data Rethinking Trust in Data
Rethinking Trust in Data
 
Post US Election Privacy Updates & Implications
Post US Election Privacy Updates & ImplicationsPost US Election Privacy Updates & Implications
Post US Election Privacy Updates & Implications
 
Cybersecurity, Privacy and Data Security from a Business Lawyer's Perspective
Cybersecurity, Privacy and Data Security from a Business Lawyer's PerspectiveCybersecurity, Privacy and Data Security from a Business Lawyer's Perspective
Cybersecurity, Privacy and Data Security from a Business Lawyer's Perspective
 
HIPAA vs GDPR The How, What, and Why ?
HIPAA vs GDPR The How, What, and Why ? HIPAA vs GDPR The How, What, and Why ?
HIPAA vs GDPR The How, What, and Why ?
 
California's Tough New Privacy Law is Here. Are You Ready?
California's Tough New Privacy Law is Here. Are You Ready?California's Tough New Privacy Law is Here. Are You Ready?
California's Tough New Privacy Law is Here. Are You Ready?
 

Recently uploaded

17-03 2022 -full agreement full version .pdf
17-03 2022 -full agreement full version .pdf17-03 2022 -full agreement full version .pdf
17-03 2022 -full agreement full version .pdf
ssuser0dfed9
 
Safeguarding Against Financial Crime: AML Compliance Regulations Demystified
Safeguarding Against Financial Crime: AML Compliance Regulations DemystifiedSafeguarding Against Financial Crime: AML Compliance Regulations Demystified
Safeguarding Against Financial Crime: AML Compliance Regulations Demystified
PROF. PAUL ALLIEU KAMARA
 
Indonesian Manpower Regulation on Severance Pay for Retiring Private Sector E...
Indonesian Manpower Regulation on Severance Pay for Retiring Private Sector E...Indonesian Manpower Regulation on Severance Pay for Retiring Private Sector E...
Indonesian Manpower Regulation on Severance Pay for Retiring Private Sector E...
AHRP Law Firm
 
A Critical Study of ICC Prosecutor's Move on GAZA War
A Critical Study of ICC Prosecutor's Move on GAZA WarA Critical Study of ICC Prosecutor's Move on GAZA War
A Critical Study of ICC Prosecutor's Move on GAZA War
Nilendra Kumar
 
原版定做(sheffield学位证书)英国谢菲尔德大学毕业证文凭证书原版一模一样
原版定做(sheffield学位证书)英国谢菲尔德大学毕业证文凭证书原版一模一样原版定做(sheffield学位证书)英国谢菲尔德大学毕业证文凭证书原版一模一样
原版定做(sheffield学位证书)英国谢菲尔德大学毕业证文凭证书原版一模一样
abondo3
 
一比一原版(ua毕业证书)加拿大阿尔伯塔大学毕业证如何办理
一比一原版(ua毕业证书)加拿大阿尔伯塔大学毕业证如何办理一比一原版(ua毕业证书)加拿大阿尔伯塔大学毕业证如何办理
一比一原版(ua毕业证书)加拿大阿尔伯塔大学毕业证如何办理
ubype
 
THE CONCEPT OF RIGHT TO DEFAULT BAIL.pptx
THE CONCEPT OF RIGHT TO DEFAULT BAIL.pptxTHE CONCEPT OF RIGHT TO DEFAULT BAIL.pptx
THE CONCEPT OF RIGHT TO DEFAULT BAIL.pptx
Namrata Chakraborty
 
一比一原版牛津布鲁克斯大学毕业证(牛布毕业证)如何办理
一比一原版牛津布鲁克斯大学毕业证(牛布毕业证)如何办理一比一原版牛津布鲁克斯大学毕业证(牛布毕业证)如何办理
一比一原版牛津布鲁克斯大学毕业证(牛布毕业证)如何办理
meboh
 
一比一原版加拿大达尔豪斯大学毕业证(dalhousie毕业证书)如何办理
一比一原版加拿大达尔豪斯大学毕业证(dalhousie毕业证书)如何办理一比一原版加拿大达尔豪斯大学毕业证(dalhousie毕业证书)如何办理
一比一原版加拿大达尔豪斯大学毕业证(dalhousie毕业证书)如何办理
cadyzeo
 
一比一原版林肯大学毕业证(lincoln毕业证)如何办理
一比一原版林肯大学毕业证(lincoln毕业证)如何办理一比一原版林肯大学毕业证(lincoln毕业证)如何办理
一比一原版林肯大学毕业证(lincoln毕业证)如何办理
fexbqa
 
Asian legal busiess india you are invited
Asian legal busiess india you are invitedAsian legal busiess india you are invited
Asian legal busiess india you are invited
digitalrashi12
 
一比一原版英国伦敦商学院毕业证(lbs毕业证书)如何办理
一比一原版英国伦敦商学院毕业证(lbs毕业证书)如何办理一比一原版英国伦敦商学院毕业证(lbs毕业证书)如何办理
一比一原版英国伦敦商学院毕业证(lbs毕业证书)如何办理
gedsuu
 
一比一原版新加坡南洋理工大学毕业证(本硕)ntu学位证书如何办理
一比一原版新加坡南洋理工大学毕业证(本硕)ntu学位证书如何办理一比一原版新加坡南洋理工大学毕业证(本硕)ntu学位证书如何办理
一比一原版新加坡南洋理工大学毕业证(本硕)ntu学位证书如何办理
hedonxu
 
一比一原版朴次茅斯大学毕业证(uop毕业证)如何办理
一比一原版朴次茅斯大学毕业证(uop毕业证)如何办理一比一原版朴次茅斯大学毕业证(uop毕业证)如何办理
一比一原版朴次茅斯大学毕业证(uop毕业证)如何办理
onduyv
 
一比一原版(uottawa毕业证书)加拿大渥太华大学毕业证如何办理
一比一原版(uottawa毕业证书)加拿大渥太华大学毕业证如何办理一比一原版(uottawa毕业证书)加拿大渥太华大学毕业证如何办理
一比一原版(uottawa毕业证书)加拿大渥太华大学毕业证如何办理
uhsox
 
一比一原版(glasgow毕业证书)格拉斯哥大学毕业证如何办理
一比一原版(glasgow毕业证书)格拉斯哥大学毕业证如何办理一比一原版(glasgow毕业证书)格拉斯哥大学毕业证如何办理
一比一原版(glasgow毕业证书)格拉斯哥大学毕业证如何办理
ooqzo
 
Business Laws Sunita saha
Business Laws Sunita sahaBusiness Laws Sunita saha
Business Laws Sunita saha
sunitasaha5
 
在线办理(UNE毕业证书)新英格兰大学毕业证成绩单一模一样
在线办理(UNE毕业证书)新英格兰大学毕业证成绩单一模一样在线办理(UNE毕业证书)新英格兰大学毕业证成绩单一模一样
在线办理(UNE毕业证书)新英格兰大学毕业证成绩单一模一样
15e6o6u
 
San Remo Manual on International Law Applicable to Armed Conflict at Sea
San Remo Manual on International Law Applicable to Armed Conflict at SeaSan Remo Manual on International Law Applicable to Armed Conflict at Sea
San Remo Manual on International Law Applicable to Armed Conflict at Sea
Justin Ordoyo
 
Corporate Governance : Scope and Legal Framework
Corporate Governance : Scope and Legal FrameworkCorporate Governance : Scope and Legal Framework
Corporate Governance : Scope and Legal Framework
devaki57
 

Recently uploaded (20)

17-03 2022 -full agreement full version .pdf
17-03 2022 -full agreement full version .pdf17-03 2022 -full agreement full version .pdf
17-03 2022 -full agreement full version .pdf
 
Safeguarding Against Financial Crime: AML Compliance Regulations Demystified
Safeguarding Against Financial Crime: AML Compliance Regulations DemystifiedSafeguarding Against Financial Crime: AML Compliance Regulations Demystified
Safeguarding Against Financial Crime: AML Compliance Regulations Demystified
 
Indonesian Manpower Regulation on Severance Pay for Retiring Private Sector E...
Indonesian Manpower Regulation on Severance Pay for Retiring Private Sector E...Indonesian Manpower Regulation on Severance Pay for Retiring Private Sector E...
Indonesian Manpower Regulation on Severance Pay for Retiring Private Sector E...
 
A Critical Study of ICC Prosecutor's Move on GAZA War
A Critical Study of ICC Prosecutor's Move on GAZA WarA Critical Study of ICC Prosecutor's Move on GAZA War
A Critical Study of ICC Prosecutor's Move on GAZA War
 
原版定做(sheffield学位证书)英国谢菲尔德大学毕业证文凭证书原版一模一样
原版定做(sheffield学位证书)英国谢菲尔德大学毕业证文凭证书原版一模一样原版定做(sheffield学位证书)英国谢菲尔德大学毕业证文凭证书原版一模一样
原版定做(sheffield学位证书)英国谢菲尔德大学毕业证文凭证书原版一模一样
 
一比一原版(ua毕业证书)加拿大阿尔伯塔大学毕业证如何办理
一比一原版(ua毕业证书)加拿大阿尔伯塔大学毕业证如何办理一比一原版(ua毕业证书)加拿大阿尔伯塔大学毕业证如何办理
一比一原版(ua毕业证书)加拿大阿尔伯塔大学毕业证如何办理
 
THE CONCEPT OF RIGHT TO DEFAULT BAIL.pptx
THE CONCEPT OF RIGHT TO DEFAULT BAIL.pptxTHE CONCEPT OF RIGHT TO DEFAULT BAIL.pptx
THE CONCEPT OF RIGHT TO DEFAULT BAIL.pptx
 
一比一原版牛津布鲁克斯大学毕业证(牛布毕业证)如何办理
一比一原版牛津布鲁克斯大学毕业证(牛布毕业证)如何办理一比一原版牛津布鲁克斯大学毕业证(牛布毕业证)如何办理
一比一原版牛津布鲁克斯大学毕业证(牛布毕业证)如何办理
 
一比一原版加拿大达尔豪斯大学毕业证(dalhousie毕业证书)如何办理
一比一原版加拿大达尔豪斯大学毕业证(dalhousie毕业证书)如何办理一比一原版加拿大达尔豪斯大学毕业证(dalhousie毕业证书)如何办理
一比一原版加拿大达尔豪斯大学毕业证(dalhousie毕业证书)如何办理
 
一比一原版林肯大学毕业证(lincoln毕业证)如何办理
一比一原版林肯大学毕业证(lincoln毕业证)如何办理一比一原版林肯大学毕业证(lincoln毕业证)如何办理
一比一原版林肯大学毕业证(lincoln毕业证)如何办理
 
Asian legal busiess india you are invited
Asian legal busiess india you are invitedAsian legal busiess india you are invited
Asian legal busiess india you are invited
 
一比一原版英国伦敦商学院毕业证(lbs毕业证书)如何办理
一比一原版英国伦敦商学院毕业证(lbs毕业证书)如何办理一比一原版英国伦敦商学院毕业证(lbs毕业证书)如何办理
一比一原版英国伦敦商学院毕业证(lbs毕业证书)如何办理
 
一比一原版新加坡南洋理工大学毕业证(本硕)ntu学位证书如何办理
一比一原版新加坡南洋理工大学毕业证(本硕)ntu学位证书如何办理一比一原版新加坡南洋理工大学毕业证(本硕)ntu学位证书如何办理
一比一原版新加坡南洋理工大学毕业证(本硕)ntu学位证书如何办理
 
一比一原版朴次茅斯大学毕业证(uop毕业证)如何办理
一比一原版朴次茅斯大学毕业证(uop毕业证)如何办理一比一原版朴次茅斯大学毕业证(uop毕业证)如何办理
一比一原版朴次茅斯大学毕业证(uop毕业证)如何办理
 
一比一原版(uottawa毕业证书)加拿大渥太华大学毕业证如何办理
一比一原版(uottawa毕业证书)加拿大渥太华大学毕业证如何办理一比一原版(uottawa毕业证书)加拿大渥太华大学毕业证如何办理
一比一原版(uottawa毕业证书)加拿大渥太华大学毕业证如何办理
 
一比一原版(glasgow毕业证书)格拉斯哥大学毕业证如何办理
一比一原版(glasgow毕业证书)格拉斯哥大学毕业证如何办理一比一原版(glasgow毕业证书)格拉斯哥大学毕业证如何办理
一比一原版(glasgow毕业证书)格拉斯哥大学毕业证如何办理
 
Business Laws Sunita saha
Business Laws Sunita sahaBusiness Laws Sunita saha
Business Laws Sunita saha
 
在线办理(UNE毕业证书)新英格兰大学毕业证成绩单一模一样
在线办理(UNE毕业证书)新英格兰大学毕业证成绩单一模一样在线办理(UNE毕业证书)新英格兰大学毕业证成绩单一模一样
在线办理(UNE毕业证书)新英格兰大学毕业证成绩单一模一样
 
San Remo Manual on International Law Applicable to Armed Conflict at Sea
San Remo Manual on International Law Applicable to Armed Conflict at SeaSan Remo Manual on International Law Applicable to Armed Conflict at Sea
San Remo Manual on International Law Applicable to Armed Conflict at Sea
 
Corporate Governance : Scope and Legal Framework
Corporate Governance : Scope and Legal FrameworkCorporate Governance : Scope and Legal Framework
Corporate Governance : Scope and Legal Framework
 

Second Verse, Different from the First.

  • 1. Comparing California's Consumer Privacy Act with the European Union's GDPR. © September 2018 Judy Selby and Alison Bird. All rights reserved.
  • 2. General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)
This article was written by Judy Selby and Alison Bird. Judy Selby, founder of Judy Selby Consulting LLC, provides regulatory compliance and cyber insurance consulting services. She can be reached at judyselbyconsulting@gmail.com. Alison Bird is a partner of Turinas & Bird LLC. Her legal practice focuses on corporate law and privacy compliance. She can be reached at alison.bird@turinasbird.com. This article is for informational purposes only and not for the purpose of providing legal advice.
In May of 2018, the EU's groundbreaking privacy and cyber security regulation, the General Data Protection Regulation (GDPR), went into effect. The GDPR covers virtually every aspect of how companies handle protected data and empowers individuals with a wide range of rights over their data. Implementing these sweeping GDPR requirements has proved to be strategically and operationally challenging for affected businesses, with few expecting to have achieved full compliance by the Regulation's May 25, 2018, effective date.
Just as companies were catching their collective breath after racing toward the GDPR deadline, Governor Jerry Brown of California signed the hastily enacted and similarly groundbreaking California Consumer Privacy Act (CCPA). The Governor later approved certain CCPA updates. Like the GDPR, the CCPA vests individuals with more control over their protected data. Although the CCPA is expected to be further clarified prior to its January 1, 2020, effective date, it also promises to create challenging strategic and operational hurdles for covered businesses.
While there are a number of similarities between the GDPR and the CCPA (some commentators actually refer to the CCPA as "GDPR light"), understanding the specific areas of overlap as well as the differences between the two standards can help companies more efficiently and effectively work towards ongoing compliance with both.
  • 3. Major requirements of the GDPR and the CCPA and the important differences between them
The following slides compare the California Consumer Privacy Act of 2018 (CCPA) with the General Data Protection Regulation (GDPR) row by row.
Who is regulated?
CCPA: A for-profit entity that meets any one of the following thresholds: • annual gross revenues greater than $25 million; • annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices; or • derives 50% or more of its annual revenue from selling consumers' personal information. [1798.140(c)]
GDPR: Any party • processing personal data in the context of an establishment in the Union; • offering goods or services to data subjects in the Union; or • monitoring the behaviour of data subjects in the Union. [Article 3]
Who is protected?
CCPA: Natural persons who are California residents. [1798.140(g)]
GDPR: An identified or identifiable natural person (a "data subject") in the European Union. [Article 3.2]
What data is protected?
CCPA: "Personal Information" (PI), which is broadly defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes identifiers such as a real name, alias, online identifier, IP address, email address and account name; commercial information; and internet or other electronic network activity information, such as browsing history, search history, products and services purchased, and information regarding a consumer's interaction with an Internet Web site, application or advertisement. Publicly available information is excluded. [1798.140(o)]
GDPR: "Personal Data", which is defined as any information relating to a data subject who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. [Article 4(1)]
Special categories of data?
CCPA: No.
GDPR: Yes. Special categories of personal data are: • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; • genetic data; • biometric data; • health data; • data concerning sex life or sexual orientation. [Article 9]
  • 4. Major requirements of the GDPR and the CCPA and the important differences between them (cont'd)
Consumer's rights and choices
CCPA: • Right to request: o information on the categories of PI collected, sold or disclosed; o the sources from which the PI is collected; o the categories of third parties to whom the PI is sold; o the specific pieces of PI collected; o the business or commercial purpose for selling or disclosing PI. • Right to request deletion of PI. • Right to opt out of the sale of PI (with a right to equal service and price). [1798.100, 105, 110, 115, 120]
GDPR: • Right to know whether data is being processed and, if so: o the purpose of the processing; o the categories of data collected; o the data retention period; o the existence of automated decision-making, including profiling. • Right to correct data. • Right to have data erased. • Right to restrict processing in specific situations. • Right to move data (data portability). • Right to obtain a copy of the data being processed (with certain limitations). • Right to object to automated individual decision-making. [Articles 15-22]
Response to consumer request
CCPA: • 45 days (which may be extended in certain circumstances) to disclose and deliver the requested information following a verified request. • Covers only the 12-month period preceding the request. • Must be free of charge. • Not required to provide PI to a consumer more than twice in a 12-month period. [1798.130(2)]
GDPR: • One month to respond (which may be extended in certain circumstances). • Must be free of charge. • A reasonable fee, or refusal to act, is permitted when a request is manifestly unfounded or excessive, in particular because it is repetitive. [Article 12]
When can a business refuse a deletion request?
CCPA: • When necessary to complete a transaction for which the PI was collected. • As reasonably contemplated in connection with the ongoing relationship or for internal business purposes. • For security, crime prevention and functionality purposes. • If the request would interfere with the right of free speech. • For the continuation of scientific, historical or statistical research if the individual has previously provided informed consent. • To comply with legal obligations. [1798.105(d)]
GDPR: • If the request is manifestly unfounded or excessive. • If erasure would interfere with the right of freedom of expression and information. • To comply with legal obligations. • For reasons of public interest. • For archiving purposes. • For the establishment, exercise or defence of legal claims. [Article 12, Article 17]
  • 5. Major requirements of the GDPR and the CCPA and the important differences between them (cont'd)
Required notices?
CCPA: • Categories, sources and purpose of PI collection. [1798.110, 115, 130] • Categories and purpose of PI sold. [1798.115, 130] • Categories of PI disclosed for a business purpose (or the fact that no disclosures were made for a business purpose). [1798.115, 130] • Description of consumers' rights and one or more methods for submitting requests. [1798.130] • Categories of third parties with whom PI is shared. [1798.110, 130] • Right to opt out of the sale of PI. [1798.120(b)] • Right to request deletion of PI. [1798.105] • A web address and a toll-free number for consumer requests. [1798.130] • For businesses that sell PI, a clear and conspicuous link on the homepage entitled "Do Not Sell My Personal Information". [1798.135]
GDPR: • Categories and purpose of data collection. • Recipients of personal data. • Identity and contact information of the controller (and of its representative and data protection officer, where applicable). • The purpose and legal basis for the processing. • If data is to be transferred outside of the EU, information regarding the appropriate or suitable safeguards relied on (such as model contractual clauses). • The period for which personal data will be stored. • Existence of the rights to request access to, rectification or erasure of personal data, or restriction of processing. • Right to withdraw consent to processing, if applicable. • Right to lodge a complaint with a supervisory authority. • The existence of automated decision-making, including profiling. • If further processing is to be conducted beyond the original purpose, disclosure of that further processing. [Article 13]
Security requirement
CCPA: Duty to implement and maintain reasonable security measures to protect PI. [1798.150]
GDPR: Duty to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate: • pseudonymization and encryption of personal data; • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; • the ability to restore availability of and access to personal data in a timely manner after an incident; • a process for regularly testing, assessing and evaluating the effectiveness of the security measures. [Article 32]
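The GDPR's Article 32 list names pseudonymization as a security measure, and the definition in Article 4(5) adds the condition that matters in practice: the "additional information" needed to re-identify a person must be kept separately. A common failure is to replace an email address with an unkeyed SHA-256 digest and call it pseudonymized, which an attacker who holds a list of candidate emails reverses by recomputing the hash. The following is an added example written for this article, not code from the authors or from any regulator; it uses a keyed HMAC with the key held apart from the data set (here generated in-process for a self-contained demo; in production it would live in a KMS or HSM), and contrasts it with the unkeyed hash on a constructed sample record.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# The "additional information" of Article 4(5): a secret pseudonymization key.
# Assumption for this demo: generated here; in production it is stored in a
# KMS/HSM, separately from the pseudonymized data set, with its own access control.
PSEUDONYM_KEY = secrets.token_bytes(32)


def _normalize(identifier: str) -> bytes:
    # Canonicalize so "Alice@Example.com" and "alice@example.com" link to one pseudonym.
    return identifier.strip().lower().encode("utf-8")


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalized identifier.

    Deterministic under one key, so records for the same person still link
    (needed to honour access and deletion requests), but unlinkable to the
    original identifier for anyone without the key.
    """
    return hmac.new(key, _normalize(identifier), hashlib.sha256).hexdigest()


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256. Included only to show why it is NOT adequate
    pseudonymization: anyone with a candidate list can recompute and match."""
    return hashlib.sha256(_normalize(identifier)).hexdigest()


def pseudonymize_record(record: dict,
                        direct_identifiers: Iterable[str] = ("email", "customer_id"),
                        key: bytes = PSEUDONYM_KEY) -> dict:
    """Return a copy of `record` with the listed direct identifiers replaced by
    keyed pseudonyms. Other fields are left untouched; minimizing those is a
    separate design decision (indirect identifiers can still re-identify)."""
    out = dict(record)
    for field in direct_identifiers:
        if out.get(field) is not None:
            out[field] = pseudonymize(str(out[field]), key)
    return out


def reidentify(pseudonym: str, candidates: Iterable[str],
               key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack / legitimate re-linking, depending on who holds the key.

    With `key`, the controller can link a pseudonym back to a known identifier
    (e.g. to locate a data subject's records for a deletion request).
    Without it, the best an attacker can do is try the unkeyed hash, which
    never matches a keyed pseudonym.
    """
    for candidate in candidates:
        guess = pseudonymize(candidate, key) if key is not None else naive_hash(candidate)
        if hmac.compare_digest(guess, pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample record for the demo.
    record = {"email": "Alice@Example.com", "customer_id": "C-1001", "purchases": 3}
    # Constructed attacker word list: a handful of plausible addresses.
    candidates = ["bob@example.com", "alice@example.com", "carol@example.com"]

    pseudonymized = pseudonymize_record(record)
    print("pseudonymized record:", pseudonymized)
    print("unkeyed hash recovered by dictionary attack:",
          reidentify(naive_hash(record["email"]), candidates))
    print("keyed pseudonym recovered without key:",
          reidentify(pseudonymized["email"], candidates))
    print("keyed pseudonym recovered by key holder:",
          reidentify(pseudonymized["email"], candidates, key=PSEUDONYM_KEY))
```

Rotating the key breaks linkage between old and new pseudonyms, so a key-rotation plan has to include re-pseudonymizing stored data; and because the pseudonym is deterministic, it still counts as personal data in the controller's hands, which is exactly why the key must sit behind separate access controls.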
  • 6. Major requirements of the GDPR and the CCPA and the important differences between them (cont'd)
Some exceptions to compliance obligations
CCPA: • In order to comply with other federal, state or local laws, or with regulatory, criminal or civil investigations (note that compliance with international laws is not addressed). [1798.145(k)(1)-(2)] • To cooperate with law enforcement agencies concerning conduct or activity that may violate federal, state or local law. [1798.145(k)(3)] • To exercise or defend legal claims. [1798.145(k)(4)] • Use of consumer information that is deidentified or aggregate. [1798.145(k)(5)] • If every aspect of the commercial conduct (including collection and sale of data) occurs outside of California. [1798.145(a)(6)] • The Act does not apply to protected health information governed by California's Confidentiality of Medical Information Act or by HIPAA. [1798.145(c)] • The Act does not apply to consumer data subject to certain other laws, including the Gramm-Leach-Bliley Act and the Driver's Privacy Protection Act. [1798.145(e), (f)] • Sale or use of PI to or from a consumer reporting agency. [1798.145(d)] • Data subject to the Federal Policy for the Protection of Human Subjects (clinical trial data). [1798.145(c)(1)(C)]
GDPR: Varies depending on the right. For instance: • The data subject's right of access is limited if access would adversely affect the rights and freedoms of others. [Article 15] • The right to erasure does not apply to the extent further processing is necessary: o for exercising the right of freedom of expression and information; o for the controller's compliance obligations under EU or Member State law; o for reasons of public interest in the area of public health; o for archiving purposes in the public interest; o for the establishment, exercise or defence of legal claims. [Article 17] • Restriction of processing does not prevent processing: o for the establishment, exercise or defence of legal claims; o for the protection of the rights of another natural or legal person; o for reasons of important public interest of the European Union or of a Member State. [Article 18] • The record-keeping obligation does not apply to an organization employing fewer than 250 persons unless: o the processing is likely to result in a risk to the rights and freedoms of data subjects; o the processing is not occasional; or o the processing includes special categories of data or data relating to criminal convictions. [Article 30(5)]
Liability/responsibilities for service providers?
CCPA: No. It is the obligation of the business that collects the data to direct its service providers to delete the information. [1798.105(c)]
GDPR: Yes. Any person who has suffered damage as a result of an infringement of the Regulation has the right to receive compensation from the controller or the processor for the damage suffered. [Article 82]
  • 7. Major requirements of the GDPR and the CCPA and the important differences between them (cont'd)
Private right of action
CCPA: Only for a data breach resulting from the business's failure to implement and maintain reasonable security measures to protect PI, and only if the consumer first gives the business 30 days' written notice and an opportunity to cure before bringing an action (including a class action) for statutory damages. [1798.150]
GDPR: • Data subjects have the right to lodge a complaint with a supervisory authority. [Article 77] • Data subjects also have the right to bring proceedings against a controller or a processor before the courts of the Member State where the controller or processor has an establishment, or where the data subject has his or her habitual residence. [Article 79]
Fines and penalties
CCPA: Statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater, in consumer lawsuits. Up to $2,500 for each violation, or $7,500 for each intentional violation, in an action by the Attorney General. The Attorney General may not bring enforcement actions until six months after publication of the final regulations or July 1, 2020, whichever is sooner. [1798.150; 1798.155; 1798.185]
GDPR: Fines of up to €10 million or 2% of total annual worldwide turnover of the preceding financial year (whichever is higher) for less serious violations, and up to €20 million or 4% for more serious violations. [Article 83]
Opportunity to cure after receiving notice of violation?
CCPA: Yes. [1798.155]
GDPR: No.
Specific internal compliance role mandated?
CCPA: No.
GDPR: Appointment of an independent data protection officer, who reports to the highest level of management, is required when: • the core activities require regular and systematic monitoring of data subjects on a large scale; or • the core activities consist of large-scale processing of special categories of data (defined above) or of data relating to criminal convictions. Role of the data protection officer: • inform and advise on the GDPR and Member State data protection law; • monitor compliance with the law; • cooperate with the supervisory authority; • act as the point of contact for the supervisory authority. [Articles 37-39]
  • 8. Major requirements of the GDPR and the CCPA and the important differences between them (cont'd)
Additional record-keeping obligations?
CCPA: No.
GDPR: Organizations with 250 or more persons (and smaller organizations that fall within the exceptions noted above) must keep a record of processing activities that includes: • the purposes of the processing; • a description of the categories of data subjects and categories of personal data; • the categories of data recipients; • data retention information; • a general description of the security measures; • transfers to third countries and documentation of the suitable safeguards. [Article 30] A data protection impact assessment must be carried out prior to processing in the case of: • systematic and extensive evaluation of individuals based on automated processing, including profiling; • large-scale processing of special categories of data or of data relating to criminal convictions; • systematic monitoring of a publicly accessible area on a large scale. [Article 35]