This document provides a summary of the key requirements and differences between the California Consumer Privacy Act (CCPA) and the European Union's General Data Protection Regulation (GDPR). It outlines and compares major provisions around who and what data is regulated, consumer rights and choices, response requirements to consumer requests, when data deletion can be refused, and required privacy notices. The CCPA and GDPR both aim to give individuals more control over their personal data, but they differ in their scope and specific rights and obligations provided.
California Consumer Privacy Act: What your brand needs to know (Ogilvy Health)
The California Consumer Privacy Act (CCPA) is landmark data privacy legislation that takes effect on January 1, 2020. It gives California residents expanded rights over their personal data collected by businesses. These include the right to know what data is collected and how it is used, the right to say no to the sale of personal data, and the right to access and delete personal data. The CCPA applies to for-profit businesses that collect personal data of California residents and meet certain revenue or data thresholds. Non-compliance can result in fines of up to $7,500 per violation. Companies need to audit their data practices, get proper consent, and update privacy policies to comply with the CCPA.
California Consumer Privacy Act (CCPA): Countdown to Compliance (Tinuiti)
The document provides an overview of the California Consumer Privacy Act (CCPA) which takes effect on January 1, 2020. It discusses key aspects of the new law such as what types of businesses it applies to, definitions of personal information and what is considered a "sale" of data. The presentation recommends that companies audit their data collection practices, create processes for individuals to exercise their rights like opting out of data sales, and ensure their privacy policies are compliant with the CCPA's requirements. It outlines steps businesses should take ahead of the January 2020 deadline to be prepared for the new regulations.
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA) (Symantec)
On January 1, 2020, one of the strictest privacy laws in the US, the California Consumer Privacy Act (CCPA), will come into effect. What should governance, risk and compliance executives know in order to prepare for CCPA? Watch the on-demand recording here: https://symc.ly/2Pn7tvW.
The CCPA is set to be the toughest privacy law in the United States and a trailblazer for future state and potentially federal legislation. The Act expands the rights of consumers and requires businesses falling within its scope to be significantly more transparent about how they collect, use, and disclose personal information. Any business in scope is required to enhance its data management practices, expand its individual rights processes, and update its privacy policies by the 2020 deadline.
This webinar will review:
- 10-step plan to reach CCPA compliance by the end of the year
- Key areas still under discussion and feedback from open forums
- How enforcement will work: private action and regulator enforcement
California Consumer Privacy Act - What You Need To Know (TokenEx)
The California Consumer Privacy Act (AB 375, or CCPA for short) is a law passed by California’s state legislature in June of 2018. The new law will likely have major implications for organizations that obtain, process, or store the personal data of any California resident.
These are the slides used in the presentation I gave alongside Haydn Thomas and Andrew Cross from Lightful.
The presentation was to help charities understand the most pressing implications of GDPR from both an operational and a marketing standpoint.
You can find out more about our organisations here:
https://tech-trust.org/
https://www.lightful.com/
https://www.meetup.com/netsquaredlondon/
*Webinar* CCPA: Get Your Business Ready (MoEngage Inc.)
The impact of non-compliance with the California Consumer Privacy Act (CCPA) could be severe! If you're a business owner or an executive responsible for data and compliance for your organization, this presentation by Marit Davey, Data Privacy Compliance Expert, can be helpful.
This is a presentation comparing the high-level differences between the General Data Protection Regulation (GDPR) of the European Union and the recently enacted California Consumer Privacy Act (CCPA). The presentation covers topics such as recent events in data privacy, who must comply with the laws, what is considered personal information, and requirements that organizations must follow under both laws.
A Brave New World Of Data Protection. Ready? Counting down to GDPR. (dan hyde)
This document discusses the key requirements of the General Data Protection Regulation (GDPR) that will take effect in May 2018. It explains that GDPR will apply broadly to any company that handles personal data of Europeans, regardless of location. It outlines important concepts like data subjects, data controllers, and data processing. It also summarizes the core GDPR principles of lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; limited storage; integrity and confidentiality; and accountability. The document provides examples of lawful bases for processing personal data and notes that explicit consent is required for special categories of sensitive data.
This document provides an overview and summary of a webinar titled "Mastering Consent, Do Not Sell, Consumer Rights, and Look Back Requirements" presented by TrustArc. The webinar covered key topics related to the California Consumer Privacy Act (CCPA) including definitions of terms like "sale" and "service provider", an overview of consumer rights under CCPA, requirements for obtaining consent for sale of personal information, and how to prepare for and handle consumer rights requests. The webinar included polls to gauge participant challenges and discussed the CCPA regulations and recent amendments that provide clarification and exemptions around certain topics.
Update Your CCPA Plan with Practical Insights into the Proposed Regulations, ... (TrustArc)
Major developments related to the California Consumer Privacy Act (CCPA) were announced at the end of last week. On Thursday, October 10th California Attorney General Xavier Becerra released proposed regulations under the CCPA. The proposed regulations are intended to operationalize the CCPA and provide practical guidance to consumers and businesses subject to the law. California Governor Gavin Newsom followed with a legislative update on Friday, October 11th in which he announced that he had signed 6 privacy bills into law, including 5 amending the CCPA and a new law related to the CCPA requiring data broker registration.
View this webinar to gain valuable insights into:
- A review and analysis of the proposed CCPA implementing regulations, related amendments and the impact on your planning
- Tips and tools to operationalize compliance with the CCPA, including the four types of consumer notices (including the Do Not Sell notice); consumer privacy requests, security considerations and verification; training and record-keeping; special rules for personal information of minors; requirements for financial incentives, including calculating data value; practices for employment data and B2B transactions; and much more
- Insights into what to expect after the public comment period closes on December 6, 2019
2019-11-13 How to Comply with CCPA as Part of a Global Privacy Strategy (TrustArc)
This document provides an overview of a webinar on complying with the California Consumer Privacy Act (CCPA) as part of a global privacy strategy. It introduces the speakers and poses a polling question about challenges to developing a global privacy strategy. The webinar will discuss treating privacy as a human right, challenges in achieving privacy compliance, and how tools can help build an ecosystem of compliance to manage multiple privacy regulations globally.
Preparing for GDPR: What Every B2B Marketer Must Know (Integrate)
Considering the consequences of non-compliance (up to €20M/$24M or 4% worldwide annual revenue), this translates to a major problem for B2B marketers.
How can your team ensure its lead gen processes are GDPR-compliant without undermining demand generation performance?
View this deck to see how Julian Archer (Sr. Research Director, SiriusDecisions) and Scott Vaughan (CMO, Integrate) educate B2B marketers on: developing a comprehensive GDPR compliance strategy, putting your compliance strategy into action, and applying software to support your compliance measures.
To watch the on-demand version of the webinar, click here:
https://www.integrate.com/gdpr-compliance-b2b-marketing-webinar
GDPR Is Coming – Are Search Marketers Ready? (MediaPost)
The EU’s General Data Protection Regulation (GDPR) is the most significant change to consumer privacy laws in decades, and the enforcement date is approximately 1 month away. The standards for data collection and use in the EU will significantly differ from those in the United States. This session will break down the differences and discuss methods for compliance going forward.
PRESENTER
Gary Kibel, Partner, Davis & Gilbert LLP @GaryKibel
California Consumer Protection Act - Insight from Sia Partners (Daniel Connor)
The document discusses the California Consumer Privacy Act (CCPA), comparing it to the European Union's General Data Protection Regulation (GDPR). Some key points:
- The CCPA aims to give California residents greater control over their personal data and impose requirements on companies that collect this information, similar to GDPR.
- It provides new privacy rights like access to personal data and opting out of data sales. Companies over $25M in revenue that collect data on over 50,000 Californians are affected.
- While CCPA and GDPR share similarities, compliance with one does not guarantee compliance with the other due to differences in things like governance frameworks and consent rules.
California Consumer Protection Act - Insight from Sia Partners (Daniel Connor)
This Insight article describes the requirements of the new law applicable to California residents as well as comparing it to the new European standards in GDPR.
2019-06-11 What New US State Laws Mean For Your Business (TrustArc)
On-Demand Webinar Recording: https://info.trustarc.com/WB-2019-06-11-USDataProtectionLaws_RegPage.html
-------
While the focus over the past two years has been around global privacy regulations such as the EU GDPR regulation, individual US states have been proposing -- and enacting -- a number of privacy-impacting laws that may affect your company in new and challenging ways. From the comprehensive California Consumer Privacy Act (CCPA) to the revisions in data breach laws in Colorado, Oregon and Vermont, it can be difficult to track these changes, and even more difficult to build a compliance program with the flexibility to adapt to the constantly changing environment.
This webinar will provide:
- An overview of major new US state privacy laws and important pending legislation
- An update on the discussions and atmospherics around a comprehensive US privacy law
- Recommendations on incorporating US state privacy law compliance into a global privacy risk management program
CMR - GDPR - general introduction for marketeers (The CMR Agency)
Some general information by The CMR Agency on GDPR (the General Data Protection Regulation) from a marketing perspective, intended for readers without a legal background.
The document summarizes a webinar about recent amendments to the California Consumer Privacy Act (CCPA) and proposed regulations from the Attorney General. It discusses five CCPA amendments including exemptions for employee and contractor data and business-to-business data that will expire after one year. It also covers product warranty and vehicle information exemptions. The proposed Attorney General regulations provide detailed guidelines for businesses to comply with CCPA consumer notice requirements, privacy policy content, and responding to consumer requests. The regulations require businesses to provide clear, accessible privacy notices and a roadmap for privacy policies.
March 25, 2019, 9:30 AM
International Meeting of NAICS code Experts
Statistics Canada
Simon Goldberg Room, RH Coats building
100 Tunney’s Pasture Driveway
With research contributions by Ben Wright, Carleton University and Dustin Moores, University of Ottawa
[Title Redacted for Privacy Purposes]: How Internal Audit Can Help Drive Priv... (Kenneth Riley)
Following the adoption of GDPR in the European Union, the United States has seen its own privacy regulatory landscape evolve and develop. Beginning in California and expanding to Nevada, Maine, and beyond, ensuring organizational and technical compliance with these stringent regulations has become a priority for many organizations. These regulations have come with additional reputational and regulatory risk (e.g. fines), increased consumer rights, and an enhanced focus on how companies use data as a commodity. This webinar will unpack the key complexities surrounding those regulations, speak to how technology advancements can assist in compliance and overall privacy program maturity, and discuss how Internal Audit can prepare for and drive a proactive approach to privacy.
Luis Alberto Montezuma provides his insight on the latest sanctions imposed by the Colombian Data Protection Authority (the Superintendence of Industry and Commerce, or SIC) for using personal data to send direct marketing without first obtaining the consent of data subjects.
Published in the Official Journal of the European Union on May 4, 2016 and effective from May 24, 2016, with a two-year transition period, the legislation reforming European data protection law applies directly in Italy.
The General Data Protection Regulation, better known as GDPR, will enter into force on May 25, 2018: the legislation is going to make a significant change in how data is managed and protected by, and from, private companies.
The document discusses data protection in India as the country transitions to a digital economy. It notes that India has over 450 million internet users and the government has launched a "Digital India" initiative. However, with increased data collection and use, protection of personal data has become important. The government has drafted a white paper that outlines key principles for a data protection law, including technology neutrality, informed consent, data minimization, and accountability. The white paper was released for public consultation to help shape India's comprehensive data protection law and ensure privacy protections are balanced with enabling innovation.
Operational Impact of GDPR on Finance Industries in the Caribbean (EquiGov Institute)
A brief outline of the challenges that could be faced by financial institutions with the implementation of the GDPR, and recommendations to mitigate them.
This document discusses the importance of protecting personally identifiable information (PII) and complying with relevant laws and regulations. It covers what constitutes PII, why protection is critical to avoid identity theft, financial penalties, and reputational damage. Key aspects of PII management discussed include the storage, sensitivity, encryption of data, multi-jurisdictional issues, data ownership, procedures, and system needs across the data lifecycle. Major US privacy laws like FCRA and GLBA that regulate how PII is collected and used are also summarized.
California Consumer Privacy Act and the Role of IAM (WSO2)
The document discusses the California Consumer Privacy Act (CCPA) and how identity and access management (IAM) can help companies comply. The CCPA gives California residents new privacy rights over their personal data collected by large companies. IAM solutions can help businesses manage user consent, process data securely through features like encryption, and implement proper access controls and workflows to comply with CCPA requirements on data minimization and governance. With the law going into effect in January 2020, companies have less than a year to prepare and should leverage existing IAM tools to minimize risks of noncompliance.
Building Consumer Trust through Individual Rights / DSAR Management (TrustArc)
Perhaps the most customer facing and public compliance requirements for GDPR, CCPA and LGPD are around the rights of the data subject, often referred to as individual rights or data subject access requests (DSARs). These regulations have significantly increased the requirements on businesses regarding how they address individual rights and related requests, specifically the type of requests they need to address and the timeline and process they need to follow in order to fulfill the requests.
In order to build consumer trust and fulfil data subject rights requirements, organizations must have a consistent and streamlined process for the intake and management of consumer requests.
This webinar will review:
- Summary of data subject rights requirements for GDPR, CCPA & LGPD
- Best practices and tips to comply
- Practical steps for implementing a Data Subject Rights Management program, along with sample case studies
A Brave New World Of Data Protection. Ready? Counting down to GDPR. dan hyde
This document discusses the key requirements of the General Data Protection Regulation (GDPR) that will take effect in May 2018. It explains that GDPR will apply broadly to any company that handles personal data of Europeans, regardless of location. It outlines important concepts like data subjects, data controllers, and data processing. It also summarizes the core GDPR principles of lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; limited storage; integrity and confidentiality; and accountability. The document provides examples of lawful bases for processing personal data and notes that explicit consent is required for special categories of sensitive data.
This document provides an overview and summary of a webinar titled "Mastering Consent, Do Not Sell, Consumer Rights, and Look Back Requirements" presented by TrustArc. The webinar covered key topics related to the California Consumer Privacy Act (CCPA) including definitions of terms like "sale" and "service provider", an overview of consumer rights under CCPA, requirements for obtaining consent for sale of personal information, and how to prepare for and handle consumer rights requests. The webinar included polls to gauge participant challenges and discussed the CCPA regulations and recent amendments that provide clarification and exemptions around certain topics.
Update Your CCPA Plan with Practical Insights into the Proposed Regulations, ...TrustArc
Major developments related to the California Consumer Privacy Act (CCPA) were announced at the end of last week. On Thursday, October 10th California Attorney General Xavier Becerra released proposed regulations under the CCPA. The proposed regulations are intended to operationalize the CCPA and provide practical guidance to consumers and businesses subject to the law. California Governor Gavin Newsom followed with a legislative update on Friday, October 11th in which he announced that he had signed 6 privacy bills into law, including 5 amending the CCPA and a new law related to the CCPA requiring data broker registration.
View this webinar to gain valuable insights into:
-A review and analysis of the proposed CCPA implementing regulations, related amendments and the impact to your planning
-Tips and tools to operationalize complying with the CCPA, including - the four types of consumer notices, including the Do Not Sell notice; consumer privacy requests, security considerations and verification; training and record-keeping; special rules for personal information of minors; requirements for financial incentives including calculating data value, practices for employment data and B2B transactions; and much more
-Insights into what to expect after the public comment period closes on December 6, 2019
2019 11-13 how to comply with ccpa as part of a global privacy strategyTrustArc
This document provides an overview of a webinar on complying with the California Consumer Privacy Act (CCPA) as part of a global privacy strategy. It introduces the speakers and poses a polling question about challenges to developing a global privacy strategy. The webinar will discuss treating privacy as a human right, challenges in achieving privacy compliance, and how tools can help build an ecosystem of compliance to manage multiple privacy regulations globally.
Preparing for GDPR: What Every B2B Marketer Must KnowIntegrate
Considering the consequences of non-compliance (up to €20M/$24M or 4% worldwide annual revenue), this translates to a major problem for B2B marketers.
How can your team ensure its lead gen processes are GDPR-compliant without undermining demand generation performance?
View this deck to see how Julian Archer (Sr. Research Director, SiriusDecisions) and Scott Vaughan (CMO, Integrate) educate B2B marketers on: developing a comprehensive GDPR compliance strategy, putting your compliance strategy into action, and applying software to support your compliance measures.
To watch the on-demand version of the webinar, click here:
https://www.integrate.com/gdpr-compliance-b2b-marketing-webinar
GDPR Is Coming – Are Search Marketers Ready?MediaPost
The EU’s General Data Protection Regulation (GDPR) is the most significant change to consumer privacy laws in decades and the enforcement date is approximately 1 month away. The standards for data collection and use in the EU will significantly differ from those in the United States. This session will breakdown the differences and discuss methods for compliance going forward.
PRESENTER
Gary Kibel, Partner, Davis & Gilbert LLP @GaryKibel
California Consumer Protection Act - Insight from Sia Partners Daniel Connor
The document discusses the California Consumer Privacy Act (CCPA), comparing it to the European Union's General Data Protection Regulation (GDPR). Some key points:
- The CCPA aims to give California residents greater control over their personal data and impose requirements on companies that collect this information, similar to GDPR.
- It provides new privacy rights like access to personal data and opting out of data sales. Companies over $25M in revenue that collect data on over 50,000 Californians are affected.
- While CCPA and GDPR share similarities, compliance with one does not guarantee compliance with the other due to differences in things like governance frameworks and consent rules.
California Consumer Protection Act - Insight from Sia Partners Daniel Connor
This Insight article describes the requirements of the new law applicable to California residents as well as comparing it to the new European standards in GDPR.
2019-06-11 What New US State Laws Mean For Your BusinessTrustArc
On-Demand Webinar Recording: https://info.trustarc.com/WB-2019-06-11-USDataProtectionLaws_RegPage.html
-------
While the focus over the past two years has been around global privacy regulations such as the EU GDPR regulation, individual US states have been proposing -- and enacting -- a number of privacy-impacting laws that may affect your company in new and challenging ways. From the comprehensive California Consumer Privacy Act (CCPA) to the revisions in data breach laws in Colorado, Oregon and Vermont, it can be difficult to track these changes, and even more difficult to build a compliance program with the flexibility to adapt to the constantly changing environment.
This webinar will provide:
-An overview of major new US state privacy laws and important pending legislation
-An update on the discussions and atmospherics around a comprehensive US privacy law
-Recommendations on incorporating US state privacy law compliance into a global privacy risk management program
CMR - GDPR - general introduction for marketeersThe CMR Agency
Some general information by The CMR Agency on GDPR - General European Protection Regulation - from a marketing perspective - meant for non-legal persons
The document summarizes a webinar about recent amendments to the California Consumer Privacy Act (CCPA) and proposed regulations from the Attorney General. It discusses five CCPA amendments including exemptions for employee and contractor data and business-to-business data that will expire after one year. It also covers product warranty and vehicle information exemptions. The proposed Attorney General regulations provide detailed guidelines for businesses to comply with CCPA consumer notice requirements, privacy policy content, and responding to consumer requests. The regulations require businesses to provide clear, accessible privacy notices and a roadmap for privacy policies.
March 25, 2019, 9:30 AM
International Meeting of NAICS code Experts
Statistics Canada
Simon Goldberg Room, RH Coats building
100 Tunney’s Pasture Driveway
With research contributions by Ben Wright, Carleton University and Dustin Moores, University of Ottawa
[Title Redacted for Privacy Purposes]: How Internal Audit Can Help Drive Priv...Kenneth Riley
Following the adoption of GDPR in the European Union, the United States has seen their own privacy regulatory landscape evolve and develop. Beginning in California and expanding to Nevada, Maine, and beyond, ensuing organizational and technical compliance with these stringent regulations has become a priority for many organizations. These regulations have come with additional reputational and regulatory risk (e.g. fines), increased consumer rights, and an enhanced focus on how companies use data as a commodity. This webinar will unpack the key complexities surrounding those regulations, speak to how technology advancements can assist in compliance and overall privacy program maturity, and discuss how Internal Audit can prepare for and drive a proactive approach to privacy.
Luis Alberto Montezuma provides his insight on the latest sanctions imposed by the Colombian Data Protection Authority (the Superintendence of Industry and Commerce, or SIC) for using personal data to send direct marketing without first obtaining the consent of data subjects.
Published in the European Official Journal on May 4 2016 and become effective on May 24 2016, at a distance of two years, the legislation that will reform the European legislation on protection of data, matches its direct implementation in Italy.
The General Data Protection Regulation, better known as GDPR, will enter into force on May 25 2018: the legislation is going to make a significant change on how data is managed and protected by – and from - private companies.
The document discusses data protection in India as the country transitions to a digital economy. It notes that India has over 450 million internet users and the government has launched a "Digital India" initiative. However, with increased data collection and use, protection of personal data has become important. The government has drafted a white paper that outlines key principles for a data protection law, including technology neutrality, informed consent, data minimization, and accountability. The white paper was released for public consultation to help shape India's comprehensive data protection law and ensure privacy protections are balanced with enabling innovation.
The EU’s General Data Protection Regulation (GDPR) is the most significant change to consumer privacy laws in decades, and the enforcement date is approximately 1 month away. The standards for data collection and use in the EU will significantly differ from those in the United States. This session will break down the differences and discuss methods for compliance going forward.
PRESENTER
Gary Kibel, Partner, Davis & Gilbert LLP @GaryKibel
Operational impact of GDPR - finance industries in the Caribbean (EquiGov Institute)
A brief outline of the challenges that could be faced by financial institutions with the implementation of the GDPR, and recommendations to mitigate them.
This document discusses the importance of protecting personally identifiable information (PII) and complying with relevant laws and regulations. It covers what constitutes PII, why protection is critical to avoid identity theft, financial penalties, and reputational damage. Key aspects of PII management discussed include the storage, sensitivity, encryption of data, multi-jurisdictional issues, data ownership, procedures, and system needs across the data lifecycle. Major US privacy laws like FCRA and GLBA that regulate how PII is collected and used are also summarized.
California Consumer Privacy Act and the Role of IAM (WSO2)
The document discusses the California Consumer Privacy Act (CCPA) and how identity and access management (IAM) can help companies comply. The CCPA gives California residents new privacy rights over their personal data collected by large companies. IAM solutions can help businesses manage user consent, process data securely through features like encryption, and implement proper access controls and workflows to comply with CCPA requirements on data minimization and governance. With the law going into effect in January 2020, companies have less than a year to prepare and should leverage existing IAM tools to minimize risks of noncompliance.
Building Consumer Trust through Individual Rights / DSAR Management (TrustArc)
Perhaps the most customer-facing and public compliance requirements for GDPR, CCPA and LGPD are around the rights of the data subject, often referred to as individual rights or data subject access requests (DSARs). These regulations have significantly increased the requirements on businesses regarding how they address individual rights and related requests, specifically the type of requests they need to address and the timeline and process they need to follow in order to fulfill the requests.
In order to build consumer trust and fulfil data subject rights requirements, organizations must have a consistent and streamlined process for the intake and management of consumer requests.
This webinar will review:
-Summary of data subject rights requirements for GDPR, CCPA & LGPD
-Best practices and tips to comply
-Practical steps for implementing a Data Subject Rights Management program, along with sample case studies
Introduction to US Privacy and Data Security: Regulations and Requirements (Financial Poise)
The United States has no federal data security or privacy law covering all businesses or all U.S. citizens. Instead, federal agencies and individual states have created their own patchwork of laws and regulations which must be evaluated for their application to a business.
This webinar will help you navigate the overlapping and sometimes confusing system of laws and regulations which may impact your business, ranging from emerging state-level privacy legislation to the numerous data breach notification statutes to cybersecurity regulations with extraterritorial effect.
Part of the webinar series: CYBERSECURITY & DATA PRIVACY 2022
See more at https://www.financialpoise.com/webinars/
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur... (Financial Poise)
There is no federal law governing privacy and data security applicable to all US citizens. Rather, individual states and regulatory agencies have created a patchwork of protections that may overlap in certain industries.
This webinar provides an overview of the many privacy and data security laws and regulations which may impact your business, from the state law protecting personal information to regulations covering the financial services industry to state breach notification laws.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-us-privacy-and-data-security-2020/
Sia Partners_CCPA 2018_The American GDPR (Loïc Vachon)
The California Consumer Privacy Act (CCPA) aims to strengthen data privacy for California residents. It gives consumers new rights over their personal data and requires businesses to be more transparent about data collection and usage. While similar to Europe's GDPR, CCPA only applies to California currently. Businesses need to assess if CCPA applies to them and ensure their practices comply with its requirements, such as responding to consumer data requests. Non-compliance can result in fines of up to $750 per violation.
Future-Proof Your Workplace Privacy Approach for CPRA and Beyond (TrustArc)
The California Privacy Rights Act (CPRA) is coming fast and even companies currently complying with the California Consumer Privacy Act (CCPA) will face new challenges, including the protection of human resource (HR) data, something previously exempt under the CCPA.
Before the CPRA comes into effect, HR professionals need to be prepared to understand and comply with this new legislation. While employers were previously obligated to provide disclosure notices, they will now be required to provide their employees with the right to access, correct, and delete data.
Explore what employers need to consider to be compliant with CPRA.
Introduction to US Privacy and Data Security Regulations and Requirements (Se... (Financial Poise)
The United States has no federal data security or privacy law covering all businesses or all U.S. citizens. Instead, federal agencies and individual states have created their own patchwork of laws and regulations which must be evaluated for their application to a business.
This webinar will help you navigate the overlapping and sometimes confusing system of laws and regulations which may impact your business, ranging from emerging state-level privacy legislation to the numerous data breach notification statutes to cybersecurity regulations with extraterritorial effect.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-us-privacy-and-data-security-regulations-and-requirements-2021/
This course provides an overview of whistleblower protections for employees who blow the whistle on cybersecurity or data privacy concerns. And it offers practical tips and insights for practitioners on how to evaluate potential cybersecurity whistleblower claims and overlapping remedies to maximize damages. In addition, the course addresses the challenging issues that arise when a whistleblower simultaneously prosecutes both whistleblower retaliation and whistleblower rewards claims.
This document discusses key privacy and data security questions that in-house counsel should address. It covers the current regulatory environment, including the GDPR, CCPA, and Ohio Data Protection Act. It defines important concepts like personal data and data subject rights. It also outlines enforcement mechanisms and penalties for noncompliance, such as fines under the GDPR and private rights of action under the CCPA. In-house counsel are encouraged to understand their company's risks and compliance, have strategies for responding to incidents, and potentially form a privacy or data security committee.
The document discusses how the General Data Protection Regulation (GDPR) affects organizations collecting equal opportunities monitoring data. It states that GDPR allows organizations to continue collecting protected characteristics data for equal opportunities monitoring as it is a legal basis for processing. However, GDPR introduces stricter controls on sensitive personal data to protect privacy and safety. Organizations must establish lawful basis to process equal opportunities data and allow individuals to opt out of having their data processed. Completely anonymized equal opportunities data is not subject to GDPR.
The document compares key provisions of the proposed American Data Privacy and Protection Act (ADPPA) and California's Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Some of the key differences highlighted include:
1) ADPPA has stronger data minimization requirements and places stricter limits on the collection and use of sensitive data.
2) CCPA/CPRA provide stronger protections against future amendments that could weaken privacy, while ADPPA allows Congress to amend it.
3) ADPPA prohibits discriminatory uses of data and requires algorithmic impact assessments, while CCPA has no such protections.
4) Both laws have similar requirements
IT, Legal, Marketing and Sales departments are all affected by the European Union's General Data Protection Regulation (EU GDPR). The EU GDPR is more than an IT governance issue; it impacts the IT architecture and the user journey of your online and offline data capture processes.
On 25 May 2018, the EU’s General Data Protection Regulation (GDPR) came into effect and applies to all businesses, regardless of size, operating in the U.K., as well as all businesses outside the EU that collect or process the data of EU citizens and residents.
The purpose of this document is threefold:
1: Introduce the GDPR and highlight key pieces of the legislation that should be front-of-mind for business owners
2: Lay out a path for businesses to follow to ensure compliance by May 2018
3: Address questions put forward by businesses that completed our GDPR survey
This document discusses re-thinking trust in data practices. It covers several areas:
1. Macro and micro industry trends driving the criticality of trust, including increased regulations, societal shifts, and emerging technologies like AI and big data.
2. Embedding privacy into data operations to meet evolving privacy laws and move beyond just compliance. This includes enhancing data context, program automation, and data lifecycle integration.
3. Balancing individual choice with business value by focusing on first-party data capture, communicating privacy notices, and identifying third parties. It also discusses applying consent-based data governance.
4. Achieving sustainable data practices such as reducing data footprints to lower environmental impacts and offsetting remaining
Post US Election Privacy Updates & Implications (TrustArc)
The United States election on November 3rd will impact the future use of personal information for organizations doing business with US citizens. From presidential results to state propositions, there will be many privacy ramifications, and how we move forward to embrace the new changes is a topic that will bring many perspectives.
Join us as we discuss the implications of the US election, including California’s Proposition 24, which would expand the provisions of the CCPA, and what the next administration’s role will be in helping shape the new framework for EU-US data transfers.
-Privacy issues that were included or arose in the 2020 election
-Implications of election outcomes on privacy laws or priorities
-What to watch for in 2021
Cybersecurity, Privacy and Data Security from a Business Lawyer's Perspective (Data Con LA)
Data Con LA 2020
Description
The presentation includes a discussion of data breach cases and the takeaways from these cases, i.e., that no companies (large, medium or small) are immune from liability. I discuss the potential impact of a data breach on a business and the steps that businesses can take to protect themselves along the timeline of a breach (i.e., before, during and after). I discuss the FTC's role in the regulation and enforcement of actions related to data security and data breaches, and talk about the commercially reasonable standard that the FTC applies to determine liability, what that standard means from a legal perspective, and how it relates to data security measures and cyber insurance. I present examples of practices that the FTC has found to be commercially unreasonable and discuss what security experts have deemed to be some of the best practices when it comes to data security. I also discuss businesses' liability for their vendors' data breaches, cyber insurance, and current and future data security and privacy regulations and legislation, including the GDPR and CCPA.
The objectives of the presentation are to:
1) ensure that attendees know that they are exposed to risk in the area of cybersecurity and data breaches;
2) provide them with information to minimize that risk;
3) make them aware of current and expected privacy laws and regulations; and
4) provide pragmatic, specific actionable information to help enable them to comply with their legal obligations.
Speaker
Kathy Winger, Law Offices of Kathy Delaney Winger, Attorney/Owner
This document compares and contrasts the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).
HIPAA was implemented in the United States to protect patient healthcare data and privacy, while GDPR was implemented in the European Union to standardize and strengthen data protection for all EU citizens. Both regulations aim to protect personally identifiable information (PII) and protected health information (PHI), but GDPR has broader scope and applicability to any company that processes EU citizens' data. GDPR also provides stronger penalties for non-compliance in the form of fines up to 20 million Euros or 4% of annual revenue.
California's Tough New Privacy Law is Here. Are You Ready? (Affiliate Summit)
The document summarizes key aspects of California's new privacy law, the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020. It outlines CCPA provisions regarding consumer rights to access their personal data, opt-out of sale of personal data, and request deletion of personal data from companies. It also discusses requirements for companies covered by CCPA, including providing notices of privacy rights and complying with consumer requests. Enforcement of CCPA is described as involving penalties of up to $2500 per violation imposed by the California Attorney General.
General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)
This article was written by Judy Selby and Alison Bird. Judy Selby, founder of Judy Selby Consulting LLC, provides regulatory compliance and cyber insurance consulting services. She can be reached at judyselbyconsulting@gmail.com. Alison Bird is a partner of Turinas & Bird LLC. Her legal practice focuses on corporate law and privacy compliance. She can be reached at alison.bird@turinasbird.com. This article is for informational purposes only and not for the purpose of providing legal advice.
In May of 2018, the EU’s groundbreaking privacy and cyber security regulation, the General Data Protection Regulation (GDPR), went into effect. The GDPR covers virtually every aspect of how companies handle protected data and empowers individuals with a wide range of rights over their data. Implementing these sweeping GDPR requirements has proved to be strategically and operationally challenging for affected businesses, with few expecting to have achieved full compliance by the Regulation’s May 25, 2018, effective date.
Just as companies were catching their collective breath after racing toward the GDPR deadline, Governor Jerry Brown of California signed the hastily enacted and similarly groundbreaking California Consumer Privacy Act (CCPA). The Governor later approved certain CCPA updates. Like the GDPR, the CCPA vests individuals with more control over their protected data. Although the CCPA is expected to be further clarified prior to its January 1, 2020, effective date, it also promises to create challenging strategic and operational hurdles for covered businesses.
While there are a number of similarities between the GDPR and the CCPA — some commentators actually refer to the CCPA as “GDPR light” — understanding the specific areas of overlap as well as the differences between the two standards can help companies work more efficiently and effectively towards ongoing compliance with both.
Major requirements of the GDPR and the CCPA and the important differences between them
Comparison of the California Consumer Privacy Act of 2018 (CCPA) and the General Data Protection Regulation (GDPR):
Who is Regulated?
CCPA: A for-profit entity that:
• has gross revenues greater than $25 million;
• annually buys, receives, or sells the personal information of 50,000 or more consumers, households or devices; or
• derives 50% or more of its annual revenue from selling consumers’ personal information. [1798.140(c)]
GDPR: Any party processing personal data:
• in the Union;
• while offering goods or services to data subjects in the Union; or
• while monitoring the behavior of data subjects in the Union. [Article 3]
Who is Protected?
CCPA: Natural persons who are California residents. [1798.140(g)]
GDPR: An identified or identifiable natural person (a “data subject”) in the European Union. [Article 3.2]
What Data is Protected?
CCPA: “Personal Information” (“PI”), which is broadly defined to include information that identifies, relates to, describes, or is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household, including identifiers such as a real name, alias, online identifier, IP address, email address, account name, commercial information, and internet or other electronic network activity information, such as browsing history, search history, products and services purchased, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement. Publicly available information is excluded. [1798.140(o)]
GDPR: “Personal Data”, which is defined as any information relating to a data subject who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. [Article 4(1)]
Special Categories of Data?
CCPA: No.
GDPR: Yes. Special categories of personal data are:
• personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
• genetic data;
• biometric data;
• health data;
• data concerning sex life or sexual orientation. [Article 9]
Major requirements of the GDPR and the CCPA and the important differences between them (cont’d)
Consumer’s Rights and Choices
CCPA:
• Right to request:
o Information on categories of PI collected, sold or disclosed.
o Sources from whom the PI is collected.
o Categories of third parties to whom the PI is sold.
o Information on specific pieces of PI collected.
o Business or commercial purpose for selling or disclosing PI.
• Right to request PI deletion.
• Right to opt out of sale (with a right to equal service and price). [1798.100, 105, 110, 115, 120]
GDPR:
• Right to know whether data is being processed and, if so:
o The purpose of processing.
o Categories of data collected.
o The data retention policy.
o The existence of automated decision-making (including profiling).
• Right to correct data.
• Right to have data erased.
• Right to restrict processing in specific situations.
• Right to move data.
• Right to get a copy of the data being processed (with certain limitations).
• Right to object to automated individual decision-making. [Articles 15-22]
Response to Consumer Request
CCPA:
• 45 days (which may be extended in certain circumstances) to disclose and deliver the requested information following a verified request.
• Covers only the 12-month period preceding the request.
• Must be free of charge.
• Not required to provide PI to a consumer more than twice in a 12-month period. [1798.130(2)]
GDPR:
• One month to respond.
• Must be free of charge.
• A reasonable fee or denial of the request is permitted when the request is unfounded, excessive, or repetitive. [Article 12]
When Can a Business Refuse a Deletion Request?
CCPA:
• When necessary to complete a transaction for which the PI was collected.
• As reasonably contemplated in connection with the ongoing relationship or internal business purposes.
• For security, crime prevention, and functionality purposes.
• If the request would interfere with the right of free speech.
• For the continuation of scientific, historical, or statistical research purposes if the individual has previously provided informed consent.
• To comply with legal obligations. [1798.105(d)]
GDPR:
• If the request is manifestly unfounded or excessive.
• If the request would interfere with the right of freedom of expression and information.
• To comply with legal obligations.
• For reasons of public interest.
• For archiving purposes. [Article 12, Article 17]
Major requirements of the GDPR and the CCPA and the important differences between them (cont’d)
Required Notices?
CCPA:
• Categories, sources, and purpose of PI collection. [1798.110, 115, 130]
• Categories and purpose of PI sold. [1798.115, 130]
• Categories of PI disclosed and whether or not the disclosure was for a business purpose (or the fact that no disclosures were made for business purposes). [1798.115, 130]
• Description of the consumer’s rights and one or more methods for submitting requests. [1798.130]
• Categories of third parties with whom data is shared. [1798.10, 130]
• Right to opt out of sale of PI. [1798.120(b)]
• Right to request deletion of PI. [1798.105]
• A web address and a toll-free number for consumers. [1798.130]
• A clear and conspicuous link on the homepage, entitled “Do Not Sell My Personal Information”, for businesses that sell PI. [1798.135]
GDPR:
• Categories and purpose of data collection.
• Recipients of personal data.
• Identity and contact information of the controller (and of the representative and data protection officer, where applicable).
• The purpose and legal basis for data processing.
• If data is to be transferred outside of the EU, information regarding appropriate or suitable safeguards (such as model contractual clauses).
• The period for which personal data will be stored.
• Existence of the right to request access to and rectification or erasure of personal data, or restriction of processing.
• Right to withdraw consent to processing, if applicable.
• Right to lodge a complaint with the supervisory authority.
• The existence of automated decision-making, including profiling.
• If further processing is to be conducted beyond the original scope, disclosure of such additional processing. [Article 13]
Security Requirement
CCPA: Duty to implement and maintain reasonable security measures to protect PI. [1798.150]
GDPR: Duty to implement appropriate organizational measures to ensure a level of security appropriate to the risk, including, as appropriate:
• Pseudonymization and encryption of personal data.
• Ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services.
• Ability to restore availability in a timely manner.
• A process for regularly testing, assessing and evaluating the effectiveness of security measures. [Article 32]
Major requirements of the GDPR and the CCPA and the important differences between them (cont’d)
Some Exceptions to Compliance Obligations
CCPA:
• In order to comply with other federal, state, or local laws, as well as regulatory, criminal and civil investigations (note: compliance with international laws is not addressed). [1798.145(k)(1)-(2)]
• To cooperate with law enforcement agencies concerning conduct or activity that may violate federal, state, or local law. [1798.145(k)(3)]
• To exercise or defend legal claims. [1798.145(k)(4)]
• Use of data that is deidentified aggregate consumer information. [1798.145(k)(5)]
• If every aspect of the commercial conduct (including collection and sale of data) occurs outside of California. [1798.145(a)(6)]
• The Act does not apply to personal health information governed by California’s Confidentiality of Medical Information Act or HIPAA. [1798.145(c)]
• The Act does not apply to consumer data subject to certain other laws, including the Gramm-Leach-Bliley Act and the Driver’s Privacy Protection Act. [1798.145(e), (f)]
• Sale or usage of PI to or from a consumer reporting agency. [1798.145(d)]
• Data subject to the Federal Policy for the Protection of Human Subjects (clinical trial data). [1798.145(c)(1)(C)]
GDPR: Varies depending on the right. For instance:
• The data subject’s right to access information is limited if access would adversely affect the rights and freedoms of others. [Article 15]
• The right to erasure does not apply to the extent further processing is necessary:
o For exercising the right of freedom of information.
o For the controller’s compliance obligations under EU or Member State law.
o For reasons of public interest or public health.
o For archiving purposes in the public interest.
o For the establishment, exercise, or defense of legal claims. [Article 17]
• The right to restrict processing does not apply:
o To the establishment, exercise, or defense of legal claims.
o To the protection of the rights of another natural or legal person.
o For reasons of important public interest of the European Union or of a Member State. [Article 18]
• Certain record-keeping obligations do not apply to an organization employing fewer than 250 persons unless:
o The processing is likely to result in a risk to the rights and freedoms of data subjects;
o The processing is not occasional; or
o The processing applies to Special Categories of Data or criminal convictions. [Article 29]
Liability/Responsibilities for Service Providers?
CCPA: No. It is the obligation of the business which collects the data to direct its service providers to delete information. [1798.105(c)]
GDPR: Yes. Any person who has suffered damage due to a breach of the Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered. [Article 82]
Major requirements of the GDPR and the CCPA and the important differences between them (cont’d)
California Consumer Privacy Act of 2018 General Data Protection Regulation
Private Right of Action
CCPA: Only for violation of the business' duty to implement and maintain reasonable
security procedures and practices to protect PI, where the violation results in a
data breach, and only if, before bringing an action for statutory damages
(individually or on a class-wide basis), the consumer gives the business written
notice and a 30-day opportunity to cure. [1798.150]
GDPR:
• Data subjects have a right to lodge a complaint with a supervisory authority.
[Article 77]
• Data subjects also have a right to an effective judicial remedy against a
controller or a processor before the courts of the Member State where the
controller or processor has an establishment or where the data subject has his
or her habitual residence. [Article 79]
Fines and Penalties
CCPA: Statutory damages between $100 and $750 per consumer per incident, or actual
damages, whichever is greater, in consumer lawsuits. Up to $2,500 for each
violation or $7,500 for each intentional violation in an action by the Attorney
General. The AG may not bring enforcement actions until six months after
publication of the final regulations or July 1, 2020, whichever is sooner.
[1798.150; 1798.155; 1798.185]
GDPR: Administrative fines of up to €10 million or 2% of total worldwide annual
turnover of the preceding financial year (whichever is higher) for less serious
violations, and up to €20 million or 4% (whichever is higher) for more serious
violations. [Article 83]
Opportunity to cure after receiving notice of violation?
CCPA: Yes. [1798.155]
GDPR: No.
Specific Internal Compliance Role mandated?
CCPA: No.
GDPR: Yes, in certain cases. Appointment of an independent data protection officer
who reports to the highest level of management is required when:
• The processing is carried out by a public authority or body (except courts
acting in their judicial capacity);
• Core activities require regular and systematic monitoring of data subjects on a
large scale; or
• Core activities consist of processing on a large scale data relating to criminal
convictions or special categories of data (defined above).
Role of the data protection officer:
• Inform/advise regarding GDPR and Member State laws.
• Monitor compliance with the law.
• Cooperate with the supervisory authority.
• Act as point of contact for the supervisory authority. [Articles 37-39]
Additional Record Keeping Obligations?
CCPA: No.
GDPR: Yes. Organizations with 250 persons or more (and smaller organizations
falling within the exceptions noted above) must keep a record of processing
activities which includes:
• The purpose of data processing.
• Description of categories of data subjects and categories of personal data.
• Categories of data recipients.
• Data retention periods (envisaged time limits for erasure).
• General description of security measures.
• Transfers to third countries and documentation of suitable safeguards.
[Article 30]
A data protection impact assessment must be carried out prior to processing that
is likely to result in a high risk to individuals, in particular:
• Systematic and extensive evaluation of personal aspects based on automated
processing, including profiling, on which decisions with legal or similarly
significant effects are based.
• Large scale processing of special categories of data or data relating to
criminal convictions.
• Systematic monitoring of a publicly accessible area on a large scale.
[Article 35]