Category

Topic

GDPR Provision

CPRA Provision

1

Scope

Effective Date

May 25, 2018

January 1, 2023 with the following caveats:

(1) the right of access shall only apply to personal information collected by a business on or after January 1, 2022

(2) extends the CCPA’s exemption re: the collection of personal data of a job application and/or employee and/or contractor by a business from an expiration date of January 1, 2021 to January 1, 2023

(3) the CPRA’s changes to the funding dynamics of the Consumer Privacy Fund, the regulation process, and the creation and funding of the California Privacy Protection agency all become operative on the effective date of the CPRA (i.e. 5 days after voting results are certified)

2

Scope

Who is Regulated?

Applies to “Controllers” (entities who determine the purposes and means of the processing of personal data) and “Processors” (third parties that process personal data on behalf of the controller) who are either: (a) established in the EU, regardless of whether the processing takes place in the EU or not, or (b) not established in the EU that either offer goods or services (irrespective of paid or not) to, or monitor behavior of, EU data subjects. [Article 3]

Small and medium-sized enterprise (“SMEs”) that process personal data as described above do have to comply with the GDPR. However, if the processing isn’t a core part of a SME’s business and their activity doesn’t create risks for individuals, then some obligations of the GDPR will not apply to them (e.g. appointment of a Data Protection Officer).

A for-profit “Business” that “collects consumers’ personal information” and has the following thresholds:

(1) gross revenue greater than $25 million in the preceding calendar year OR

(2) buys/sells/shares personal information on over 100,000 consumers or households; OR

(3) derives 50% or more of its revenue from selling or sharing consumer personal information.

Also covers (a) any entity that controls or is controlled by a business and “shares common branding” with the business and “with whom the business shares consumers’ personal information”; (b) “a joint venture or partnership composed of businesses In which each business has at least a 40 percent interest”; and (c) any entity that does business in California and voluntarily certifies to the California Privacy Protection Agency that it is in compliance with the CRPA. [§ 1798.140(d)]

3

Scope

Who is Protected?

An identified or identifiable natural person (i.e. a real person, not a corporation, and not a deceased person), regardless of whether they are a resident of the EU. Also referred to as a “data subject.” [Article 4(1)]

A “Consumer” that is a natural person who is California resident. [§ 1798.140(i)] Resident defined per Cal. Rev. Code § 17014 as

(1) Every individual who is in this state for other than a temporary or transitory purpose.

(2) Every individual domiciled in this state who is outside the state for a temporary or transitory purpose.

4

Scope

Do Children Get Special Protection?

Yes. In general children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. [Recital 38].

Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. EU states may provide by law for a lower age but not below 13 years. [Article 8] And children must be able to receive privacy notices in clear and plain language for them to understand. [Article 12].

Yes, “a business shall not sell or share the personal information” of children aged from 13-16 unless the child directly “opts-in” to the sale. For children under 13, a business requires parental consent to the sale or sharing of their child’s personal data. [§ 1798.120(c)-(d)] Furthermore, for children under 16 who did not give consent, businesses must “wait for at least 12 months before requesting the consumer’s consent again” or “until the consumer attains 16 years of age.” [§ 1798.135(a)]

In addition, the Privacy Protection Agency can level administrative enforcement fines of $7500 per violation of the law in cases where the “business, service provider, contractor or other person has actual knowledge that the consumer is under 16 years of age.” [§ 1798.155(a)]

Note that the provisions of the CPRA relating to children under 16 years of age shall only apply to the extent not in conflict with Children’s Online Privacy Protection Act (COPPA). [Sec. 30 Savings Clause]

5

Scope

Covers Employees?

Yes. EU states “may by law or by collective agreements also provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organization of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.” [Article 89]

No, not until January 1, 2023. Specifically, “the title shall not apply to … personal information that is collected by a business about a natural person in the course of the natural person acting as … an employee.” Nor shall the consumer rights (right of access, deletion, etc.) “apply to personal information reflecting a written or verbal communication or a transaction between the business” and the employee. Also applies to job applicants and contractors. [§§ 1798.145(m) – (n)]

6

Scope

What Information is Protected?

“Personal data” which means “any information relating to an identified or identifiable natural person (i.e. “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” [Article 4]

“Personal information” (PI) means “information that identifies, relates to, describes, is reasonably capable of being associated with …”a particular consumer or household. It then lists specific examples such as:

(1) Identifiers such as a real name, alias, postal address, unique personal identifier (which can include a device), IP address, email address, account name, social security number, driver’s license number, and passport number;

(2) Commercial information, including records of personal property, products or services purchased, or other purchasing or consuming histories or tendencies;

(3) Biometrics;

(4) Internet or other network activity information (e.g. browsing history);

(5) Geolocation data;

(6) Audio, electronic, visual, thermal, olfactory, or similar information;

(7) Professional or employment-related information;

(8) Education information as defined in FERPA;

(9) Inferences drawn from any of the information above; and

(10) Sensitive personal information (definition below)

It does not include publicly available information, data that is lawfully obtained and truthful and a matter of public concern, and data that is “lawfully made available to the public by the consumer or from widely distributed media.” Does not apply to information that is deidentified. Nor does it apply to data already covered by federal privacy laws such as HIPAA, GLBA, FCRA and GLBA. [§§ 1798.140(v) and 1798.145(c)-(f)]

7

Scope

Additional Restrictions on Sensitive Data?

Yes. “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.” However, this will not apply in a number of cases including if the data subject gives explicit consent; is done in the context of labor or employment laws; is done for social security legislation; is done in the vital interest of the data subject, and others. [Article 9]

Yes. “Sensitive Personal Information” (SPI) includes a consumer’s:

(1) social security, driver’s license, state ID card, or passport number;

(2) account log-in (including access code and password), financial account, debit card, or credit card number

(3) precise geolocation;

(4) racial or ethnic origin, religious or philosophical beliefs, or union membership — ala the GDPR;

(5) mail, email and text messages, unless the business is the intended recipient of the communication;

(6) genetic and biometric data;

(7) personal information collected and analyzed concerning a consumer’s health;

(8) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation. [§ 1798.140(ae)]

Businesses must inform consumers that they are collecting SPI, the purposes for collection, and whether SPI will be sold and shared as well as the length of time this data will be stored. Businesses cannot collect additional SPI for additional purposes that are incompatible with the disclosed purpose, and cannot store SPI beyond the expressed length of time. [§ 1798.100(a)] A consumer shall have the right at any time to limit the use of their SPI. [§ 1798.121(a)] A business must also either put on its homepage a clear link titled “Limit the Use of My SPI” or support an opt-out signal. As SPI is personal information, a consumer can also request that the business does not sell or share SPI, [§ 1798.135 (a)] as well respect the consumer’s rights re: personal information (right to access, delete, rectify, etc.).

8

Scope

Exemptions?

The GDPR does not apply to the processing of personal data in the context of (a) purely personal or household activity; (b) deceased individuals; (c) if it in unstructured hardcopy format; and (d) national security and/or law enforcement. [Article 2]

There are several exemptions for both businesses and types of personal data collected.

For businesses:

(1) Businesses that are non-profits and/or small businesses under $25m and/or don’t collect the requisite amount of personal data (per “Who is Regulated?” above) [§ 1798.140(d)]

(2) Businesses should not be restricted in order to comply with civil, criminal or regulatory inquiry and/or a subpoena/summons by a government authority [§ 1798.145(a)]

For types of personal data:

(1) Usage of personal data in emergency situations [§ 1798.145(a)]

(2) Personal data subject to sector-specific federal and/or state privacy laws such as GLBA, HIPAA, California’s Confidential Medical Information (CMI) Act [§§ 1798.145(c)-(f)]

(3) Personal data involving ownership of motor vehicles (e.g. such as information collected for recalls) [§ 1798.145(g)]

(4) Personal data involving job applicants, employees, contractors and owner/directors of businesses til January 1, 2021 [§ 1798.145(m)]

(5) Personal data that is deidentified or aggregate data [§ 1798.145(a)]

(6) Personal data collected as part of a clinical trial [§ 1798.145(c)]

(7) Personal data collected outside of California involving non-California residents [§ 1798.145(a)]

(8) Personal data involving grades, educational scores and educational test results [§ 1798.145(q)]

(9) Personal data such as a photograph in a yearbook if consent given [§ 1798.145(r)]

9

Scope

Lawful Bases to Process Personal Data?

GDPR has six legal bases for processing data: 1. Performance of a contract; 2. Legal obligation; 3. Performance of a task in the public interest; 4. Consent from the individual; 5. Legitimate interest; and 6. Protect the vital interests of an individual. [Article 6]. Specific to consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data, and have a record of when the consent was given. Consent shall be presented in a manner which is clearly understood. It must informed consent, freely given (i.e. “opt-in”) and can be revoked. [Article 7]

No. The US Constitution’s 1st Amendment in general lets a business collect data that it wants to (see Sorrell v. IMS Health Inc.). But the CRPA requires that a business disclose what categories and the purpose for which they are collecting personal information (see Right to be Informed below), so as long as the consumer is informed and they don’t opt out (or opt-in in the case of minors), the business can collect. CRPA also requires businesses to retain personal information for no longer than necessary. But note that Section 5(a) of the FTC Act provides that “unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful.” 15 U.S.C. Sec. 45(a)(1).

10

Scope

Law is Protected from Watering Down?

N/A

Yes. The CPRA may be amended after its approval by the voters by a statute that is passed by a vote of a majority of the members of each house of the Legislature and signed by the Governor, provided that such amendments are “consistent with and further the purpose and intent” of the CPRA.

11

Individual Rights

Right to be Informed (aka Right to Know or Right to be Notified)

At the time personal data is obtained, the controller must provide the data subject detailed information about its data collection and protection activities, including the legal basis for the processing, as well as instruct the data subject on their individual rights vis a vis their personal data. The controller must also provide notice regarding personal data collected by third parties. [Articles 13, 14]

A business that “controls the collection” of PI and/or SPI shall, “at or before the point of collection,” inform the consumer the categories and purposes of PI and/or SPI “that are collected or used and whether such information is sold or shared.” PI and/or SPI shall not be collected for additional purposes that incompatible with the disclosed purpose for which that information is collected. The business needs to also inform of the length of time of the collection of that information. [§ 1798.100(a)] Furthermore, businesses must also inform consumers what rights the consumer has vis a vis the personal data, e.g. consumers need to be told they also have the right to request deletion of their personal data. [§ 1798.105(b)] Besides having the right to know what personal information is sold and shared, consumers have the right to know to whom. [§ 1798.115(b)]

12

Individual Rights

Right to Access

“Data subjects have the right to obtain from the controller whether or not personal data about the subject is being processed, and if that is the case, be able to access that personal data” as well additional information such as the purposes of processing, the categories of personal data, the recipients of that data, how long that data will be stored, etc. [Article 15]

“A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories” and “specific pieces of personal information the business it has collected.” [§ 1798.110(a)] This includes any third-parties the business has shared the personal data with. And that the business shall provide that information once they verified the consumer request. Furthermore, a business shall “disclose and deliver the required information to a consumer free of charge to the consumer” within a 45 day period of receiving a verifiable consumer request. The disclosure “shall cover the 12-month period preceding the business’s receipt of the verifiable consumer request,” and any right beyond the 12-month period “shall only apply to personal information collected on or after January 1, 2022.” [§ 1798.130(a)] A business “shall not be required to provide personal information to a consumer more than twice in a 12-month period.” [§ 1798.130(b)]

13

Individual Rights

Right to Correct (aka Right to Rectification)

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed. [Article 16] Furthermore, the controller must take steps to inform other recipients of that subject’s personal data being rectified. [Article 19]

“A consumer shall have the right to request a business that maintains inaccurate personal information about the consumer correct such inaccurate personal information.” [§ 1798.106(a)]

14

Individual Rights

Right to Delete (aka Right to Erasure or Right to be Forgotten)

Data subjects have the right to obtain from the controller the erasure of personal data under six different scenarios including the personal data is no longer necessary in relation to the purposes for which they were collected, the data subject withdraws consent and there is no other lawful bases for processing and the personal data have been unlawfully processed. [Article 17] Furthermore, the controller must take steps to inform other recipients of that subject’s personal data being erased. [Article 19]

“A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” [§ 1798.105(a)] The business must also notify any service providers or contractors, as well as to “notify all third parties to whom the business has sold or shared that information,” to also delete the consumer’s personal information from their records. A service provider or contractor is not required to fulfill a deletion requested submitted directly by the consumer. [§ 1798.105(c)] There are 8 exceptions in [§ 1798.105(d)] including performing the contractual obligations that exist between business and consumer, help insure security and integrity, debugging, the exercise of free speech, and engage in research that conforms to applicable ethics and privacy laws.

15

Individual Rights

Right to Restrict Processing

GDPR lets a data subject to have the right to restrict the controller’s processing of the data subject’s data under a few scenarios including the accuracy of the personal data is contested by the data subject or the processing is unlawful. [Article 18] Furthermore, the controller must take steps to inform other recipients of that subject’s personal data being restricted. [Article 19]

N/A, with exception of the right to opt-out of the selling and sharing of personal information and also the limiting use of sensitive personal information (see below).

16

Individual Rights

Right to Data Portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. [Article 20]

As part of a consumer’s Right to Access, a business shall “provide the specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format, which also may be transmitted to another entity at the consumer’s request without hindrance.” [§ 1798.130 (a)]

17

Individual Rights

Right to Object to Processing

“The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her.” Objections can be based on concerns over profiling, direct marketing, scientific and other matters. [Article 21]

N/A, with exception of the right to opt-out of the selling and sharing of personal information and also the limiting use of sensitive personal information (see below).

18

Individual Rights

Right to “Opt Out” of Sale and Sharing of Personal Information (aka Right to Say No)

This is not one of GDPR’s formally defined rights per se (was added to this cheat sheet to benchmark against CCPA and CPRA), but GDPR does provide other rights that can net the same result. e.g. the right to object: “Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.” [Article 21] In addition, data subjects could revoke their right of consent as part of their right of erasure vis a vis direct marketing. [Article 17]

“A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information. This right may be referred to as the right to opt-out of sale or sharing.” [§ 1798.120(a)]

19

Individual Rights

Right to Limit Use of Sensitive Personal Information (including Precise Geolocation)

This is not one of GDPR’s formally defined rights per se (was added to this cheat sheet to benchmark against CCPA and CPRA), but this is an implicit right in that the use of sensitive personal information is prohibited: “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.” However, this will not apply in a number of cases including if the data subject gives explicit consent; is done in the context of labor or employment laws; is done for social security legislation; is done in the vital interest of the data subject, and others. [Article 9] For other categories of personal information that are found in the CPRA definition of sensitive data, GDPR provides the right of restriction and objection (see above).

“A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services.” [§ 1798.121 (a)] Recall that sensitive personal information includes precise geolocation.

20

Individual Rights

Right to Reject Automated Decision Making and Profiling

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” Exceptions include the data subject’s explicit consent or the performance of a contract. [Article 22]

The CPRA leaves the possibility of this right being issued as a regulation by the Privacy Protection Agency. [§ 1798.185 (a)]

21

Individual Rights

Right of No Retaliation (aka Right to not be Discriminated Against)

This is not one of GDPR’s formally defined rights per se (was added to this cheat sheet to benchmark against CCPA), but GDPR is implicit that discrimination is not allowed. e.g. “The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to … rise to discrimination”. [Recital 75]

The CPRA states that if a consumer requests access or any of their individual rights, they can’t be discriminated against. Examples include (and directly quoted from [§ 1798.125(a)]):

(1) Denying goods or services to the consumer.

(2) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.

(3) Providing a different level or quality of goods or services to the consumer.

(4) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

The CPRA specifically states that this right “does not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs.”

22

Obligations

Privacy Policy Disclosure

Per Article 5, the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 of Article 5 (‘accountability’), with the first item of paragraph 1 in Article 5 being that personal data shall be “processed lawfully, fairly and in a transparent manner in relation to the data subject.” Which means an obligation of the controller is to publish clear privacy notice and inform the data subject of their rights, including their “Right to be Informed.” [Article 5]

A business that “controls the collection” of PI and/or SPI shall, “at or before the point of collection,” inform the consumer the categories and purposes of PI and/or SPI “that are collected or used and whether such information is sold or shared.” PI and/or SPI shall not be collected for additional purposes that incompatible with the disclosed purpose for which that information is collected. The business needs to also inform of the length of time of the collection of that information. [§ 1798.100(a)] Furthermore, businesses must also inform consumers what rights the consumer has vis a vis the personal data, e.g. consumers need to be told they also have the right to request deletion of their personal data. [§ 1798.105(b)] Businesses must also tell consumer not only what personal information is sold and shared, but they must disclose to consumers to whom. [§ 1798.115(b)]

23

Obligations

Data Protection by Design and Default

Controllers must implement data protection by design and by default. e.g. “the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimization, in an effective manner.” Furthermore, “the controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.” [Article 25]

A business shall not collect additional categories of PI and/or SPI that are “incompatible with the disclosed purpose for which the personal information was collected, without providing the consumer with notice.” [§ 1798.100(a)] Clearly a business must design their systems and apps to identify not only what data is personal but what is sensitive information. A business shall not collect this data “for longer than is reasonably necessary for that disclosed purpose” (i.e. principle of storage limitation). Furthermore, the “business’s collection … of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed” (i.e. data or purpose minimization, aka principle of proportionality). [§ 1798.100(c)] Finally, a business must also “implement reasonable … procedures and practices appropriate to the nature of the personal information to protect.” [§ 1798.100(e)]

24

Obligations

Written Contracts with Processors / Service Providers / Contractors / Third Parties

“Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.” [Article 28]

“A business that collects a consumer’s personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with such third party, service provider, or contractor.” The contract must include that the PI used, sold or shared is only for a limited and specified purpose and those entities must also comply with the CPRA’s obligations re: the protection of PI and the rights of consumers over their PI. [§ 1798.100(d)]

The definition of contractor and service provider does specify that a business can enforce via contract the ability for the business to monitor “compliance with the contract through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months.” [§ 1798.140(ag)] Furthermore, both service providers and contractors must assist businesses in complying with the CCPA, e.g. verified consumer deletion requests [§ 1798.105(c)]. But “a service provider or contractor shall not be required to comply with a deletion request submitted by the consumer directly to the service provider or contractor.”

A contractor or service provider that engages another entity to assist in the processing of a business’s personal information must “notify the business of such engagement.” [§ 1798.140(ag)]

25

Obligations

Maintain Records of Processing Activities

“Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.” [Article 30]

The Privacy Protection Agency will create regulations “specifying record keeping requirements for businesses to ensure compliance with this title.” [§ 1798.199.40] It is implied that records need to be maintained re: what personal information is shared or sold with which third parties. Also, a “business may maintain a confidential record of deletion requests.” [§ 1798.105(c)] Furthermore, a business should document their security procedures and practices to show compliance of implementing reasonable security procedures. [§ 1798.150(a)]

26

Obligations

Respond to Rights Requests

“The controller shall facilitate the exercise of data subject rights … and shall not refuse to act on the request of the data subject for exercising his or her rights … unless the controller demonstrates that it is not in a position to identify the data subject.” Furthermore, “the controller shall provide information on action taken on a request … to the data subject without undue delay and in any event within one month of receipt of the request.” [Article 12]

A business must respond to a “verifiable consumer request.” [§ 1798.140(ak)] Furthermore, a business must “disclose and deliver the required information to a consumer free of charge within 45 days” and can extend the 45 days once. [§ 1798.130(a)] This information must be provided “free of charge to the consumer” but “shall not be required to provide personal information to a consumer more than twice in a 12-month period.” [§ 1798.130(a)] Businesses must also respond to other rights requests (e.g. deletions, do not sell, etc.) with no limitations. [§ 1798.105(c), 1798.120(d)]

27

Obligations

New Homepage Links Required (e.g. do not sell/share personal information, limit use of sensitive personal information)

N/A

A business must “provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell or Share My Personal Information,” as well as a link titled “Limit the Use of My Sensitive Personal Information” to Internet Web page(s) that enable a consumer, or a person authorized by the consumer, to opt-out of the sale and sharing of the consumer’s personal information and/or limiting the use of their SPI. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.” [§ 1798.135(a)] A business may support on their web page and mobile application an “opt-out preference signal” that automatically indicates the consumer’s intent to opt-out and/or limit usage. The technical specifications of this “opt-out signal preference” will be defined via regulations created by the Privacy Protection Agency. [§ 1798.135(b)]

28

Obligations

Implement Appropriate Security Measures

“The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk” including “pseudonymisation and encryption of personal data” as well “ensure the ongoing confidentiality, integrity availability and resilience of processing systems and services.” [Article 32]

“A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.” [§ 1798.100(e)] In addition, the Privacy Protection Agency will issue regulations “requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to: … perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent.” [§ 1798.185(a)]

Furthermore, existing California law states that “a business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” [§ 1798.81.5]

29

Obligations

Security Breach Notification

Controllers must notify both the supervisory authority and impacted data subjects within 72 hours. There is a carve out with the supervisory authority where “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” The carve out with data subjects is if the data were encrypted and not readable. [Article 33, 34]

N/A, but California has an existing (and separate) data breach notification law § 1798.82.

30

Obligations

Data Protection Impact Analysis

“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” [Article 35]

The Privacy Protection Agency will issue regulations “requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to: (A) perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent” … and (B) “submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal Information.” [§ 1798.185(a)]

31

Obligations

Data Protection Officers

Controllers and processors must appoint a Data Protection Officer in specific instances including when their core activities include monitoring of data subjects on a large scale. The DPO should have a certain amount of independence and be the main point of contact with the supervisory authority. Specific tasks are spelled out in Article 39. [Articles 37-39]

N/A

32

Obligations

Adhere to the Rules of Cross-Border Data Transfers

Transfers of personal data outside the EU are restricted with the following exceptions: (1) OK to transfer to countries or territories deemed “adequate” by the European Commission in terms of the protection of personal data (note the US or states such as California do not have an “adequacy decision”; (2) where there is an EU-approved transfer agreement and/or mechanism (e.g. the EU-US Privacy Shield and/or binding corporate rules between a controller and a processor); or (3) there an exception to specific personal data such as explicit consent. [Articles 44-50]

N/A

33

Enforcement

Dedicated Supervisory Authority

Each European Union Member State shall have at least one independent “Supervisory Authority” (SA) [Article 51] that “shall contribute to the consistent application of this Regulation throughout the Union.” [Article 51]. Each SA shall “remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.” [Article 52]. Each SA shall “shall facilitate the submission of complaints” that are “free of charge” for data subjects. [Article 57]. Each SA has a number of investigative and corrective powers as well as authorization and administration powers, including the ability to issue fines. [Article 58] Each SA “shall draw up an annual report on its activities” [Article 59] and cooperate with other SAs [Article 60] and provide mutual assistance [Article 61].

The European Data Protection Board is an oversight organization that “ensure the consistent application of this Regulation” and provides advisory services to both Member States’ SAs as well as the European Commission [Article 70]. It issues “guidelines, recommendations, and best practices on procedures” related to the GDPR. [Article 69] The Board will be composed of the head of each Member State’s SA [Article 68] and shall act independently. [Article 69]. “The Board shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organisations.” [Article 71]

The CPRA establishes Privacy Protection Agency (PPA), whose primary mission is to “protect the fundamental privacy rights of natural persons with respect to the use of their personal information” [§ 1798.199.40] and is vested with full administrative power, authority and jurisdiction to implement and enforce the California Consumer Privacy Act. [§ 1798.199.10] The PPA has a 5 member board who appoints an executive director. [§ 1798.199.30] The PPA enforces the CPRA through administrative actions, and is also tasked to “promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale and disclosure of personal information.” [§ 1798.199.40]. The PPA is funded through the Consumer Privacy Fund, with annual budget of $10 million from the State’s General Fund. [§ 1798.199.195] The regulations associated with the CPRA will be adopted by the California Attorney General with “broad public participation” [§ 1798.185] but once the PPA is operational will assume ownership of the regulation process [§ 1798.199.40]

34

Enforcement

Penalties (Civil Fines)

A range of penalties can be issued by Supervisory Authorities including: (1) fines up to €20 million or 4% of annual worldwide turnover; (2) requiring entities to change how they process personal data; and/or (3) stopping entities from processing data altogether. [Articles 83-84]

“Upon the sworn complaint of any person or on its own initiative,” the PPA “may investigate possible violations of this title relating to any business, service provider, contractor, or person.” [§ 1798.199.45] Violators of the CPRA will be given 30 day notice by the PPA [§ 1798.199.50], and when the PPA “determines there is probable cause for believing this title has been violated, it shall hold a hearing to determine if a violation has or violations have occurred.” If the PPA determines a violation has occurred, it can issue a cease and desist order, as well order an entity to “pay an administrative fine of up to two thousand five hundred dollars ($2,500) for each violation, or up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers to the Consumer Privacy Fund within the General Fund of the state.” [§ 1798.199.55] The PPA “may subpoena witnesses, compel their attendance and testimony, administer oaths and affirmations, take evidence and require by subpoena the production of any books, papers, records or other items material to the performance” of the PPA’s duties. [§ 1798.199.65]

35

Enforcement

Penalties (Private Rights of Action)

Data subjects have private rights of actions that be filed against controllers and processors. These private rights of actions can be for material or non-material damage. Furthermore, there is mechanism spelled out how to enable a not-for-profit body, organization or association to bring class action claims. Data subjects can also lodge complaints with Supervisory Athorities. [Articles 77-82]

The CPRA enables a consumer’s private right of action if their “nonencrypted and nonredacted personal information” or “whose email address in combination with a password or security question and answer that would permit access to the account” was “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Damages may be “not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.” [§ 1798.150(a)] There is not another right of action beyond a breach occurring (e.g. no private right of action if a business is not deleting their information upon request). Furthermore, the definition of “personal information” is from a narrower definition of personal information found in [§ 1798.81.5]. Note that “actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated” but the “implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach.” [§ 1798.150(b)]