Editor’s Note: WRAL TechWire recently launched a 5-part series on data privacy law to clarify one of the most dynamic and complex areas of technology law. This is part 3. Previous posts are embedded in this story.

Steve Britt is Counsel for Cyber, Data Privacy & Technology (CIPP/E, CIPM), Parker Poe and Sarah Hutchins is Partner for Cyber, Data Privacy & Technology (CIPP/US), Parker Poe.

+++

Just as California was the first state to enact a data breach notification law in 2002 (Alabama was the 50th in 2018), it was the first state to enact a comprehensive data privacy law in 2020, known as the California Consumer Privacy Act (CCPA). Using the GDPR as a guide, but putting its own stamp on the end result, California gave the CCPA many things in common with the GDPR, including:

  • A broad definition of personal information to include any information relating to or that could be used to identify a natural person, including internet protocol (IP) addresses, device data and other online identifiers,
  • Adoption of most (but not all) GDPR data subject rights, subject to clear and transparent explanations of how those rights can be exercised,
  • The requirement for detailed privacy notices on the data collected, the purposes of this collection and whether it is shared with third parties,
  • The requirement of restrictive contracts for certain types of third parties with whom data is shared,
  • The imposition of risk-based data security standards,
  • The requirement for comprehensive employee training for all personnel handling personal information,
  • A limited private cause of action for a data breach resulting from the failure to provide reasonable data security with statutory damages of $100 to $750 per consumer per incident in such actions, and, finally,
  • Enforcement of the CCPA by a government agency, in this case the California Attorney General.

Data privacy and you: what you really need to know from a legal perspective

At the time of its enactment, the CCPA was called GDPR-Lite, but that was really only conceptually true, as the CCPA differed from the GDPR in some significant ways. For example, CCPA:

  • Did not apply to non-profit or government organizations and exempted employees and business-to-business (B2B) contacts for 3 years,
  • Applied only to for-profit companies doing business in California that, together with co-branded affiliates, generated worldwide annual revenues of $25,000,000 or more, processed data on at least 50,000 consumers (including their devices) or received 50% of their revenue from the sale of personal information,
  • Granted a private cause of action for damages from a data breach resulting from a failure to provide adequate data security (14 states now allow a private cause of action in their data breach notification laws),
  • Excluded entities regulated by Gramm-Leach-Bliley, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act and information regulated by the Health Insurance Portability and Accountability Act (HIPAA),
  • Required a web button on a company’s homepage titled “Do Not Sell My Personal Information” for the transfer of personal information to a third party who does not qualify as a “service provider”,
  • Defined as a “sale” of data any transfer for “non-monetary consideration”, which captured Advertising Technology and Marketing Technology providers, and
  • Did not require cookie pop-ups or affirmative consent for marketing communications.

Guest Review: General Data Protection Regulation, or GDPR – Where It All Began

However, as ambitious as the CCPA was, before the ink dried, in November 2020 California enacted the California Privacy Rights Act (CPRA) by ballot measure, effective January 1, 2023. The CPRA amended the CCPA and expanded it in several significant ways. For example, the CPRA:

  • Increased the CCPA’s jurisdictional trigger to the collection of data on 100,000 consumers (from 50,000) and removed coverage of a consumer’s “devices”,
  • Excluded co-branded affiliates from the definition of covered businesses, unless the California business actually shares personal information of Californians with its affiliate,
  • Included a new category of personal information called “sensitive information” and extended the opt-out right to cover this data,
  • Created a third-party data disclosure category called “sharing” and expanded the “Do Not Sell” button to “Do Not Sell Or Share My Personal Information”,
  • Extended its data rights to cover a company’s employees and business-to-business (B2B) contacts, and
  • Created the first dedicated state data privacy regulator in the nation (called the California Privacy Protection Agency) with broad regulatory powers, including 22 new areas for potential new regulation.

The expansive powers of the California Privacy Protection Agency (CPPA) should not be overlooked, especially since the CCPA has already been subject to four rounds of Attorney General regulations, in some cases imposing rules that go beyond what was provided for in the law. Additionally, California’s private cause of action and, in some other jurisdictions, the possibility of litigation under data breach laws has exponentially increased the risks associated with handling data.

The complexity of the CCPA, as amended by the CPRA, already rivals the GDPR, and California and the European Union have expressed a goal to work together on cross-border transfer restrictions and a range of other EU GDPR initiatives. Meanwhile, as we will see in our next article, other US states are taking inspiration from California.

Steve Britt, CIPP/E, CIPM, is a cybersecurity, data privacy and technology attorney with the law firm Parker Poe. He focuses his practice on cybersecurity and data privacy laws and regulations. Britt advises clients on all data protection laws. He can be reached at [email protected].

Sarah Hutchins, CIPP/US, is a cybersecurity, data privacy and technology attorney with the law firm Parker Poe. She helps clients navigate commercial litigation, government investigations, data privacy and cybersecurity. Hutchins can be reached at [email protected].