Editor’s note: WRAL TechWire recently launched a 5-part series on data privacy law to bring some clarity to one of the fastest growing and most complex areas of technology law. This is part 3. The previous posts are embedded in this story.

Steve Britt is Counsel for Cyber, Data Privacy & Technology (CIPP/E, CIPM), Parker Poe and Sarah Hutchins is Partner for Cyber, Data Privacy & Technology (CIPP/US), Parker Poe.

+++

Just as California was the first state to enact a data breach notification law in 2002 (Alabama was the 50th state in 2018), it was the first state to enact a comprehensive data privacy law in 2020, known as the California Consumer Privacy Act (CCPA). Using GDPR as a guide, but putting its own stamp on the end result, California shared many elements in common with GDPR, including:

  • A broad definition of personal information, to include any information that relates to or could be used to identify a natural person, including IP (internet protocol) addresses, device data and other online identifiers,
  • Adoption of most (but not all) of GDPR’s data subject rights, subject to clear, transparent explanations of how those rights may be exercised,
  • The requirement for detailed privacy notices about what data is collected, the purposes for such collection and whether it is shared with third parties,
  • The requirement for restrictive contracts for certain types of third parties with which the data is shared,
  • Imposition of risk-based data security standards,
  • The requirement of comprehensive employee training for all personnel handling personal information,
  • A limited private cause of action for a data breach resulting from the failure to provide reasonable data security with statutory damages of $100-$750 per consumer per incident in such actions, and, finally,
  • Enforcement of CCPA by a government agency, in this case the Attorney General of California.

At the time of its enactment, CCPA was referred to as GDPR-Lite, but that was really only true in a conceptual sense as CCPA differed from GDPR in some meaningful ways. For example, CCPA:

  • Did not apply to nonprofits or governmental organizations and exempted employees and business-to-business (B2B) contacts for 3 years,
  • Only applied to for-profit companies doing business in California that, together with commonly branded affiliates, had global annual revenues of $25,000,000 or more, processed data on at least 50,000 consumers (including their devices) or received 50% of their revenue from the sale of personal information,
  • Granted a private cause of action for damages from a data breach that resulted from the failure to provide adequate data security (14 states now permit a private cause of action in their data breach notification laws),
  • Excluded entities regulated by Gramm-Leach-Bliley, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act and information regulated by the Health Insurance Portability and Accountability Act (HIPAA),
  • Required a web button on a company’s home page labeled “Do Not Sell My Personal Information” for transferring personal information to a third party which did not qualify as a “service provider,”
  • Defined as a “sale” of data any transfer for “non-monetary consideration” which captured advertising technology and marketing technology providers, and
  • Did not require cookie pop-ups nor affirmative consent for marketing communications.

However, as far-reaching as CCPA was, before the ink on it could dry, in November 2020, California enacted the California Privacy Rights Act (CPRA) by ballot initiative, effective January 1, 2023. CPRA amended CCPA and expanded it in several meaningful ways. For example, CPRA:

  • Raised the jurisdictional trigger on CCPA to collection of data on 100,000 consumers (rather than 50,000) and dropped the coverage of a consumer’s “devices,”
  • Excluded commonly branded affiliates in the definition of covered businesses unless the California business actually shared the personal information of Californians with its affiliate,
  • Included a new category of personal information called “sensitive information” and expanded the Right of Opt-Out to cover such data,
  • Created a category of third-party disclosure of data called “sharing” and expanded the “Do Not Sell” button to “Do Not Sell or Share My Personal Information,”
  • Expanded its data rights to cover a business’s employees and business-to-business (B2B) contacts, and
  • Created the first-in-the-nation dedicated state data privacy regulator (called the California Privacy Protection Agency) with broad regulatory powers, including 22 new areas for potential new regulation.

The expansive powers of the California Privacy Protection Agency (CPPA) should not be overlooked, especially since CCPA has already been the subject of four rounds of Attorney General regulations, in some cases imposing rules beyond what was provided in the statute. Also, California’s private cause of action and, in certain other jurisdictions, the possibility of litigation under data breach laws has exponentially increased the risks relating to data management.

The complexity of CCPA, as amended by CPRA, already rivals GDPR but both California and the European Union have expressed the goal of working together on cross-border transfer restrictions and an array of other EU initiatives. Meanwhile, as we will see in our next article, other US states are taking their cues from California.

Steve Britt, CIPP/E, CIPM, is a cyber, data privacy & technology attorney at law firm Parker Poe. He focuses his practice on cybersecurity and data privacy laws and regulations. Britt counsels his clients on the full range of data protection laws. He may be reached at stevebritt@parkerpoe.com.

Sarah Hutchins, CIPP/US, is a cyber, data privacy & technology attorney at law firm Parker Poe. She helps clients navigate business litigation, government investigations, and data privacy and cybersecurity. Hutchins may be reached at sarahhutchins@parkerpoe.com.