California Consumer Privacy Act and General Data Protection Regulation: A Guide to California Businesses

16 December 2019 Publication
Authors: Jennifer J. Hennessy Chanley T. Howell James R. Kalyvas Steven M. Millendorf Jennifer L. Rathburn Eileen R. Ridley Aaron K. Tantleff

Beginning with the California Online Privacy Protection Act (CalOPPA) in 2004, California has led the U.S. in adopting laws to protect the privacy of its residents. California continued this trend by enacting the California Consumer Privacy Act of 2018 (CCPA) to become the first state in the U.S. with a comprehensive consumer privacy law. Under the CCPA, which is effective as of January 1, 2020, entities doing business in California and their service providers will have new data protection duties and California consumers will have new rights regarding their personal information (including the right to bring a private action).

Included among these new duties are requirements for businesses to update or create privacy notices, provide consumers a choice whether to permit the selling of their personal information as well as other rights to access or delete their personal information, and create new restrictions on business models that rely on the monetization of personal data. The first section of Foley’s California Consumer Privacy Act and General Data Protection Regulation: A Guide to California Businesses is designed to help businesses understand the scope of the CCPA as well as identify consumers’ rights and highlight obligations for businesses under the CCPA.

CCPA Scope

Notably, as sweeping as CCPA is, certain organizations that are subject to federal privacy laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) are excluded from the CCPA’s provisions for personal information activities related to their core businesses, though they may still be subject to some of the CCPA’s requirements for their employee personal information.

The CCPA’s sweeping scope mimics another important international privacy law. The General Data Protection Regulation (GDPR) went into effect on May 25, 2018, repealing the previous Data Protection Directive of 1995. For businesses subject to the GDPR, which includes both businesses that have establishments in the European Union (EU) and businesses outside of the EU that offer their goods and services to individuals in the EU, the GDPR created significant additional privacy obligations as well as new rights for data subjects.

The GDPR’s obligations include requirements to adopt a Data Protection Officer (DPO) and a representative in the EU for businesses without an establishment in the EU, as well as duties to conduct privacy impact assessments and adopt the principle of privacy by design. Data subjects have the right to obtain information about the collection and use of their personal data as well as a copy of their personal data, have their personal data corrected or deleted, and object to and restrict the processing of their personal data. The second section of this guide is designed to help businesses subject to the GDPR understand their obligations and consumers’ rights under the GDPR.

GDPR Scope

Entities that do business in California may be subject to both the GDPR and the CCPA. Although the GDPR and the CCPA have many similarities, compliance with the GDPR is not sufficient to comply with the CCPA. Each of these laws has its own unique requirements. Nevertheless, businesses that have already adopted policies and procedures to become compliant with the GDPR have a significant head start to becoming compliant with the CCPA. The third section of this guide is designed to assist businesses in understanding the differences between the GDPR and the CCPA as well as what they may need to do to become compliant with the CCPA if they are already compliant with the GDPR.

To learn more about your business’s obligations under the CCPA and how Foley can help guide you in your compliance efforts, please contact any of the attorney authors listed below.