June 5, 2019

Data Privacy: From California to the European Union


  • Recent data privacy scandals have shaken the confidence of consumers worldwide, leading to calls to regulate what internet businesses can do with people’s personal information.
  • Two of the most prominent data privacy laws influencing our domestic debate are the EU General Data Protection Regulation and the California Consumer Privacy Act.
  • Both laws are based upon the principle that people own their personal information and should have control over it, but there are important differences between them.

As data breaches make headlines, consumers are increasingly concerned about the security of their personal information on the internet. At least three Senate committees have begun discussions and held hearings on data privacy: Commerce; Judiciary; and Banking.

Two of the most prominent data privacy laws currently influencing the discussions are the European Union General Data Protection Regulation and the California Consumer Privacy Act. The GDPR has been in force for just over a year. The CCPA built upon many of the principles of the GDPR, and is scheduled to take effect in January 2020. These two laws together end up covering a large number of American businesses and other groups, and they are already affecting how data is handled on the internet.  

EU General Data Protection regulation

The GDPR took effect on May 25, 2018, with the goal of standardizing data protection law across all 28 EU countries. The regulation grants EU residents ownership rights in their personal information and requires businesses, public bodies, and non-profits to protect consumers’ personal data for transactions that occur within Europe or involve the data of EU residents. GDPR applies to any U.S. business that operates in the EU or processes data of people in the EU.

GDPR — What’s Covered?

The GDPR defines personal information as direct or indirect information related to an identifiable person. Examples include name, identification number, location data, and biometric data. It gives people a variety of rights based on the principle of ownership of data. One of these is the right for data to be erased, also known as the “right to be forgotten.” Exceptions include freedom of expression, research purposes, and establishing or exercising legal claims or obligations.

Courts have required search engines to remove links to content deemed to be “inadequate, irrelevant, or no longer relevant.”

For example, a court in Europe ordered Google to remove links in search results related to a decade-old crime committed by an anonymous British businessman. The accuracy of the information was not in dispute; the deciding factor was relevancy. In America, the First Amendment would generally prohibit such rulings. But the internet has no boundaries. Rulings from Europe that apply across the global internet may conflict with the U.S. Constitution and the First Amendment’s right to free speech.

The GDPR gives people the right to be informed of the categories of personal information being collected, the purpose of the collection, and their other rights under the regulation. They must opt in to having their data collected and processed and can see the data that’s been gathered about them. People also can have their data easily transferred from one entity to another, called the right of data portability.

Businesses and other entities must generally obtain consent prior to collecting data, and they must explain why it is collected and how it’s used. They are not allowed to use the data for a different reason later, without consent. One result of this requirement has been pop-up consent boxes. Consumers often do not have the option to use the service if they choose not to consent.

Under the GDPR, minors under 16 years old must have their parents’ or guardians’ consent to allow their data to be collected. Member states are allowed to lower that age to 13.

GDPR — How Is It Enforced?

Each EU member state’s data protection authority is tasked with producing guidance and issuing regulations on the GDPR. These authorities also have powers to investigate, issue warnings and reprimands, and impose fines.

The Irish Data Protection Commission has been the most active, due to the fact that many major U.S. technology companies’ European headquarters are located in Ireland. Other countries also have acted; for example, France’s data authority recently fined Google €50 million for allegedly violating GDPR access and consent rules.

The regulation also requires certain businesses to appoint data protection officers. These officers advise companies on best practices and monitor compliance with the GDPR. Officers also serve as the main point of contact with regulators.

Finally, the GDPR authorizes fines for non-compliance of up to 4 percent of a business’ global annual revenues or €20 million, whichever is higher.

California Consumer privacy act

The CCPA grants California residents rights regarding their personal information and imposes responsibilities on companies doing business in California. While it incorporates several GDPR concepts, such as the rights of access, portability, and data deletion, there are areas where the two differ.

CCPA — What’s Covered?

The law applies to any for-profit entity doing business in California that meets one of the following: has a gross revenue greater than $25 million; buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes; derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Because California is the fifth largest economy in the world, the CCPA is expected to have worldwide impact. It also will end up applying to a large share of all businesses across the United States.

The CCPA definition of personal information is expansive. It includes information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly with a particular consumer or household. Examples include names, IP addresses, email addresses, driver’s license numbers, Social Security numbers, and passport information. The law excludes some categories of personal information, including medical information covered by the California Confidentiality of Medical Information Act and the Health Insurance Portability and Accountability Act, as well as financial information covered by the Gramm-Leach-Bliley Act. The CCPA does not apply to de-identified or aggregate consumer information.

Consumers can have their data deleted, with some exceptions including data necessary to exercise free speech, fulfill a contract, or conduct scientific, historical, or statistical research. People have the right to be informed about the categories of data being collected and the purpose for which it is collected. They also have the right to opt out of the selling of their data. As with the GDPR, consumers have the right to access their data and to data portability.

The California law requires businesses to include a link on their home page with the words “Do Not Sell My Personal Information.” The link must allow the consumer to opt out of the sale of personal information.

Businesses are required to offer both a posted privacy policy as well as specific notice at or before the time data is collected, known as “point of collection notices.” Posted privacy policies must spell out consumers’ rights, list the categories of data collected, list the purpose for which data could be sold or disclosed, and be updated annually. Point of collection notices must inform consumers of the categories of data to be collected and the purposes for which the categories of data will be used.

Under the CCPA, businesses have to give minors the right to opt in. Business are required to get affirmative consent for consumers under 16 years old before selling data. Parents or guardians must provide the consent for children under 13.

CCPA — How Is It Enforced?

If a business is notified it is not complying with the law, it has 30 days to fix any violation. Businesses found to have intentionally violated the law can incur penalties of up to $7,500 per violation. The California attorney general is tasked with providing guidance and is authorized to issue regulations.

The CCPA also provides for a private right of action in instances of security violations and data breaches. Consumers whose sensitive data is breached may file a civil action for statutory damages of up to $750 per data breach or actual damages, whichever is greater.


Data Privacy

Issue Tag: Technology