The Weight of “GDPR Lite”

Mar 19, 2019

By Dawn Ingley


In June, 2018, California’s legislature took the first steps to ensure that the state’s approach to data privacy was trending more closely to the European Union’s General Data Protection Regulation (GDPR), the de facto global industry standard for data protection.  Though legislators have acknowledged that further refinements to the California Consumer Privacy Act (CCPA) will be necessary in the coming months, its salient requirements are known:

  • California consumers (broadly defined as California residents—this definition is inclusive of both employee data and other data that is not traditionally “consumer” data) may require a covered business to provide them with a copy of their personal information, delete their personal information, and not sell their personal information.  Under CCPA, personal information includes:
    • real name or alias, physical address, biometric information;
    • IP address, email address, unique personal identifier, online identifiers;
    • account name, driver’s license number, passport number;
    • characteristics of protected classes;
    • records of purchasing history or tendencies;
    • internet browsing or search history, information related to web site interactions, geolocation data;
    • audio or visual data, olfactory data; and
    • employment or education data
  • CCPA applies to for-profit businesses that collect California consumers’ personal information, determine the purposes and means of processing such information, do business in California AND meet or surpass one or more of the following criteria:
    • $25,000,000.00 in annual gross revenues;
    • Buy/sell/share and/or receive, on an annual basis, the personal information of at least 50,000 California consumers, households or devices; OR
    • 50 percent of annual revenue comes from selling California consumers’ personal information.
  • Businesses subject to CCPA must maintain an inventory of personal information collected and advise California consumers as to the categories of personal information collected, along with the purposes of collection of each such category.
  • Businesses subject to CCPA further must provide consumers with the following information:
    • Consumers’ rights under CCPA;
    • Link to its “Do Not Sell My Personal Information” opt-out functionality;
    • Two or more communication methods for consumers to submit requests to the business (but at a minimum, a toll-free telephone number and a website address); and
    • Any incentives to be provided to consumers in exchange for their consent.

For businesses not subject to GDPR, compliance with CCPA is a formidable task with an aggressive deadline that is fast approaching.  For those businesses already subject to and in compliance with GDPR, the leap into CCPA compliance would appear to be far less of a burden, as the overlaps are considerable.  Yet there are a few areas of which businesses already subject to and complying with GDPR should take note:

Definition of Personal Information:

  • CCPA: Slightly broader definition than GDPR, in that it covers not only data collected about an individual, but also data collected about a household or at the device level.
  • GDPR: Applies generally to any information related to an identified or identifiable person.

Opt-Out Right for the Sale of Personal Information

  • CCPA: Businesses must comply with a consumer’s request to opt-out of the sale of personal information to third parties, with narrow exceptions.
  • GDPR: No specific right to opt-out of personal data sales, but it does include an opt-out for the processing of data for marketing purposes, as well as the ability to withdraw consent for processing.


  • CCPA: Prohibits selling personal information of a consumer under age 16 without consent.  Children ages 13-16 may provide direct consent.  Parental consent is required for children under 13.  COPPA requirements apply over and above these requirements.
  • GDPR: Default age for consent to any type of data processing is 16, but member state laws may further lower the age (but no lower than 13).   Age-appropriate privacy notices must be used for children. 

Civil Penalties:

  • CCPA: Civil penalties of up to $7,500 per violation.
  • GDPR: A percentage of gross revenues (up to 4% of annual global turnover or 20 million Euros).

“Do Not Sell My Personal Information” Internet Website Page

  • CCPA: Required.
  • GDPR: Not Required.

Breach Notification Obligation:

  • CCPA: Less objective than GDPR—“in the most expedient time possible, without unreasonable delay” (from California’s existing breach notification law).
  • GDPR: 72 hours after becoming aware of the breach.

Private Right of Action

  • CCPA: Consumers may pursue claims, but recovery of damages is limited to the greater of up to $750 (per consumer, per incident), or actual damages.
  • GDPR: European residents may pursue compensatory claims against both controllers and processors of personal data for material or non-material damages.

No Discrimination Resulting from An Exercise of Consumer Rights

  • CCPA: Consumers must not be discriminated against because of any exercise of their rights.
  • GDPR: No explicit provision regarding discrimination.

The areas set forth above illustrate subtle but important nuances in the requirements of CCPA and GDPR.  In many respects, the requirements of GDPR are, indeed, dramatically more comprehensive than those of CCPA.  Yet companies that attempt to leverage only their GDPR compliance activities and duties as an “overlay” for CCPA compliance may miss small but critical variations that CCPA presents.

