GDPR and Extraterritorial Scope – Data Security and Privacy

The GDPR has extraterritorial reach, meaning it applies to organizations outside the EU that process the personal data of EU residents if the processing activities are related to the offering of goods or services to, or monitoring the behavior of, EU data subjects.

Non-Compliance and Penalties:

Organizations found to be in breach of the GDPR can face significant fines, which can be up to 4% of their global annual revenue or €20 million, whichever is higher, depending on the severity of the violation (Figure 7.3).

Figure 7.3: GDPR implications (source: https://www.emotiv.com/glossary/gdpr/)

The GDPR aims to empower individuals with more control over their personal data and encourage organizations to handle data responsibly, securely, and transparently. Its impact has been significant, driving data privacy discussions worldwide and influencing the enactment of similar privacy regulations in other regions.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a comprehensive data privacy law that was enacted in the state of California, United States. It went into effect on January 1, 2020, and provides California residents with enhanced privacy rights and control over their personal information. The CCPA is one of the most influential data privacy laws in the United States and has served as a model for other state-level privacy legislation (Figure 7.4).

Figure 7.4: California Consumer Privacy Act

Key Provisions of the CCPA:

  • Consumer Rights: The CCPA grants California consumers several rights concerning their personal information, including the right to know what personal data is collected, sold, or disclosed about them, the right to request deletion of their personal information, and the right to opt out of the sale of their data.
  • Notice and Transparency: Businesses subject to the CCPA are required to inform consumers about their data collection and sharing practices by providing a clear and easily accessible privacy notice.
  • Right to Opt-Out of Data Sale: Businesses that sell consumers’ personal information must provide a clear and conspicuous “Do Not Sell My Personal Information” link or button on their websites, allowing consumers to opt out of the sale of their data.
  • Non-Discrimination: Businesses are prohibited from discriminating against consumers who exercise their CCPA rights, meaning they cannot deny goods or services, charge different prices, or provide different quality levels based on a consumer’s exercise of their privacy rights.
  • Data Security Obligations: Businesses are required to implement reasonable security measures to protect consumers’ personal information from unauthorized access, disclosure, and other potential breaches.
  • Applicability and Thresholds: The CCPA applies to businesses that meet specific thresholds, such as having annual gross revenues over a certain amount, handling personal information of a certain number of California residents, or deriving a significant portion of their revenue from selling personal information.
  • Children’s Privacy: The CCPA includes provisions related to collecting and selling personal information from minors, requiring affirmative opt-in consent for minors under the age of 16 and parental consent for those under 13.
  • Data Processing Agreements: Businesses that share personal information with service providers are required to have written contracts that govern how the service providers handle that data.

Enforcement and Penalties:

The California Attorney General enforces the CCPA. In case of violations, businesses can face penalties of up to $2500 per violation or up to $7500 for intentional violations.

Impact and Influence:

The CCPA has had a significant impact on privacy discussions in the United States and has prompted other states to consider similar privacy legislation. It paved the way for the enactment of the California Privacy Rights Act (CPRA), a ballot initiative that further enhances data privacy rights in California and creates a dedicated privacy enforcement agency.

Overall, the CCPA empowers consumers in California with greater control over their personal information and encourages businesses to be more transparent and accountable in their data-handling practices.
