Draper Goren Holm, LLC

PRIVACY NOTICE FOR CALIFORNIA RESIDENTS

Effective Date: January 1, 2020

This Privacy Notice for California Residents supplements the information contained in the Privacy Policy of Draper Goren Holm, LLC (“we,” “us,” “our” or “Company”) at https://drapergorenholm.com/privacy and applies solely to all visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”), and any terms defined in the CCPA have the same meaning when used in this notice.

Information We Collect

Our Website collects information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In particular, Company’s website (drapergorenholm.com) has collected the following categories of personal information from its consumers within the last twelve (12) months:

Category A: Identifiers.
Examples: A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
Collected: YES

Category B: Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
Examples: A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.
Collected: YES

Category C: Protected classification characteristics under California or federal law.
Examples: Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
Collected: NO

Category D: Commercial information.
Examples: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Collected: YES

Category E: Biometric information.
Examples: Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
Collected: NO

Category F: Internet or other similar network activity.
Examples: Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
Collected: YES

Category G: Geolocation data.
Examples: Physical location or movements.
Collected: NO

Category H: Sensory data.
Examples: Audio, electronic, visual, thermal, olfactory, or similar information.
Collected: YES

Category I: Professional or employment-related information.
Examples: Current or past job history or performance evaluations.
Collected: NO

Category J: Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
Examples: Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
Collected: NO

Category K: Inferences drawn from other personal information.
Examples: Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Collected: NO

Personal information does not include:

  • Publicly available information from government records.
  • Deidentified or aggregated consumer information.
  • Information excluded from the CCPA’s scope, like:
    • Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
    • Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

Company obtains the categories of personal information listed above from the following categories of sources:

  • Directly from you. For example, from forms you complete or products and services you purchase.
  • Indirectly from you. For example, from observing your actions on our Website.

Use of Personal Information

We may use or disclose the personal information we collect for one or more of the following business purposes:

  • To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to request a price quote or ask a question about our products or services, we will use that personal information to respond to your inquiry. If you provide your personal information to purchase a product or service, we will use that information to process your payment and facilitate delivery. We may also save your information to facilitate new product orders or process returns.
  • To provide, support, personalize, and develop our Website, products, and services.
  • To create, maintain, customize, and secure your account with us.
  • To process your requests, purchases, transactions, and payments and prevent transactional fraud.
  • To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
  • To help maintain the safety, security, and integrity of our Website, products and services, databases and other technology assets, and business.
  • For testing, research, analysis, and product development, including to develop and improve our Website, products, and services.
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • As described to you when collecting your personal information or as otherwise set forth in the CCPA.
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Draper Goren Holm, LLC’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Draper Goren Holm, LLC about our Website users is among the assets transferred.

Company will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Personal Information

Company may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

We share your personal information with the following categories of third parties:

  • Service providers.

Disclosures of Personal Information for a Business Purpose

In the preceding twelve (12) months, Company has disclosed the following categories of personal information for a business purpose:

  • Category A: Identifiers.
  • Category B: California Customer Records personal information categories.
  • Category C: Protected classification characteristics under California or federal law.
  • Category D: Commercial information.
  • Category F: Internet or other similar network activity.
  • Category H: Sensory data.

We disclose your personal information for a business purpose to the following categories of third parties:

  • Service providers.

Sales of Personal Information

In the preceding twelve (12) months, Company has not sold personal information in the following categories of personal information:

  1. Identifiers.
  2. California Customer Records personal information categories.
  3. Protected classification characteristics under California or federal law.
  4. Commercial information.
  5. Biometric information.
  6. Internet or other similar network activity.
  7. Geolocation data.
  8. Sensory data.
  9. Professional or employment-related information.
  10. Non-public education information.
  11. Inferences drawn from other personal information.

Your Rights and Choices

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that Company disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you (also called a data portability request).
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
    • sales, identifying the personal information categories that each category of recipient purchased; and
    • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

Deletion Request Rights

You have the right to request that Company delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  • Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debug products to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

  • Emailing us at privacy@drapergorenholm.com
  • Visiting drapergorenholm.com/privacy
  • Contacting us via Live Chat through your existing Account Management Panel (AMP).
  • Submitting a ticket to customer service through your Account Management Panel (AMP).

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.

Making a verifiable consumer request does not require you to create an account with us. However, we do consider requests made through your password protected account sufficiently verified when the request relates to personal information associated with that specific account.

We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

For instructions on exercising sale opt-out rights, see Personal Information Sales Opt-Out and Opt-In Rights.

Response Timing and Format

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance, specifically in .PDF, .TXT, or .DOC format.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Personal Information Sales Opt-Out and Opt-In Rights

If you are 16 years of age or older, you have the right to direct us to not sell your personal information at any time (the “right to opt-out”). We do not sell the personal information of consumers we actually know are less than 16 years of age, unless we receive affirmative authorization (the “right to opt-in”) from either the consumer who is between 13 and 16 years of age, or the parent or guardian of a consumer less than 13 years of age. Consumers who opt-in to personal information sales may opt-out of future sales at any time.

To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by emailing us at privacy@drapergorenholm.com

You do not need to create an account with us to exercise your opt-out rights. We will only use personal information provided in an opt-out request to review and comply with the request.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.

Other California Privacy Rights

California’s “Shine the Light” law (Civil Code § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to privacy@drapergorenholm.com or write us at:

P.O. Box
Draper Goren Holm Group, LLC
1112 Montana Ave, Suite 384
Santa Monica, CA 90402
California

Changes to Our Privacy Notice

Company reserves the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will post the updated notice on the Website and update the notice’s effective date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.

Contact Information

If you have any questions or comments about this notice, the ways in which Company collects and uses your information described above and in the Privacy Policy at https://drapergorenholm.com/privacy, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Website: drapergorenholm.com

Email: privacy@drapergorenholm.com

Postal Address:

P.O. Box
Draper Goren Holm Group, LLC
1112 Montana Ave, Suite 384
Santa Monica, CA 90402
California

CALIFORNIA’S CONSUMER PRIVACY ACT OF 2018 SECTION-BY-SECTION NOTICE REQUIREMENT SUMMARY

The following chart identifies and summarizes the primary statute sections relating to the CCPA’s generalized notice or disclosure requirements.

Cal. Civ. Code § 1798.100(b)
Must inform consumers, before or at the point of collection:

  • What personal information categories a business collects.
  • Its intended use purposes.

Prohibits collection of additional personal information categories or using collected personal information for additional purposes without providing this required notice.

Cal. Civ. Code § 1798.105(b)
Must disclose the consumer’s deletion right. Cross-references Section 1798.130 for the disclosure requirement.

Cal. Civ. Code § 1798.110(c)
If a business collects personal information about a consumer, it must disclose:

  • Personal information categories collected.
  • Source categories for the personal information collected.
  • Business or commercial purposes for collecting or selling personal information.
  • Third-party categories with which the business shares personal information.
  • The specific pieces of personal information the business has collected about that consumer.

Cross-references Section 1798.130(a)(5)(B) for the disclosure requirement.

NOTE: While Section 1798.110(c)(5) does list “the specific pieces of personal information the business has collected about that consumer” as a required piece of information in the online privacy disclosure, this is likely a statutory drafting error (see Practice Note, Understanding the California Consumer Privacy Act (CCPA): History of the CCPA). Businesses should probably interpret this requirement as referring to the consumer’s specific information (access) rights and not as a requirement to include individual personal information in the online privacy notice (see Practice Note, Understanding the California Consumer Privacy Act (CCPA): Specific Information Rights).

Cal. Civ. Code § 1798.115(c)
If a business sells personal information or discloses personal information for a business purpose, it must disclose the personal information categories:

  • Sold or include a statement that it has not sold personal information.
  • Disclosed for a business purpose or include a statement that it has not disclosed personal information.

Cross-references Section 1798.130(a)(5)(C) for the disclosure requirement.

Cal. Civ. Code § 1798.115(d)
A third-party purchaser of a consumer’s personal information cannot resell that information unless the consumer receives explicit notice and an opportunity to opt-out. Cross-references Section 1798.120 establishing the consumer’s personal information sales opt-out and opt-in rights.

Cal. Civ. Code § 1798.120(b)
If a business sells personal information to third parties, it must provide notice to consumers that:

  • It may sell their information.
  • Consumers have the right to opt-out of these sales.

Cross-references Section 1798.135(a) for notice requirements.

Cal. Civ. Code § 1798.125(b)(2) and (3)
If a business offers financial incentives for personal information collection, sale, or deletion, it must notify consumers of the financial incentives and clearly describe the material terms. Cross-references Section 1798.135 for notice requirements.

Cal. Civ. Code § 1798.130
Primary section discussing both general and specific notice requirements. Cross-references:

  • Section 1798.100 (statute introduction and general establishment of information rights).
  • Section 1798.105 (deletion right).
  • Section 1798.110 (disclosures for business that collects personal information).
  • Section 1798.115 (disclosures for business that sells personal information or discloses personal information for a business purpose).
  • Section 1798.125 (non-discrimination rights).

Subsections related to general or public disclosures and notices are described below.

Cal. Civ. Code § 1798.130(a)(1)
Must make available two or more designated methods for submitting verified consumer requests for information disclosures required under:

  • Section 1798.110 (disclosures for business that collects personal information).
  • Section 1798.115 (disclosures for business that sells personal information or discloses personal information for a business purpose).

Contact methods must include, at minimum:

  • Toll-free telephone number.
  • Website address, if the business maintains an internet website.

Cal. Civ. Code § 1798.130(a)(5)
Must disclose the following information:

  • A description of the following consumer rights and one or more methods for submitting consumer requests:
    • Section 1798.110 (disclosures for business that collects personal information);
    • Section 1798.115 (disclosures for business that sells personal information or discloses personal information for a business purpose); and
    • Section 1798.125 (non-discrimination rights).
  • A list of the personal information categories the business collected in the preceding 12 months.
  • A list of the personal information categories the business sold in the preceding 12 months or a statement that no sales took place.
  • A list of the personal information categories the business disclosed for a business purpose in the preceding 12 months or a statement that no disclosures took place.

The lists must use the 11 categories enumerated in the personal information definition in Section 1798.140(o) that most closely describe the personal information.

Disclosure must occur:

  • In the business’s online privacy policy, if it exists.
  • In any California-specific description of consumer’s privacy rights, if it exists.
  • On its internet website, if the business does not maintain an online privacy policy or California-specific description of rights.

Must update this information at least once every 12 months.

Cal. Civ. Code § 1798.135
Disclosures and operational requirements for the consumer’s sale opt-out and opt-in rights, established in Section 1798.120. Subsections related to general or public disclosures and notices are described below. NOTE: While Section 1798.125 (non-discrimination right) cross-references this section for its notice requirement, this section does not directly address or reference Section 1798.125’s disclosure requirements.

Cal. Civ. Code § 1798.135(a)(1)
If a business sells personal information, it must provide a clear and conspicuous link on the business’s internet homepage to a webpage titled “Do Not Sell My Personal Information,” that enables the consumer or authorized representative to opt-out of personal information sales, in a form reasonably accessible to consumers. Must not require consumers to create an account to exercise their opt-out rights.

Cal. Civ. Code § 1798.135(a)(2)
If a business sells personal information, it must include a description of the consumer’s opt-out/opt-in right under Section 1798.120 and a link to the “Do Not Sell My Personal Information” webpage in:

  • Any online privacy policies that exist.
  • Any California-specific description of consumer’s privacy rights that exist.

Cal. Civ. Code § 1798.135(b)
Gives businesses the option of providing the “Do Not Sell My Personal Information” notice and links required by this section on a separate and additional California-specific website homepage, instead of the general public homepage, if the business takes reasonable steps to ensure California consumers land on the California homepage instead of the general homepage.

Cal. Civ. Code § 1798.140(d): Business purpose definition.
Cal. Civ. Code § 1798.140(e): Collects definition.
Cal. Civ. Code § 1798.140(f): Commercial purposes definition.
Cal. Civ. Code § 1798.140(i): Designated methods for submitting requests definition.
Cal. Civ. Code § 1798.140(l): Homepage definition.
Cal. Civ. Code § 1798.140(o): Personal information definition, including the 11 enumerated categories.
Cal. Civ. Code § 1798.185: Establishes the California Attorney General’s rulemaking authority, including for the CCPA’s different notice requirements.

COMPARISON OF KEY REQUIREMENTS UNDER THE CCPA AND THE GDPR

(Note, this is not a comprehensive list of all measures required under the CCPA or GDPR)

CCPA GDPR Comparison
Who is Regulated? Any for-profit entity doing business in California, that meets one of the following:

  • Has a gross revenue greater than $25 million.
  • Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The law also applies to any entity that:

  • Controls or is controlled by a covered business.
  • Shares common branding with a covered business, such as a shared name, service mark, or trademark.

Parts of the CCPA apply specifically to:

  • Service providers.
  • Third parties.
Data controllers and data processors:

  • Established in the EU that process personal data in the context of activities of the EU establishment, regardless of whether the data processing takes place within the EU.
  • Not established in the EU that process EU data subjects’ personal data in connection with offering goods or services in the EU, or monitoring their behavior.
The scope and territorial reach of the GDPR is much broader.Substantially different in parties regulated.
Who is Protected? Consumers, defined as California residents that are either:

  • In California for other than a temporary or transitory purpose.
  • Domiciled in California but are currently outside the State for a temporary or transitory purpose.

Consumers include:

  • Customers of household goods and services.
  • Employees.
  • Business-to- Business transactions.
Data subjects, defined as identified or identifiable persons to which personal data relates. Substantially different in approach, but similarly broad in effect.Both laws focus on information that relates to an identifiable natural person, however the definitions differ.Both have potential extraterritorial effects that businesses located outside the jurisdiction must consider.
What Information is Protected? Personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household.The statutory definition includes a list of specific categories of personal information.Personal information does not include certain publicly available government records. The CCPA also excludes certain personal information covered by other sector specific legislation from its coverage scope. Personal data is any information relating to an identified or identifiable data subject.The GDPR prohibits processing of defined special categories of personal data unless a lawful justification for processing applies. Substantially similar. However, the CCPA definition also includes information linked at the household or device level.
Anonymous, Deidentified, Pseudonymous, or Aggregated Data The CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose a consumer information that is deidentified or aggregated.However, the CCPA establishes a high bar for claiming data is deidentified or aggregated Pseudonymous data may qualify as personal information under the CCPA because it remains capable of being associated with a particular consumer or household. However, the statute does not clearly categorize or exclude pseudonymous data as personal information. Pseudonymous data is considered personal data.Anonymous data is not considered personal data.While the GDPR does not mention deidentified data, the CCPA definition is similar to GDPR’s concept of anonymous data. The CCPA and GDPR pseudonymization definitions are very similar and both require technical controls to prevent reidentification to qualify.The CCPA primarily discusses pseudonymization in the context of using personal information collected from a consumer for other purposes, for research. It does not appear to help businesses generally avoid the CCPA’s requirements.At this point, it is unclear how different the position under the GDPR is.
Privacy Notice / Information Right Businesses must inform consumers about:

  • The personal information categories collected.
  • The intended use purposes for each category.

Further notice is required to:

  • Collect additional personal information categories.
  • Use collected personal information for unrelated purposes.

The CCPA requires that businesses provide specific information to consumers and establishes delivery requirements.

Third parties must also give consumers explicit notice and an opportunity to opt out before re-selling personal information that the third party acquired from another business.

Data controllers must provide detailed information about its personal data collection and data processing activities. The notice must include specific information depending on whether the data is collected directly from the data subject or a third party. Similar disclosure requirements, but differences in the specific information required and the delivery methods.The CCPA notice requirements on personal information disclosed or sold to third parties only covers the 12 months preceding the request.
Security The CCPA does not directly impose data security requirements. However, it does establish a right of action for certain data breaches that result from violations of a business’s duty to implement and maintain reasonable security practices and procedures appropriate to the risk arising from existing California law. The GDPR requires data controllers and data processors to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Substantially similar in statutory approach though reasonable security measures may vary to some extent according to an organization’s circumstances and regulator interpretation.
Opt-Out Right for Personal Information Sales

CCPA: Businesses must enable and comply with a consumer’s request to opt out of the sale of personal information to third parties, subject to certain defenses. Must include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on a website homepage. Must not request reauthorization to sell a consumer’s personal information for at least 12 months after the person opts out.

GDPR: The GDPR does not include a specific right to opt out of personal data sales. However, the GDPR does contain other rights a data subject may use to obtain a similar result in certain circumstances. For example, it does permit data subjects, at any time, to:

  • Opt out of processing data for marketing purposes.
  • Withdraw consent for processing activities.

This allows data subjects to opt out of third-party sales that support marketing purposes or rely on consent for their legal processing basis.

Comparison: Substantially different.
Children

CCPA: The CCPA prohibits selling personal information of a consumer under 16 without consent. Children aged 13 – 16 can directly provide consent. Children under 13 require parental consent. Importantly, protections provided by the federal Children’s Online Privacy Protection Act (COPPA) still apply on top of the CCPA’s requirements.

GDPR: The GDPR’s default age for consent is 16, although individual member state law may lower the age to no lower than 13. The person with parental responsibility must provide consent for children under the consent age. Children must receive an age-appropriate privacy notice. Children’s personal data is subject to heightened security requirements.

Comparison: Substantially different requirements, other than the ages involved. The CCPA only requires parental consent for personal data sales, while the GDPR’s parental consent requirement applies to all processing consent requests.
Right of Disclosure or Access

CCPA: Consumers have a right to request disclosure of their personal information, and to receive additional details regarding the personal information a business collects and its use purposes, including any third parties with which it shares information.

GDPR: Data subjects have a right to access their personal data, including receiving a copy, and to obtain certain information about the data controller’s processing.

Comparison: Broadly similar rights of disclosure/access. The CCPA’s right is only to obtain a written disclosure of the information. The GDPR allows broader access, which is not limited to a written disclosure in a portable format.
Right of Data Portability

CCPA: In response to a request for disclosure, a business must provide personal information in a readily useable format to enable a consumer to transmit the information from one entity to another entity without hindrance.

GDPR: The GDPR includes a new right to data portability to:

  • Receive a copy of the personal data in a structured, commonly used and machine-readable format.
  • Transmit the personal data to another data controller (including directly by another data controller where possible).

Comparison: Broadly similar rights. The GDPR provides a specific right to request that a data controller transfer the data subject’s personal data to another data controller.
Right to Deletion / Erasure (The Right to be Forgotten)

CCPA: A consumer has the right to deletion of personal information a business has collected, subject to certain exceptions. The business must also instruct its service providers to delete the data.

GDPR: Data subjects have the right to request erasure of personal data under six circumstances (the right to be forgotten). Data controllers must also take reasonable steps to inform any other data controllers also processing the data.

Comparison: Similar data deletion rights. The GDPR right only applies if the request meets one of six specific conditions, while the CCPA right is broad. However, the CCPA also allows businesses to refuse the request on much broader grounds than the GDPR. The GDPR’s obligation to inform downstream data recipients of the person’s deletion request is also broader.
Right of Rectification

CCPA: None.

GDPR: The GDPR grants data subjects the right to:

  • Correct inaccurate personal data.
  • Complete incomplete personal data.

Comparison: Substantially different.

Right to Restrict Processing

CCPA: None, other than the right to opt out of personal information sales.

GDPR: Right to restrict processing of personal data, under certain circumstances.

Comparison: Substantially different.

Right to Object to Processing

CCPA: None, other than the right to opt out of personal information sales.

GDPR: Right to object to processing for profiling, direct marketing, and statistical, scientific, or historical research purposes.

Comparison: Substantially different.

Right to Object to Automated Decision-Making

CCPA: None.

GDPR: Data subjects have the right not to be subject to automated decision-making, including profiling, which has legal or other significant effects on the data subject, subject to certain exceptions.

Comparison: Substantially different.
Non-Discrimination

CCPA: A business must not discriminate against a consumer because they exercised their rights. However, a business may charge differently if that difference reasonably relates to the value provided by the consumer’s data. Businesses may also offer financial incentives if they are disclosed in terms or an online privacy policy, and require opt-in consent.

GDPR: It is implicit in the GDPR that organizations cannot discriminate against a data subject who exercises their rights, for example through its provisions prohibiting processing that adversely affects the rights and freedoms of data subjects.

Comparison: Similar idea, different obligations.
Responding to Rights Requests

CCPA: A business must:

  • Comply with a verifiable consumer request (as defined in Cal. Civ. Code § 1798.140(y)).
  • Respond within 45 days after receipt, potentially extendable once for another 45 or 90 days upon notifying the consumer.
  • Inform the consumer of the reasons for not taking action.
  • Provide the information free of charge, unless the request is manifestly unfounded or excessive.

Consumers may only make most information requests twice a year and only for a 12-month look-back. There are no limits on deletion and “do not sell” requests.

GDPR: A data controller must:

  • Verify the identity of a data subject before responding to a request.
  • Respond to requests without undue delay and at the latest within one month, extendable for up to two more months if necessary after notice to the data subject.
  • Give reasons if the data controller does not comply with any request.

Requests do not have to be free to data subjects.

Comparison: Substantially similar.
Penalties (Private Rights of Action)

CCPA: The CCPA establishes a narrow private right of action for certain data breaches involving a subset of personal information. However, the CCPA grants companies a 30-day period to cure violations, if possible. Consumers may seek the greater of actual damages or statutory damages ranging from $100 to $750 per consumer per incident. Courts may also impose injunctive or declaratory relief.

GDPR: The GDPR establishes a private right of action for material or non-material damage caused by a data controller’s or data processor’s breach of the GDPR.

Comparison: Substantially different in scope, but violations of either may potentially result in significant economic liability.
Penalties (Civil Fines)

CCPA: The California AG may bring actions for civil penalties of $2,500 per violation, or up to $7,500 per violation if intentional. However, the CCPA also grants businesses a 30-day cure period for noticed violations.

GDPR: Administrative fines can reach EUR 20 million or 4% of annual global revenue, whichever is higher. EU Member States can impose their own penalties applicable to infringements of the GDPR that are not subject to administrative fines under Article 83, GDPR.

Comparison: Approach to calculating fines differs, but violations of either may potentially result in significant economic liability.