Data Protection and Privacy 2025

USA LAW AND PRACTICE Contributed by: Nancy Libin, David Rice, Spencer Persson, Michael Borgia, Robert Stankey, Kara Trowell and Alexander Sisto, Davis Wright Tremaine LLP

• delete their personal information;
• opt out of data “sales” (exchanges of their personal information with third parties for monetary or other valuable consideration);
• opt out of data “sharing” (providing their personal information to a third party for cross-context behavioural advertising);
• limit the use and disclosure of their sensitive personal information; and
• opt out of profiling performed by automated decision-making technology that has significant legal or similar effects.

The California Privacy Protection Agency (CPPA) and the California attorney general enforce the CCPA. The CPPA has authority to promulgate implementing regulations. The CCPA provides a limited private right of action for consumers in the event of a data breach caused by inadequate security safeguards.

In addition to the CCPA, the California Online Privacy Protection Act requires operators of websites and online services that collect personally identifiable information from California residents to post a privacy policy that contains certain information, and the California “Shine the Light” Law requires businesses that have disclosed certain personal information of California consumers to third parties for those third parties’ own direct marketing purposes to give consumers the right to receive information about those disclosures and those third parties.

The CCPA compared with other state privacy statutes

While the CCPA is like other state privacy statutes in many respects, there are some important differences, as follows.

The CCPA protects the personal information of employees and individuals in an employment and business context, whereas the other state privacy laws apply only to personal information in a personal or household context.

Except in the few cases noted below, other state laws do not use the amount of a company’s annual revenue as a jurisdictional threshold. Instead, with a couple of exceptions, they use the number of state residents whose personal data an entity collects or the revenue the entity derives from the sale of personal information.

While the CCPA uses the terms “business” and “service provider” (and “contractor”), the other state laws use the terms “controller” and “processor”, which are roughly equivalent to the same terms in the GDPR. All state privacy laws use the term “third party” to describe entities that are none of these, however.

The CCPA gives consumers the right to limit the processing of their sensitive personal information that is used to infer characteristics about them, while most other states require entities to obtain consent from consumers before processing their sensitive personal information.

States generally define “sensitive” personal data to include information revealing:

• race or ethnic origin;
• religious beliefs;
• citizenship or immigration status;
• genetic data;
• biometric data;
• physical or mental health diagnosis; and
• sexual orientation.

Some states add additional categories to the foregoing, such as precise geolocation, philosophical beliefs, sex life, union membership and – in California and Colorado – neural data (among others).
