The Video Privacy Protection Act (VPPA) is a federal privacy law in the United States designed to protect individuals’ privacy regarding their video rental and viewing histories. The VPPA limits the unauthorized sharing of video rental and purchase records. It was passed in 1988 after the public disclosure of Supreme Court nominee Robert Bork’s video rental records raised concerns about the lack of safeguards for personal information.
At the time of the Act’s enactment, video viewing was an offline activity. People would visit rental stores, borrow a tape, and return it after watching. Today, streaming services and social media platforms mean that watching videos is a largely digital activity. In 2023, global revenue from online video streaming reached an estimated USD 288 billion, with the US holding the largest share of that market.
Still, the VPPA has remained largely unchanged since its enactment, apart from a 2013 amendment. However, recent legal challenges to digital video data collection have led courts to reinterpret how the law applies to today’s video viewing habits.
In this article, we’ll examine what the VPPA law means for video platforms, the legal challenges associated with the law, and what companies can do to enable compliance while respecting users’ privacy.
Scope of the Video Privacy Protection Act (VPPA)
The primary purpose of the Video Privacy Protection Act (VPPA) is to prevent the unauthorized disclosure of personally identifiable information (PII) related to video rentals or purchases. PII under the law “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.”
The law applies to video tape service providers, which are entities involved in the rental, sale, or delivery of prerecorded video materials. Courts have interpreted this definition to include video streaming platforms like Hulu and Netflix, which have widely replaced physical video tape service providers.
The VPPA protects the personal information of consumers. The law defines consumers as “any renter, purchaser, or subscriber of goods or services from a video tape service provider.”
Video tape service providers are prohibited from knowingly disclosing PII linking a consumer to specific video materials, except in the following cases:
- direct disclosure to the consumer
- to a third party with informed, written consent provided by the consumer
- to law enforcement in response to a warrant, grand jury subpoena, or court order
- limited marketing disclosures of names and addresses, but only if:
  - consumers have been given a clear and conspicuous opportunity to opt out, and
  - the disclosure does not identify the title, description, or subject matter of any video materials, except that subject matter may be disclosed for the exclusive use of marketing goods and services directly to the consumer
- in the ordinary course of business, such as processing payments, fulfilling orders, or collecting debts
- under a court order in a civil proceeding, if the requesting party shows a compelling need for the information that cannot be met by other means, and the consumer is given reasonable notice and an opportunity to appear and contest the claim
The 2013 amendment expanded the conditions for obtaining consent, including through electronic means using the Internet. This consent must:
- be distinct and separate from other legal or financial agreements
- let consumers provide consent either at the time of disclosure or in advance for up to two years, with the option to revoke it sooner
- offer a clear and conspicuous way for consumers to withdraw their consent at any time, whether for specific instances or entirely
Tracking technologies and Video Privacy Protection Act (VPPA) claims
Tracking technologies like pixels are central to many claims alleging violations of the VPPA. A pixel is a snippet of third-party JavaScript, or an image request, embedded in a page that reports user activity, including interactions with online video content, back to the pixel vendor's servers. These technologies can collect and transmit data such as the titles of videos someone viewed, along with other information that may identify the individual, such as a cookie value, a hashed email address, or an IP address. This combination of a specific title with an identifier is what may meet the VPPA's definition of personally identifiable information (PII).
VPPA claims often arise when companies use tracking pixels on websites with video content and transmit information about users’ video viewing activity to third parties without requesting affirmative consent. Courts have debated what constitutes a knowing disclosure under the VPPA, but installing tracking pixels that collect and share video data has been found sufficient to potentially establish knowledge in some cases.
Lawsuits under the Video Privacy Protection Act (VPPA)
Many legal claims under the VPPA focus on one or more of three critical questions:
- Does the party broadcasting videos qualify as a video tape service provider?
- Is the individual claiming their rights were violated considered a consumer?
- Does the disclosed information qualify as PII?
Below, we’ll look at how courts have considered these questions and interpreted the law in the context of digital video consumption.
Does the party broadcasting video qualify as a video tape service provider?
Who is considered a video tape service provider under the law may depend on multiple factors. Courts have established that online streaming services qualify, but some rulings have considered other factors, which we’ll outline below, to decide whether a business meets the law’s definition.
Live streaming
The VPPA defines a video tape service provider as a person engaged in the business of “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.” In 2022, a court ruled that companies do not qualify as video tape service providers with respect to live video broadcasts, because live streaming does not involve prerecorded content.
However, if a company streams prerecorded content, it may qualify as a video tape service provider in relevant claims.
“Similar audio visual materials”
The definition of a video tape service provider in the digital age includes more than just video platforms that broadcast movies and TV shows. In a 2023 case, a court ruled that a gaming and entertainment website offering prerecorded streaming video content fell within the scope of the VPPA definition of a video tape service provider.
Focus of work
Another 2023 ruling found that the VPPA does not apply to every company that happens to deliver audiovisual materials “ancillary to its business.” Under this decision, a video tape service provider’s primary business must involve providing audiovisual materials. Businesses using video content only as part of their marketing strategy would not qualify as a video tape service provider under this reading of the law.
Is the individual claiming rights violations considered a consumer?
Online video services frequently operate on a subscription-based business model. Many legal challenges under the VPPA focus on whether an individual qualifies as a “subscriber of goods and services from a video tape service provider.”
Type of service subscribed to
Courts have varied in their opinions on whether being a consumer depends on subscribing to videos specifically. In a 2023 ruling, a court held that subscribing to a newsletter that encourages recipients to view videos, but is not a condition to accessing them, does not qualify an individual as a subscriber of video services under the VPPA.
By contrast, a 2024 ruling took a broader approach, finding that the term “subscriber of goods or services” is not limited to audiovisual goods or services. The US Court of Appeals for the Second Circuit determined that subscribing to an online newsletter provided by a video tape service provider qualifies an individual as a consumer. This decision expanded the definition to recognize individuals who subscribe to any service offered by a video tape service provider as consumers.
Payment
Courts have generally agreed that providing payment to a video tape service provider is not necessary for an individual to be considered a subscriber. However, other factors play a role in establishing this status.
A 2015 ruling held that being a subscriber requires an “ongoing commitment or relationship.” The court found that merely downloading a free mobile app and watching videos without registering, providing personal information, or signing up for services does not meet this standard.
However, in a 2016 case, the US Court of Appeals for the First Circuit determined that providing personal information to download a free app, such as an Android ID and GPS location, did qualify the individual as a subscriber. Similarly, in the 2024 ruling above, the Second Circuit found that providing an email address, IP address, and device cookies for newsletter access constituted a meaningful exchange of personal information, qualifying the individual as a subscriber.
Does the disclosed information qualify as PII?
Courts have broadly interpreted PII to include traditional identifiers like names, phone numbers, and addresses, as well as digital data that can reasonably identify a person in the context of video consumption.
In the 2016 ruling referenced above, the First Circuit noted that “[m]any types of information other than a name can easily identify a person.” The court held that GPS coordinates and device identifier information can be linked to a specific person, and therefore qualified as PII under the VPPA.
Just two months later, the US Court of Appeals for the Third Circuit ruled more narrowly, stating that the law’s prohibition on disclosing PII applies only to information that would enable an ordinary person to identify a specific individual’s video-watching behavior. The Third Circuit held that digital identifiers like IP addresses, browser fingerprints, and unique device IDs do not qualify as PII because, on their own, they are not enough for an ordinary person to identify an individual.
These conflicting rulings highlight the ongoing debate about what constitutes PII, especially as digital technologies continue to evolve.
Consumers’ rights under the Video Privacy Protection Act (VPPA)
Although not explicitly framed as consumer rights under the law, the VPPA does grant consumers several rights to protect their information.
- Protection against unauthorized disclosure: Consumers’ PII related to video rentals, purchases, or viewing history cannot be disclosed without consent or other valid legal basis.
- Right to consent: Consumers must provide informed, written consent before a video tape service provider can disclose their PII. This consent must be distinct and separate from other agreements and can be given for a set period (up to two years) or revoked at any time.
- Right to opt out: Consumers must be given a clear and conspicuous opportunity to opt out of the disclosure of their PII.
- Right to notice in legal proceedings: If PII is to be disclosed under a court order, consumers must be notified of the proceeding and given an opportunity to appear and contest the disclosure.
- Right to private action: Consumers can file civil proceedings against video tape service providers for violations of the VPPA.
Penalties under the Video Privacy Protection Act (VPPA)
The VPPA allows individuals affected by violations to file civil proceedings. Remedies available under the law include actual damages, but not less than liquidated damages of USD 2,500 per violation.
Courts may also award punitive damages to penalize particularly egregious or intentional misconduct. Additionally, plaintiffs can recover reasonable attorneys’ fees and litigation costs. Courts may also grant appropriate preliminary or equitable relief.
The VPPA statute of limitations requires that any lawsuit be filed within two years from the date of the violation or from the date it was discovered.
Compliance with the Video Privacy Protection Act (VPPA)
Businesses that act as video tape service providers under the VPPA can take several steps to meet their legal obligations.
1. Conduct a data privacy audit
A data privacy audit can help businesses understand what personal data they collect, process, and store, and whether these practices comply with the VPPA. The audit should include assessing the use of tracking technologies like pixels and cookies to confirm whether they are correctly set up and classified.
2. Obtain informed, specific user consent
The VPPA requires businesses to obtain users’ informed, written consent before sharing PII. Implementing a consent management platform (CMP) like Usercentrics CMP can make it easier to collect, manage, and store consent from users.
VPPA compliance also requires businesses to provide clear, easy-to-find options for consumers to opt out of data sharing, which a CMP can also facilitate. Under the 2013 amendment, consent given in advance is valid for at most two years, or until the consumer withdraws it, whichever comes sooner, so businesses need a process for renewing consent before it expires and for honoring withdrawals immediately.
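The pixel pattern described in the section on tracking technologies, and the consent gating in step 2 above, as an added example that is not part of the original article: a page-side model of a third-party video-view pixel that fires unconditionally, next to a version that sends the title-linked payload only when the viewer holds a separate, time-bounded, revocable consent record, plus a small audit check that flags outbound payloads pairing a title with an identifier. The endpoint, field names, and viewer identifiers are constructed for illustration, and the consent-record shape is an assumption rather than any CMP's API.

```javascript
// Added example: page-side model of a video-view tracking pixel, unconditional
// versus consent-gated. The endpoint, field names and viewer identifiers are
// constructed for illustration; the consent record shape is an assumption.

const PIXEL_ENDPOINT = "https://pixel.example-adnetwork.invalid/collect"; // hypothetical

// Advance consent under the 2013 amendment is capped at two years.
const TWO_YEARS_MS = 2 * 365 * 24 * 60 * 60 * 1000;

// Payload a typical pixel integration sends on a video view: the title plus
// persistent identifiers. Title + identifier together is the combination
// that VPPA claims treat as PII.
function buildPixelPayload(videoTitle, viewer) {
  return {
    event: "VideoView",
    content_name: videoTitle,
    external_id: viewer.hashedEmail, // cross-site identifier
    cookie_id: viewer.cookieId,      // first-party cookie value forwarded to the vendor
    client_ip: viewer.ip,
  };
}

// Before: fires on every video view, with no consent check.
function unconditionalPixel(videoTitle, viewer, send) {
  return send(PIXEL_ENDPOINT, buildPixelPayload(videoTitle, viewer));
}

// Validity check for a consent record modeled on the amendment's conditions:
// specific to video disclosure, separate from other agreements, not yet
// withdrawn, and no older than two years.
function consentIsValid(consent, now = Date.now()) {
  if (!consent || consent.purpose !== "video_disclosure") return false;
  if (!consent.standalone) return false; // bundled into ToS does not count
  if (consent.revokedAt !== undefined && consent.revokedAt <= now) return false;
  return now - consent.grantedAt < TWO_YEARS_MS;
}

// After: the title-linked payload leaves the page only with valid consent.
// Without it, return null so the call site sends nothing to the vendor.
function consentGatedPixel(videoTitle, viewer, consent, send, now = Date.now()) {
  if (!consentIsValid(consent, now)) return null;
  return send(PIXEL_ENDPOINT, buildPixelPayload(videoTitle, viewer));
}

// Audit helper for step 1: flag any outbound payload that pairs a specific
// title with an identifier.
function disclosesVideoPII(payload) {
  const idFields = ["external_id", "cookie_id", "client_ip", "device_id"];
  const hasTitle = typeof payload.content_name === "string" && payload.content_name.length > 0;
  const hasId = idFields.some((k) => Boolean(payload[k]));
  return hasTitle && hasId;
}

// Stand-alone run with constructed data and a stub transport that records
// calls instead of issuing a network request.
const sentPayloads = [];
const stubSend = (url, payload) => { sentPayloads.push({ url, payload }); return payload; };
const viewer = { hashedEmail: "5f4dcc3b...", cookieId: "cid.17000000.12345", ip: "203.0.113.7" };
const title = "Documentary: Inside the Vault"; // constructed

const leaked = unconditionalPixel(title, viewer, stubSend);
const blocked = consentGatedPixel(title, viewer, null, stubSend);
const validConsent = { purpose: "video_disclosure", standalone: true, grantedAt: Date.now() - 1000 };
const allowed = consentGatedPixel(title, viewer, validConsent, stubSend);

console.log("unconditional pixel discloses PII:", disclosesVideoPII(leaked)); // true
console.log("gated pixel without consent sent:", blocked !== null);            // false
console.log("gated pixel with consent sent:", allowed !== null);               // true
```

In a real integration the `send` argument would be the vendor's tag or a `fetch` call; keeping it injectable is what lets the audit helper run against recorded payloads in a test or a build-time check rather than against live traffic.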
3. Implement transparent communication practices
Businesses should help consumers understand how their data is used so they can make an informed decision about whether to consent to its disclosure. Cookie banners used to obtain consent should contain simple, jargon-free language to explain the purpose of cookies. They should clearly indicate if third-party cookies are used and identify the parties with whom personal information is shared.
Businesses should include a direct link to a detailed privacy policy, both in the cookie banner and in another conspicuous location on their website or mobile app. Privacy policies must explain how PII is collected, used, and shared, along with clear instructions on how consumers can opt out of PII disclosures.
4. Consult qualified legal counsel
Legal experts can help businesses achieve VPPA compliance and offer tailored advice based on specific business operations. Counsel can also help businesses keep up with current litigation to understand how courts are interpreting the VPPA, which is critical as the law continues to face new challenges and evolving definitions.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
In 2023, an estimated 101 million people in the European Union (EU) aged 16 and older — 27 percent of the population or one in four — were living with a disability. This group often faces significant challenges, including discrimination, poverty, and social exclusion, which can limit their full participation in society.
The European Accessibility Act (EAA) seeks to address these issues by improving access to products and services for people with disabilities and older adults across the EU. In this article, we examine the scope of the EAA, the products and services it covers, which businesses are required to comply, and the potential consequences of noncompliance.
What is the European Accessibility Act (EAA)?
The European Accessibility Act (EAA), passed in 2019, is an EU Directive created to standardize accessibility requirements across member states. Its goal is to improve access to products and services for people with disabilities, benefiting not only the millions of individuals living with disabilities, but also older adults who often face similar barriers. Member states are required to incorporate the EAA’s provisions into their own laws.
The EAA was passed in part to help fulfill the obligations of EU member states under the United Nations Convention on the Rights of Persons with Disabilities (CRPD). It adopts the CRPD’s definition of persons with disabilities: “persons […] who have long-term physical, mental, intellectual or sensory impairments which in interaction with various barriers may hinder their full and effective participation in society on an equal basis with others.”
The EAA is not the first directive to address the issue of accessibility in the EU. Directive (EU) 2016/2102, known as the EU Web Accessibility Directive, focuses on the accessibility of websites and mobile apps of public sector bodies. Unlike the EU Web Accessibility Directive, which applies to public sector bodies only, the EAA applies to the private sector as well, with certain exceptions.
What is the scope of the EAA?
The EAA applies to a wide range of products and services, replacing previously inconsistent accessibility requirements across EU member states. Most people use these products and services daily, so making them accessible helps people with disabilities live independently at home, work productively, and take part in public life.
The table below includes examples of categories and items to which the EAA applies, and shows the breadth of products and services that are required to be accessible to individuals (and, by contrast, how limiting a lack of accessibility can be).
Industry | Category | Examples |
---|---|---|
Consumer technology | Consumer general purpose computer hardware systems and operating systems | Laptops, desktop computers, operating systems |
 | Consumer terminal equipment for electronic communications services | Smartphones and tablets |
 | Consumer terminal equipment for accessing audiovisual media services | Smart TVs, streaming devices, video players, gaming consoles |
 | E-readers | Digital books, devices specifically designed for reading digital books |
Financial services | Consumer banking services | Online and mobile banking platforms, ATMs, point of sale devices for card transactions |
Retail and ecommerce | Ecommerce services | Online marketplaces and retailer websites |
Public transport and travel | Self-service terminals | Payment terminals, ATMs, ticketing machines at stations, check-in kiosks at airports, and information kiosks (not integrated into vehicles, aircraft, or ships) |
 | Passenger transport services | Online booking websites and apps, mobile apps for real-time travel updates, e-tickets and ticketing services, and self-service terminals in transport hubs (not integrated into vehicles, aircraft, or ships) |
Media and communications | Electronic communications services | Internet service providers, mobile networks, VoIP services |
 | Services providing access to audiovisual media services | Streaming platforms, public broadcasters, video-on-demand services, and satellite TV |
Emergency and essential services | Emergency communications | Answering of communications to the single European emergency number 112 |
Who must comply with the EAA?
The EAA requires the products and services within its scope that are sold in the EU to be accessible to people with disabilities. This obligation applies to companies both inside and outside the EU if their products or services are available to EU-based consumers.
The directive identifies five categories, collectively referred to as economic operators, that must meet its requirements.
- Manufacturers: Individuals or businesses that market products under their own name or trademark that they either manufacture or have designed and manufactured.
- Authorized representatives: EU-based individuals or businesses authorized through a written agreement to act on behalf of a manufacturer for specific tasks.
- Importers: Individuals or businesses within the EU responsible for placing products from outside the EU onto the EU market for the first time.
- Distributors: Individuals or businesses making products available for distribution, consumption, or use in the EU but are not the manufacturer or importer.
- Service providers: Individuals or businesses offering services to consumers within the EU market.
Microenterprises are partly exempt from EAA compliance. The directive defines a microenterprise as a business with fewer than 10 employees and either an annual turnover not exceeding EUR 2 million or an annual balance sheet total not exceeding EUR 2 million.
Microenterprises providing services are exempt from some accessibility requirements under the EAA. Microenterprises that manufacture products and claim that compliance would lead to significant changes or impose an unreasonable burden do not need to formally document this assessment. However, these manufacturers are still required to consider accessibility principles when designing their products and must still provide relevant facts to authorities, upon request, if they choose to rely on these exceptions.
When does the EAA go into effect?
The EAA required Member States to adopt its provisions into their national laws by June 28, 2022. These laws must take effect and apply starting June 28, 2025. Because of this implementation date, the EAA is sometimes informally referred to as the “European Accessibility Act 2025.”
Exemptions to EAA effective date
The EAA applies to products placed on the market and services provided to consumers after June 28, 2025, but there are specific exemptions.
The directive provides for a transition period ending on June 28, 2030. During the transition period, service providers may continue using products that were already in use to provide similar services. Additionally, contracts signed before June 28, 2025 can remain in effect without changes, but they must end by June 28, 2030.
Transitional measures also apply to self-service terminals like ticket kiosks and ATMs. EU member states may decide that terminals in use before June 28, 2025 can remain operational until they are no longer economically viable. However, they cannot be used for more than 20 years from the date when they were first used, even if they are still functional.
The following website and mobile app content is also exempt from the EAA:
- pre-recorded time-based media published before June 28, 2025
- office file formats published before June 28, 2025
- online maps and mapping services, if essential information is provided in an accessible digital manner for maps intended for navigational use
- third-party content that is not funded, developed, or controlled by the organization required to comply
- archived content that is not updated or edited after June 28, 2025
Requirements for EAA compliance
The EAA requires products to be designed and manufactured so that they can be used by as many people with disabilities as possible. Products must also include clear, accessible information about how they work and their accessibility features, either on the product itself or in another accessible format, where possible.
Annex I of the directive details specific accessibility requirements, including design features, compatibility with assistive technologies, and accessible information.
Not all of the EAA’s requirements apply universally. The directive allows exceptions in cases where compliance would:
- result in a fundamental alteration to the nature of a product or service
- impose a disproportionate burden on businesses
Larger businesses must formally assess these situations using the criteria outlined in Annex VI. Microenterprises, while exempt from formal assessments, must still provide relevant facts to authorities if requested.
In addition to these requirements, the EAA outlines specific obligations of manufacturers, authorized representatives, importers, distributors, and service providers, which we’ll detail below.
Obligations of manufacturers
Manufacturers must meet several obligations under the EAA to make their products accessible. They must:
- design and manufacture products to meet accessibility requirements
- conduct a conformity assessment to verify that the product meets the relevant accessibility standards, and maintain supporting technical documentation
- prepare an EU Declaration of Conformity, which confirms that the product complies with all applicable EU directives
- affix the CE marking to products, indicating that they meet EU safety, health, environmental, and accessibility requirements
- establish processes to ensure that every product in a production run meets accessibility requirements
Products must include a type, batch, serial number, or other means of identification. If this is not possible because of the product’s size or nature, the information must be on the packaging or in an accompanying document.
The manufacturer’s name, registered trade name, or trademark, along with a contact address, must appear on the product. If these details cannot be placed directly on the product, they must appear on the packaging or an accompanying document. These details should be easy to understand and provide a way for consumers or authorities to reach the manufacturer.
Products must also include instructions and safety information in a language that users in the relevant country can easily understand. Labels and documents should be clear, simple, and accessible.
Obligations of authorized representatives
A manufacturer can appoint an authorized representative to handle specific tasks through a written agreement. The representative is not responsible for the manufacturer’s obligations related to the accessible design and manufacture of products or their technical documentation, but must:
- make the EU Declaration of Conformity and technical documentation available to relevant authorities for five years
- provide necessary information and documentation that demonstrates compliance to authorities upon request
- cooperate with authorities to address any issues or noncompliance with accessibility requirements for products under their mandate
Obligations of importers
Importers must ensure that the products they bring into the EU comply with the EAA. This includes verifying that:
- the manufacturer has conducted a conformity assessment
- the product complies with the accessibility standards outlined in Annex I
- the CE marking is correctly applied
- the products include relevant identification information and the manufacturer’s contact information
The importer’s name, trade name, or trademark and contact address should appear either on the product or its packaging or accompanying documents. Information and safety instructions in a language that is easy for consumers to understand must also accompany the product.
Importers must ensure proper storage and transport conditions to maintain compliance while the product is under their responsibility.
Importers are also responsible for keeping a copy of the EU Declaration of Conformity for five years and making technical documentation available to the relevant authorities upon request. These details should be clear and easy for both consumers and authorities to understand.
Additionally, importers must cooperate with national authorities during inspections and investigations, or when addressing noncompliance issues. They must take necessary measures to correct noncompliance or withdraw the product from the market if corrections cannot be made. They must also notify authorities immediately if they recognize that a product they have placed on the market is noncompliant, and maintain a record of such products and any related complaints.
Obligations of distributors
Distributors must ensure that the products they offer in the EU meet EAA accessibility standards. Specifically, they must confirm that:
- the product displays the CE marking to indicate compliance
- required accompanying documents, user instructions, and safety guidelines are provided in the official language(s) of the country where the product is sold
- the contact information of both the manufacturer and the importer as well as the product’s identification information are included on the product, its packaging, or accompanying documents
Like importers, distributors are also required to ensure proper storage and transport conditions to maintain compliance with accessibility requirements. If a distributor identifies or suspects noncompliance, they must withhold the product from the market until it meets accessibility requirements. In such cases, distributors must notify the manufacturer or importer and inform relevant authorities about the noncompliance and any corrective actions taken.
Distributors must cooperate with authorities during investigations and provide all necessary documentation to demonstrate the product’s compliance upon request. Unlike importers, distributors are not required to keep a formal record of noncompliant products or complaints.
Obligations of service providers
Service providers must design and deliver their services to meet the EAA’s accessibility requirements. They must prepare information that explains how their services meet these requirements, following the guidance in Annex V. This information must be made available in accessible written and spoken formats for people with disabilities, and must be kept available for as long as the service operates.
Service providers must also establish processes to maintain compliance with accessibility standards. These processes should account for any changes to service features, accessibility requirements, or relevant standards and specifications.
If a service is found to be noncompliant, service providers must take corrective measures and immediately notify the relevant authorities. They must provide details of the noncompliance, including the corrective actions taken.
Upon request, service providers must supply authorities with all necessary information to demonstrate compliance and cooperate fully with any actions taken to address noncompliance.
Enforcement of the EAA
Member states are responsible for developing procedures to verify whether products and services meet the directive’s accessibility requirements. This includes appointing a body responsible for market surveillance of products and for checking the compliance of services.
If market surveillance authorities find a product noncompliant, they must immediately require the economic operator concerned to correct the issue. If the issue remains unresolved, authorities can require the product to be withdrawn from the market.
When market surveillance authorities believe noncompliance extends beyond their country, they must inform the European Commission and other member states of their findings and detail the actions that have been taken to address the issue.
Examples of noncompliance include:
- incorrectly affixing or failing to affix the CE marking
- missing or incorrectly prepared EU Declaration of Conformity
- missing or incomplete technical documentation
- missing, incorrect, or incomplete contact details for the manufacturer or importer
- failing to meet other obligations required of manufacturers or importers under the EAA
Consequences of noncompliance with the EAA
Failing to comply with the EAA can lead to serious consequences for businesses. Authorities may order noncompliant products to be removed from the market, and economic operators may face penalties under the national laws that implement the directive.
Each EU member state is required to set its own rules for penalties, which must be “effective, proportionate and dissuasive.” They should also include measures to address and correct noncompliance.
Penalties may include fines, which vary based on the country, the severity of the violation, the numbers of persons affected, and how many noncomplying products or services are involved. Some national laws, such as Ireland’s European Union (Accessibility Requirements of Products and Services) Regulations 2023, can also impose prison sentences. In Ireland, businesses face fines of up to EUR 60,000 or imprisonment of up to 18 months for violations.
Beyond legal penalties, noncompliance can harm a company’s reputation, erode user trust, and lead to customer losses. Organizations could also face legal actions from individuals or advocacy groups representing people with disabilities, which can lead to additional legal fees and damages.
Steps to prepare for EAA compliance
With national laws implementing the EAA taking effect on June 28, 2025, organizations offering relevant products and services in the EU must get ready to meet accessibility requirements.
1. Determine if the EAA applies to your business
Start by identifying whether your products or services fall under the EAA’s scope. Review the directive’s requirements and consider if any exemptions apply to your operations.
2. Conduct an accessibility audit
If your business is covered by the EAA, use the EAA’s requirements to evaluate your products, services, and processes for potential accessibility gaps.
3. Consult qualified legal professionals and accessibility experts
Engage legal and accessibility experts to better understand how the EAA applies to your operations. Their expertise can help align your compliance efforts with both legal and technical standards.
4. Document compliance efforts
Maintain clear records of all actions taken to meet the EAA’s requirements, including accessibility audits, testing outcomes, and updates. These records can demonstrate compliance in the event of regulatory inquiries or inspections.
5. Monitor regulatory updates
Stay informed about any changes to accessibility standards or enforcement rules. Keeping up to date with regulatory developments helps keep your compliance measures aligned with current requirements.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations, and accessibility specialists regarding accessibility compliance.
Introduced in 2018, the General Data Protection Regulation (GDPR) applies to any company handling the personal data of individuals within the European Union, regardless of where the business is based. At its core, there are seven guiding principles that dictate how organizations collect, store, and use personal data.
Understanding these principles is more than just a legal requirement. It’s a vital step toward building trust with your customers and safeguarding your company from potential regulatory violations and penalties. These principles outline how to approach data processing transparently and ethically, helping you align your business practices with legal obligations and customer expectations.
Let’s explore these 7 data protection principles in detail and look at how they can be practically applied to your operations. By understanding these foundations, you’re one step closer to compliance and strengthening your company’s reputation.
What are the principles of GDPR?
The GDPR incorporates 7 principles, as outlined in Article 5 of the regulation. These form the backbone of compliant data protection practices. They serve as a set of rules for how organizations should handle and process personal data ethically, transparently, and securely.
The 7 principles of the GDPR are:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitations
- Integrity and confidentiality
- Accountability
These principles act as a framework, guiding businesses in everything from collecting various types of consent to implementing security measures.
These 7 core principles of the GDPR are not optional guidelines. Instead, they are legally binding standards for any company that handles personal data, whether it’s an ecommerce business, healthcare provider, or multinational corporation.
Why are GDPR principles important?
The importance of these data protection principles extends far beyond avoiding fines, although the financial penalties for noncompliance can be significant, reaching up to EUR 20 million or 4 percent of a business’s annual global turnover. Adhering to these principles is also critical for building customer trust, avoiding reputational damage, and meeting comparable requirements increasingly being levied by important tech platforms, like those for advertising.
Consumers are also more aware of their privacy rights than ever. Businesses that demonstrate transparency and accountability in their data practices are more likely to increase engagement and gain loyalty. In addition, adhering to the principles of the GDPR provides operational clarity, helping companies streamline processes and reduce inefficiencies. Clear, well-defined policies reduce confusion about data handling, helping employees and systems work in harmony to meet compliance standards.
On a broader scale, these principles help create a culture of accountability. When companies consistently prioritize data protection, they encourage responsible behavior and set a high standard for others in their industries. This proactive approach not only safeguards individual rights, but also positions businesses as leaders in privacy and ethics.
The 7 GDPR principles your company needs to know about (with examples)
1. Lawfulness, fairness, and transparency
This principle forms the bedrock of GDPR compliance. It requires that all processing of personal data must be lawful, fair, and transparent.
Let’s take a closer look at what that means in practice. Lawfulness means having a valid legal basis for collecting and using data. The GDPR provides six legal bases; a company (the controller) must validly rely on, and document, at least one of them to justify the collection of personal data:
- informed consent from the data subject
- performance of a contract with the data subject
- compliance with a legal obligation to which the data controller is subject
- protecting the vital interests of the data subject or of another natural person
- in the public interest, or if the data controller is exercising official authority
- legitimate interests pursued by the controller or by a third party
Fairness requires that data is not used in a way that is misleading or harmful to the individual. Transparency refers to providing clear, accessible information about how data will be used and secured, and about data subjects’ rights and how they can exercise them.
For instance, when an ecommerce site collects an email address for marketing purposes, it must also provide information to the user. It should include details like how frequently emails will be sent and what topics or information they will contain. Without clarity, users may feel misled, which damages trust and can breach GDPR principles.
Your company’s privacy policy should clearly explain how customer data is used, including for delivery and marketing emails. You also need to provide an easy opt-out option.
It’s worth noting that transparency goes hand in hand with effective communication. Privacy policies should be written in plain language and made easily accessible. This helps individuals understand their rights and the organization’s data practices.
2. Purpose limitation
Purpose limitation requires that personal data be collected for a specific, legitimate, and communicated purpose and not used for anything else. Businesses must clearly define why they are collecting data and stick to those boundaries. Repurposing data for different uses, or collecting new types of data for an existing use — without explicit consent — violates this core GDPR principle.
Imagine a fitness app that collects user data to track exercise habits. If the company later uses this data to target ads for unrelated products without user consent, it breaches this GDPR principle. Purpose limitation prevents such misuse, and gives individuals control over how their data is handled.
Businesses must document the intended use of data at the point of collection. A consent management platform helps with this, enabling companies to granularly list out the data processing services in use, along with what data they collect and for what purposes. Regular audits can also help ensure that data usage aligns with declared purposes. If new purposes arise, obtain additional consent before proceeding.
3. Data minimization
Data minimization dictates that businesses should only collect the data that is strictly necessary for their declared purpose. Over-collection not only increases the risk in the event of a data breach or other compliance violation, but also complicates compliance efforts and can raise concerns from customers about the actual need for the data. Collecting excessive or irrelevant information is strongly discouraged under the GDPR.
For example, a job application form should only ask for the details necessary to assess a candidate’s qualifications. Questions about personal hobbies, family status, or unrelated credentials could violate this principle. By minimizing data collection, businesses reduce exposure to risks while streamlining their operations.
Data minimization also involves periodically reviewing stored information to ensure relevance. Outdated or unnecessary data should be securely deleted or anonymized. This not only enhances compliance but also improves data management efficiency.
4. Accuracy
The accuracy principle requires that personal data be accurate and, where necessary, kept up to date. Companies must take every reasonable step to erase or rectify inaccurate personal data without delay, particularly when requested by the data subject. Inaccurate information can lead to poor decision-making and, in some cases, harm to the individual whose data is being processed.
For instance, a delivery service relying on outdated customer addresses may waste resources and inconvenience customers. Instead, the delivery service could offer customers the option to update their delivery preferences and personal information via their online account. By establishing mechanisms for regular updates and corrections, businesses can maintain accuracy and efficiency.
Enabling individuals to easily update their information or easily make requests for it to be done is key for privacy compliance. Whether through self-service portals or responsive customer support, maintaining data accuracy benefits both the business and its customers.
5. Storage limitation
Storage limitation requires organizations to retain personal data for only as long as is necessary for the specified purpose. Keeping data indefinitely increases security risks and can negatively impact customer (or former customer) experience.
For example, a subscription service might delete user accounts after two years of inactivity, since their information is no longer necessary. They may also anonymize purchase data after five years so it can be used for long-term trend analysis, but can no longer be linked to individual customers. Businesses should maintain clearly defined retention schedules, and should have policies in place for secure deletion or anonymization.
It’s important to balance operational needs with privacy obligations. Regular audits can help identify data that is no longer needed, which reduces risks and supports compliance.
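The retention schedule from the subscription-service example above (delete accounts after two years of inactivity, anonymize purchase data after five years), written out as an added example that is not part of the original article. The record layouts, the sample customers and the rule that purchases of a deleted account are unlinked at the same time are assumptions made for this illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import date, timedelta

# Retention periods from the article's example. They are policy choices a
# business documents in its retention schedule, not figures set by the GDPR.
ACCOUNT_INACTIVITY_LIMIT = timedelta(days=2 * 365)   # delete accounts inactive for 2 years
PURCHASE_ANONYMIZE_AFTER = timedelta(days=5 * 365)   # anonymize purchase records after 5 years


@dataclass(frozen=True)
class Account:
    account_id: str
    email: str
    last_active: date


@dataclass(frozen=True)
class Purchase:
    purchase_id: str
    account_id: str | None    # None once the record has been anonymized
    purchased_on: date
    category: str             # aggregate attributes kept for long-term trend analysis
    amount_eur: float


@dataclass
class RetentionResult:
    accounts: list[Account]           # accounts still retained
    purchases: list[Purchase]         # purchase records after anonymization
    deleted_account_ids: list[str]
    anonymized_purchase_ids: list[str]
    audit_log: list[str]              # one line per action, supporting the accountability principle


def anonymize(purchase: Purchase) -> Purchase:
    """Unlink a purchase from its customer, keeping only aggregate attributes."""
    return replace(purchase, account_id=None)


def apply_retention_schedule(accounts: list[Account], purchases: list[Purchase],
                             today: date) -> RetentionResult:
    account_cutoff = today - ACCOUNT_INACTIVITY_LIMIT
    purchase_cutoff = today - PURCHASE_ANONYMIZE_AFTER
    result = RetentionResult([], [], [], [], [])

    for acct in accounts:
        if acct.last_active < account_cutoff:
            result.deleted_account_ids.append(acct.account_id)
            result.audit_log.append(
                f"{today}: deleted account {acct.account_id} (last active {acct.last_active})")
        else:
            result.accounts.append(acct)
    deleted = set(result.deleted_account_ids)

    for p in purchases:
        too_old = p.purchased_on < purchase_cutoff
        # Assumption (not from the article): a purchase whose account was just deleted is
        # unlinked immediately, so no customer identifier outlives the account.
        orphaned = p.account_id in deleted
        if p.account_id is not None and (too_old or orphaned):
            reason = "older than retention period" if too_old else "account deleted"
            result.purchases.append(anonymize(p))
            result.anonymized_purchase_ids.append(p.purchase_id)
            result.audit_log.append(f"{today}: anonymized purchase {p.purchase_id} ({reason})")
        else:
            result.purchases.append(p)
    return result


# Constructed sample data (not real customers).
SAMPLE_TODAY = date(2025, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("acc-1", "alice@example.com", date(2025, 1, 10)),   # active: keep
    Account("acc-2", "bob@example.com", date(2022, 5, 1)),      # inactive > 2 years: delete
    Account("acc-3", "carol@example.com", date(2023, 8, 1)),    # inactive < 2 years: keep
]
SAMPLE_PURCHASES = [
    Purchase("p-1", "acc-1", date(2019, 3, 1), "books", 19.99),    # > 5 years: anonymize
    Purchase("p-2", "acc-1", date(2024, 11, 11), "audio", 59.00),  # recent: keep linked
    Purchase("p-3", "acc-2", date(2024, 1, 5), "books", 12.50),    # account deleted: unlink
    Purchase("p-4", "acc-3", date(2021, 1, 1), "video", 9.99),     # < 5 years, account kept
]


def run_sample() -> RetentionResult:
    return apply_retention_schedule(SAMPLE_ACCOUNTS, SAMPLE_PURCHASES, SAMPLE_TODAY)


if __name__ == "__main__":
    for line in run_sample().audit_log:
        print(line)
```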
6. Integrity and confidentiality (security)
This principle of integrity and confidentiality seeks to protect data against unauthorized access, loss, or destruction. Businesses must implement robust security measures, including encryption, firewalls, and access controls.
Consider a healthcare provider storing sensitive patient records. Without proper encryption and restricted access, these records could be exposed in a data breach, causing significant harm to individuals and exposing the organization to a major investigation by authorities and to reputational damage.
Implementing measures like strong encryption for data both in transit and at rest is recommended. Use access controls to ensure that only authorized personnel can access customer data, and only within the bounds of their job responsibilities, and conduct regular security audits.
Training employees in data protection practices is equally important, and needs to be done regularly to build strong habits. Human error is a leading cause of data breaches and sensitive data exposure. Raise awareness about security protocols to help mitigate this risk. Regularly updating systems and conducting security assessments will further enhance compliance.
7. Accountability
Accountability requires organizations to take responsibility for their data practices and demonstrate compliance with the core GDPR principles. This involves documenting data processing activities, conducting regular audits, and appointing a Data Protection Officer (DPO) if necessary.
For instance, a marketing agency might maintain detailed records of how client data is processed, in addition to conducting regular data protection impact assessments and creating a comprehensive data protection policy. These records provide a clear trail of accountability, which supports transparency and aids compliance efforts.
Accountability also means staying informed about evolving data protection regulations, frameworks, and requirements, and adapting practices accordingly. Demonstrating a proactive approach to compliance builds trust with customers and partners and strengthens your organization’s reputation.
Follow the 7 principles for GDPR compliance
The seven principles of the GDPR provide a clear roadmap for responsible data management. This is not only required to do business in the EU, but provides a valuable framework for businesses anywhere in the world that want to take strong measures for data privacy and protection. By adhering to these principles, businesses can not only comply with legal requirements but also build stronger relationships with customers and partners, foster transparency, and reduce risks.
Integrating these principles into your operations supports secure and ethical handling of personal data, and sets your company apart as a leader in data privacy and protection.
As organizations handle people’s personal data across borders, regulations like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) have become central to protecting privacy rights. Both regulations establish rules for when and how organizations can collect, use, and share personal data to give individuals control over their information.
Although the GDPR and the CCPA/CPRA share common goals, their scope, requirements, and enforcement mechanisms vary significantly. Understanding these differences is essential for organizations to avoid penalties and build trust with the people whose data they handle.
We cover who these regulations apply to, their similarities and differences, and how organizations can implement compliance measures effectively.
CCPA vs GDPR: understanding the basics
The GDPR and the CCPA/CPRA are landmark data privacy laws, each setting standards for how personal data is managed and protected. Before going into details about their scope and application, let’s look at what these laws are.
What is the GDPR?
The General Data Protection Regulation (GDPR) governs data collection and processing for individuals located in the 27 European Union (EU) member states and the European Economic Area (EEA) countries of Iceland, Liechtenstein, and Norway. It is designed to protect individuals’ privacy rights and establish consistent data protection standards across the EU/EEA. The GDPR applies to organizations that either offer goods or services to or monitor the behavior of individuals within these regions, regardless of where the business is located.
Effective since May 25, 2018, the GDPR has become a global benchmark for data protection, influencing data privacy legislation worldwide.
What is the CCPA?
The California Consumer Privacy Act (CCPA), effective January 1, 2020, is the first comprehensive data privacy law passed in the United States. It establishes a framework for protecting the personal information of California residents and regulates how businesses collect, share, and process this data.
The California Privacy Rights Act (CPRA) amended and expanded the CCPA, increasing consumer protections and introducing stricter obligations for businesses, such as increased transparency and limits on the use of sensitive information. The CPRA also created the California Privacy Protection Agency (CPPA) to enforce privacy laws in the state.
While the CPRA took effect on January 1, 2023, enforcement began in February 2024 following a delay caused by legal challenges.
The CPRA does not fully replace the CCPA, but instead builds on it. Both laws remain in effect and work together to regulate data privacy in California. They are sometimes known as “the California GDPR.”
CCPA vs GDPR: who do the regulations apply to?
The GDPR and the CCPA/CPRA each specify which types of entities are subject to their rules, with notable differences in scope and applicability.
GDPR scope and application
The GDPR applies to any entity — whether a legal or natural person — that processes the personal data of individuals located within the EU/EEA, provided the processing is connected to either:
- offering them goods or services
- monitoring their behavior
Entities based outside the EU are included if they process the personal data of individuals located within the EU/EEA. The GDPR applies to EU organizations regardless of where the processing takes place.
Under the GDPR, entities are classified as either data controllers or data processors. Controllers determine the purposes and means of processing personal data, while processors act on behalf of the controller to process data.
The regulation does not apply to individuals collecting data for purely personal or household purposes. However, if an individual collects or processes personal data of EU residents — for example as a sole proprietor — they must comply with GDPR requirements.
The GDPR is not limited to businesses and applies to nonprofit organizations and government agencies as well.
CCPA/CPRA scope and application
Unlike the GDPR’s broad application, the CCPA/CPRA applies to for-profit businesses that do business in California and meet one of the following thresholds:
- have a gross annual revenue exceeding USD 25 million in the previous calendar year
- buy, sell, or share the personal data of more than 100,000 consumers or households
- earn more than 50 percent of their revenue from the sale of consumers’ personal information
The regulation defines such entities as “businesses” and extends compliance obligations to their service providers, third parties, and contractors through contractual agreements.
Like the GDPR, the CCPA/CPRA has extraterritorial reach. Businesses outside California — even those outside the US — must comply if they process the personal data of California residents and meet at least one of the regulation’s thresholds.
CCPA vs GDPR: who is protected?
The scope of protection under the CCPA/CPRA and the GDPR differs based on individuals’ residency status or location, which reflects the regulations’ distinct approaches to safeguarding individual rights.
Who is protected under the GDPR?
The GDPR protects the rights of any individual who is in the EU/EEA and whose data is processed. They are referred to as “data subjects” under the GDPR.
Who is protected under the CCPA/CPRA?
The CCPA/CPRA applies to individuals who meet California’s legal definition of a “resident.” A California resident is anyone who resides in the state other than for temporary reasons or anyone domiciled in California but who is currently outside the state for temporary reasons.
It does not include people who are in the state for temporary purposes. This definition may be clarified further as case law develops through rulings on alleged violations.
Individuals covered by the CCPA/CPRA are referred to as “consumers.”
CCPA vs GDPR: what data is protected?
Both the GDPR and the CCPA/CPRA regulate the collection and use of individuals’ personal data.
Personal data under the GDPR
The GDPR defines personal data as any information relating to “an identified or identifiable individual,” or data subject. This includes basic identifiers such as names, addresses, and phone numbers, as well as more indirect identifiers like IP addresses or location data that can be linked to an individual.
The GDPR also imposes stricter obligations on the processing of certain types of data known as “special categories of personal data,” which may reveal specific characteristics and pose greater risk of harm to an individual if misused or abused. The following are considered special categories of personal data under the regulation:
- data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
- genetic data
- biometric data used for unique identification
- health information
- data related to a person’s sex life or sexual orientation
Personal information under the CCPA/CPRA
The CCPA/CPRA protects personal information, which it defines as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples include names, email addresses, geolocation data, browsing history, and purchase records.
The CPRA introduced a new category called “sensitive personal information,” which has additional protections and obligations for businesses. It includes, among other things:
- Social Security numbers
- driver’s license numbers
- financial account information
- precise geolocation data used to accurately identify a person within a radius of 1850 feet (563 meters)
- racial or ethnic origin
- religious beliefs
- genetic or biometric data
CCPA vs GDPR: when can data be processed?
The GDPR and the CCPA take fundamentally different approaches to regulating when personal data can be processed.
Data processing under the GDPR
The GDPR requires data controllers to have a valid legal basis to process personal data. There are six legal bases under the regulation:
- Consent: When the data controller has obtained consent from the data subject that is “freely given, specific, informed, and unambiguous.” Consent must be voluntary and explicit to be considered valid.
- Contract: When processing is necessary to fulfill or prepare a contract with the data subject.
- Legal obligation: To comply with an obligation under a law laid down by the EU or the member state that applies to the data controllers.
- Vital interests: When processing is necessary in the vital interests of the data subject or of another person, such as in an emergency.
- Public interest: When processing is necessary for tasks carried out in the interest of the public, or for tasks carried out by the data controllers as an official authority, as determined by the EU or the member state that applies to the data controllers.
- Legitimate interests: When data processing is essential for the legitimate interests of the data controller or a third party, provided that the rights and freedoms of the data subject don’t override a legitimate interest.
These legal bases establish clear conditions under which organizations can collect, store, and use personal data, in an effort to ensure that processing aligns with lawful purposes. Companies may be required by data protection authorities to provide proof to back up their legal basis, e.g. if they claim legitimate interests instead of obtaining valid user consent.
Data processing under the CCPA/CPRA
The CCPA/CPRA does not require businesses to establish a legal basis for processing personal information. Instead, businesses are free to collect and process data under most circumstances, provided they comply with the law’s consumer-focused mechanisms. These include giving consumers the right to:
- opt out of the sale or sharing of their personal information
- opt out of use of their personal data for targeted advertising or profiling
- limit the use and disclosure of sensitive personal information
Businesses must also transparently disclose processing purposes and practices under the regulation.
Rather than restricting data processing upfront, the CCPA/CPRA places responsibility on businesses to provide clear mechanisms and processes for consumers to exercise their rights and control how their data is used.
CCPA vs GDPR: what does consent look like?
The CCPA/CPRA and the GDPR differ significantly in their approaches to consent. The GDPR relies on explicit opt-in consent, while the CCPA/CPRA generally uses an opt-out model, with exceptions for specific cases.
Consent under the GDPR
Consent is one of the legal bases for processing personal data under the GDPR. The regulation requires data controllers to obtain explicit consent from users before collecting or processing their data.
Consent given must be “freely given, specific, informed, and unambiguous.” This means individuals need to actively agree to their data being processed by taking an action such as ticking a box on a form or selecting specific settings.
Consent cannot be assumed from pre-checked boxes, ignoring the consent mechanism, or inactivity. Further, each purpose for processing data requires separate consent, and individuals must be able to withdraw their consent at any time. The process for withdrawing must be as simple and accessible as the process for giving consent.
The age of consent under the GDPR is 16 years. For minors under 16, the GDPR requires consent to be obtained from a parent or legal guardian. However, the GDPR permits member states to lower the age of consent to as young as 13 through their national laws.
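The validity conditions just described (an affirmative action, no pre-checked boxes or inactivity, a separate decision per purpose, and withdrawal that is as easy as giving consent) as a consent-record check, added here as an example and not taken from the article or from any consent management product. The record layout, field names and sample data are assumptions made for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Signal(Enum):
    """How the data subject's choice was captured. Only an explicit action can count."""
    EXPLICIT_OPT_IN = "explicit_opt_in"   # user ticked an unchecked box or chose a setting
    PRE_CHECKED = "pre_checked"           # box was already ticked; the user did nothing
    NO_INTERACTION = "no_interaction"     # banner ignored, page scrolled, user inactive


@dataclass
class PurposeConsent:
    purpose: str                         # one processing purpose, e.g. "marketing_email"
    signal: Signal
    given_at: datetime | None = None
    withdrawn_at: datetime | None = None


@dataclass
class ConsentRecord:
    subject_id: str
    controller: str                      # who is asking; part of being "informed"
    info_shown: bool                     # purpose-specific information shown before the choice
    withdrawal_available: bool           # withdrawal offered as easily as giving consent
    purposes: list[PurposeConsent] = field(default_factory=list)


def consent_problems(rec: ConsentRecord, purpose: str, now: datetime) -> list[str]:
    """Return the reasons the record does NOT give valid consent for `purpose` (empty = valid)."""
    problems: list[str] = []
    if not rec.info_shown:
        problems.append("not informed: no purpose-specific information was shown")
    if not rec.withdrawal_available:
        problems.append("withdrawal must be as simple as giving consent")
    # Each purpose needs its own decision; a bundled "accept everything" does not qualify.
    matches = [p for p in rec.purposes if p.purpose == purpose]
    if not matches:
        problems.append(f"no separate decision recorded for purpose '{purpose}'")
        return problems
    p = matches[0]
    if p.signal is not Signal.EXPLICIT_OPT_IN:
        problems.append(f"'{purpose}': {p.signal.value} is not an affirmative action")
    if p.given_at is None:
        problems.append(f"'{purpose}': no timestamp, so consent cannot be demonstrated")
    if p.withdrawn_at is not None and p.withdrawn_at <= now:
        problems.append(f"'{purpose}': consent withdrawn at {p.withdrawn_at.isoformat()}")
    return problems


def has_valid_consent(rec: ConsentRecord, purpose: str, now: datetime) -> bool:
    return not consent_problems(rec, purpose, now)


# Constructed sample record (not a real data subject).
SAMPLE_NOW = datetime(2025, 6, 30, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORD = ConsentRecord(
    subject_id="subj-42",
    controller="Example Shop Ltd (constructed)",
    info_shown=True,
    withdrawal_available=True,
    purposes=[
        PurposeConsent("marketing_email", Signal.EXPLICIT_OPT_IN,
                       given_at=datetime(2025, 1, 5, tzinfo=timezone.utc)),
        PurposeConsent("analytics", Signal.PRE_CHECKED,
                       given_at=datetime(2025, 1, 5, tzinfo=timezone.utc)),
        # "profiling" was never offered as a separate choice, so it is absent on purpose.
    ],
)


def withdraw(rec: ConsentRecord, purpose: str, when: datetime) -> None:
    """Record a withdrawal; later checks for that purpose must fail."""
    for p in rec.purposes:
        if p.purpose == purpose:
            p.withdrawn_at = when


if __name__ == "__main__":
    for purpose in ("marketing_email", "analytics", "profiling"):
        print(purpose, consent_problems(SAMPLE_RECORD, purpose, SAMPLE_NOW) or "valid")
```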
Consent under the CCPA/CPRA
The CCPA/CPRA does not require businesses to obtain opt-in consent to collect or process personal information in most cases. Instead, it operates primarily on an opt-out model, where businesses must provide clear methods for consumers to decline the sale or sharing of their information.
However, there are specific scenarios in which prior consent is required under the CCPA/CPRA:
- Collecting, selling, or sharing the personal information of minors requires opt-in consent. For minors between the ages of 13 and 16, consent must be obtained directly from the minor. For those under 13, consent must come from a parent or legal guardian.
- Selling or sharing the personal information of consumers who have previously opted out requires a business to obtain the consumer’s consent.
- If a consumer dictates that a business only use sensitive personal information to provide the goods and services it offers, the business cannot use or disclose this information for any other reason without the consumer’s consent.
- Entering a consumer into financial incentive programs tied to the collection or retention of personal information requires explicit consent.
For cases requiring consent, the CCPA/CPRA’s definition of consent closely aligns with the GDPR’s requirements: it must be freely given, specific, informed, and unambiguous.
CCPA vs GDPR: what are users’ rights?
Both the GDPR and the CCPA/CPRA grant individuals specific rights over their personal data, which enable them to understand, access, and control how their information is used.
Data subjects’ rights under the GDPR
Under the GDPR, data subjects are entitled to the following rights:
- Right to be informed: Individuals must be informed about how their data is collected, used, and shared, by whom, for what reason, and which third parties are receiving their data, if any.
- Right to access: Individuals can request confirmation of whether their data is being processed and obtain a copy of their data from the data controller.
- Right to rectification: Individuals can request corrections to incomplete or inaccurate personal data.
- Right to erasure (right to be forgotten): Individuals can ask for their personal data to be deleted under certain conditions, such as when it is no longer needed for its original purpose or when they withdraw consent, among others.
- Right to restrict processing: Individuals can request that their data isn’t processed in certain situations. These include instances when there is no legal basis for processing or the controller doesn’t require the data for the original purposes anymore, among others.
- Right to data portability: Individuals can receive the data collected on the basis of consent or contract in a structured, commonly used, and machine-readable format and transfer it to another controller.
- Right to object: Individuals can object to data processing on certain grounds, including when it is used for direct marketing purposes.
- Rights related to automated decision-making: Individuals can contest decisions made solely by automated processes that significantly affect them, such as profiling.
Consumers’ rights under the CCPA/CPRA
The CCPA/CPRA grants California residents the following rights over their personal information:
- Right to know and access: Consumers have a right to know what personal information is being collected about them, for what reason, and whether it is sold or shared. They also have a right to request a copy of their personal information collected by a business.
- Right to delete: Consumers can request that businesses delete their personal information, with some exceptions. For example, businesses do not have to delete data that is needed to comply with legal obligations.
- Right to correct: Consumers can request that inaccurate personal information be corrected.
- Right to opt out: Consumers can opt out of the sale or sharing of their personal information, as well as its use for targeted advertising or profiling. Businesses must include a “Do Not Sell Or Share My Personal Information” link on their websites.
- Right to limit: Consumers can limit the use or disclosure of their sensitive personal information for purposes other than obtaining the goods or services that the business provides.
- Right to nondiscrimination: Consumers are protected from being penalized or denied services for exercising their privacy rights under the regulation.
- Right to data portability: Consumers can request their personal information in a “structured, commonly used, machine-readable format,” to transfer it to another service or business.
CCPA vs GDPR: transparency requirements
Both the GDPR and the CCPA/CPRA require businesses to provide transparency in their data handling practices, though they approach this requirement in different ways.
Transparency requirements under the GDPR
While the GDPR does not explicitly mandate publishing a privacy policy, it requires data controllers to provide detailed and specific information about their data processing policies in a way that is concise, transparent, and easy to understand. It must use clear and simple language, especially when communicating with children. This information should be easily accessible and provided in writing, electronically, or through other appropriate means. This requirement is typically achieved through a privacy policy published on a data controller’s website, often located in the footer so that it is easily accessible on every page.
A GDPR-compliant privacy policy must include:
- the data controller’s identity and contact information, and, if applicable, the contact details of the Data Protection Officer
- purpose(s) of and legal bases for data processing
- who will have access to the personal data
- categories of personal data being processed
- whether the data will be transferred internationally and the safeguards in place if so
- for how long the data will be retained
- information on data subjects’ rights and how to exercise them, as well as the right to lodge a complaint with a supervisory authority
- how to withdraw consent
Transparency requirements under the CCPA/CPRA
The CCPA/CPRA requires businesses to provide specific notices to consumers to ensure transparency about how their personal information is used.
Notice at or before the point of collection
Businesses are required to inform consumers about the personal information they collect at or before the time it is collected. This includes details on what types of information (including sensitive personal information, if any) are being collected, the purpose(s) of collection, how long they will keep the information, and whether it will be sold or shared. If the business sells personal information, the notice must include a “Do Not Sell Or Share My Personal Information” link so users can easily opt out. The notice should also provide a link to the business’s privacy policy, where consumers can find more detailed information about their rights and the company’s privacy practices.
Privacy policy
Businesses must have a privacy policy that is easy to access and includes:
- a list of the types of personal information the business collects, sells, or shares, which is updated at least once per year
- where the business collects the personal information from
- business or commercial purposes for collecting, selling, or sharing personal information
- who the business shares or discloses the information with
- what rights consumers have under the CCPA/CPRA and how they can exercise them
- a “Do Not Sell Or Share My Personal Information” link that takes consumers to a page where they can opt out of their information being sold or shared
- a “Limit The Use Of My Sensitive Personal Information” link (if applicable) so consumers can control how their sensitive information is used
The privacy policy must be updated once every 12 months or when there are changes to privacy practices. It must be written in plain, simple language that the average person could understand, and it must be accessible to all readers, including those with disabilities.
CCPA vs GDPR: security requirements
Both the CCPA/CPRA and the GDPR require entities that process data to take steps to secure the personal information they collect, though their specific obligations differ.
Security requirements under the GDPR
Keeping personal data secure is a foundational principle of processing under the GDPR. The regulation requires that personal data is processed in a way that keeps it safe by protecting it against unauthorized or unlawful processing as well as accidental loss, destruction, or damage.
Controllers and processors are required to adopt technical and organizational security measures that are suitable to the risks posed to personal data. These measures may include pseudonymization, encryption, and robust access controls to prevent unauthorized processing.
Controllers are required to conduct Data Protection Impact Assessments (DPIAs) for processing activities likely to result in high risks to individuals’ rights and freedoms, such as profiling, large-scale processing, or handling sensitive data. These assessments identify potential risks and determine the safeguards needed to mitigate them.
Security requirements under the CCPA/CPRA
The CCPA as it was originally passed did not include specific security requirements. The CPRA’s amendments to the regulation introduced provisions to address data protection more directly.
The CCPA/CPRA now requires businesses that collect consumers’ personal information to implement reasonable security measures appropriate to the nature of the personal information. These measures aim to protect against unauthorized or illegal access, destruction, use, modification, or disclosure.
For data processing activities that pose significant risks to privacy or security, businesses must conduct regular risk assessments and annual cybersecurity audits. These reviews assess factors like how sensitive personal information is used and the possible effects on consumer rights, balanced against the purpose of the data processing. While the CPRA outlines these obligations, the exact requirements businesses must follow are still being defined.
CCPA vs GDPR: enforcement and penalties
Both the GDPR and the CCPA/CPRA include enforcement mechanisms and penalties to ensure compliance, but the process and scale differ significantly between the two laws.
Enforcement and penalties under the GDPR
Each EU member state enforces the GDPR through its own Data Protection Authority (DPA), an independent public body responsible for overseeing compliance. DPAs have the authority to investigate compliance, address complaints, and impose penalties for violations. Data subjects can lodge complaints with a DPA in their country of residence, workplace, or where the violation occurred.
GDPR penalties are among the highest globally for data protection violations. Fines are divided into two tiers based on the severity of the offense:
- for less severe violations, fines are up to 2 percent of annual global turnover or EUR 10 million, whichever is higher
- for more serious violations, fines can be up to 4 percent of annual global turnover or EUR 20 million, whichever is higher
Enforcement and penalties under the CCPA/CPRA
The CCPA/CPRA are enforced by both the California Attorney General (AG) and the California Privacy Protection Agency (CPPA), a new enforcement body that was established under the CPRA. The CPPA has the authority to investigate violations and impose penalties, but it cannot limit the AG’s enforcement powers. The CPPA must halt its investigation if the AG requests, and businesses cannot be penalized by both authorities for the same violation.
Penalties under the CCPA/CPRA include:
- up to USD 2,500 for each unintentional violation
- up to USD 7,500 for each intentional violation
- up to USD 7,500 for each violation involving the personal information of minors
The regulation also provides consumers with the right to take legal action in the event of a data breach. Consumers can claim statutory damages of USD 100 to USD 750 per incident or seek actual damages, whichever is greater, along with injunctive relief. Private rights of action are limited to data breaches, while civil penalties apply only to violations pursued by the AG or CPPA.
CCPA vs GDPR: how to comply
The first step toward compliance is determining whether your organization collects personal data or personal information from individuals protected under these laws. For California residents, businesses must also confirm whether they meet the legal definition of a “business” under the CCPA/CPRA.
We strongly recommend consulting a qualified legal expert who can give you advice specific to your organization to achieve compliance with both data privacy regulations.
GDPR compliance
Here is a non-exhaustive list of steps to take for GDPR compliance:
- create a privacy policy that clearly outlines data collection, processing, and storage practices
- obtain specific, informed, and freely given consent from data subjects before collecting or processing personal data
- maintain detailed records of all data processing activities, including the purposes, data categories, and data retention periods
- enter into Data Processing Agreements (DPAs) with data processors, setting out clear terms for processing activities and mandating compliance with GDPR standards
A consent management platform (CMP) can simplify compliance with the GDPR’s consent and record-keeping requirements. CMPs enable businesses to collect and document explicit user consent for data processing, including cookies, in a manner that aligns with GDPR standards. They can also help maintain records of consent, link these to processing activities, and integrate cookie banners to promote transparency.
CCPA/CPRA compliance
To comply with the CCPA/CPRA, businesses should focus on the following key actions:
- provide a notice at or before the point of data collection that details what personal and sensitive information is collected, how it will be used, and whether it will be sold or shared
- ensure your privacy policy includes information about what data categories are collected and for what purpose, as well as instructions on how consumers can exercise their rights
- add visible opt-out links to your website — labelled “Do Not Sell Or Share My Personal Information” and “Limit The Use Of My Sensitive Personal Information” — to enable consumers to exercise their opt-out rights
- provide at least two ways for consumers to exercise their rights, such as a toll-free phone number or a web form
- secure opt-in consent for selling or sharing data for individuals between the ages of 13 and 16, and obtain consent from a parent or guardian for minors under 13
- ensure your organization does not penalize or discriminate against consumers who exercise their privacy rights
A CMP can enable businesses to implement opt-out mechanisms for the sale or sharing of personal information and manage limitations on sensitive personal information. CMPs also make it easier to display a notice at the point of collection through a cookie banner to inform consumers about data collection practices.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are consumer privacy laws that aim to safeguard California residents’ personal information. Businesses that operate in California must understand these regulations to protect consumer privacy, maintain trust, and avoid potential litigation and penalties.
In this guide, we look at the California privacy laws, the changes introduced by the CPRA, and how businesses can achieve compliance.
What is the CCPA and CPRA?
The California Consumer Privacy Act (CCPA) passed in 2018 and has been in effect since January 1, 2020. It’s the first comprehensive consumer privacy law passed in the US. It grants California’s nearly 40 million residents greater control over their personal information and imposes obligations on businesses that handle this information.
The California Privacy Rights Act (CPRA), approved by ballot on November 3, 2020, does not entirely replace the CCPA. Instead, the CPRA strengthens and expands the CCPA with enhanced protections for the state’s residents, known as “consumers” under the laws, and new obligations for businesses. The CPRA went into effect on January 1, 2023, but legal challenges delayed enforcement until February 2024.
The CPRA brings the California privacy law closer to the European Union’s General Data Protection Regulation (GDPR) in some ways. Together, the two California privacy laws are often referred to as “the CCPA, as amended by the CPRA” or simply the “CCPA/CPRA.”
Understanding the CCPA
The CCPA set a new standard for consumer data privacy in the US, empowering California residents with control over their personal information and requiring businesses to comply with strict data handling practices.
Who must comply with the CCPA?
For-profit businesses operating in California must comply with the CCPA if they:
- collect or process the personal information of California residents, and
- meet at least one of the following thresholds:
  - have annual gross revenues exceeding USD 25 million
  - handle personal information of 50,000 or more consumers, households, or devices
  - earn more than 50 percent of their annual revenue from selling consumers’ personal information
Importantly, the law has extraterritorial jurisdiction, meaning it applies to businesses outside California if they meet these criteria. Under the CPRA there have been changes to these criteria, outlined below.
Who does the CCPA protect?
The CCPA protects individuals who meet the following legal definition of a California resident:
- those who are in the state for purposes other than a temporary or transitory reason
- those who are domiciled in California while temporarily outside the state, such as for vacation or work
Individuals who meet this legal definition remain protected even when they are temporarily outside the state. However, individuals who are only temporarily in California, e.g. for vacation, are not protected under the law.
The definition of who qualifies as a California resident may shift as courts interpret the CCPA in response to legal challenges and privacy lawsuits.
What does the CCPA protect?
The CCPA safeguards the personal information of California residents, which is defined under the law as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This broad definition covers a wide range of information, including a consumer’s real name, telephone number, email address, alias, IP address, browsing history, and search history.
Key consumer rights under the CCPA
The CCPA gives California consumers significant control over their personal information by introducing specific rights:
- Right to know: Consumers can request details about the personal information a business has collected about them in the previous 12 months.
- Right to delete: Consumers can request the deletion of their personal information that has been collected by a business, with some exceptions.
- Right to opt out: Consumers can opt out of the sale of their personal information to third parties.
- Right to non-discrimination: Businesses cannot deny services, charge different prices, or offer lower-quality goods or services to consumers who exercise their CCPA rights.
- Right to file civil proceedings: The CCPA grants consumers a private right of action in the event of a data breach. If a business fails to implement and maintain reasonable security measures, leading to the unauthorized access, theft, or disclosure of nonencrypted or nonredacted personal information, consumers can file a civil lawsuit against the business.
The CPRA updates some of these rights and adds additional ones as well, outlined below.
Key CCPA compliance requirements for businesses
Under the CCPA, businesses must meet specific requirements to achieve compliance with consumer privacy rights.
Privacy notices
Businesses must provide clear and detailed privacy notices to consumers at or before the point of collection of their personal information. The CCPA requires businesses to inform consumers of the categories of personal information they collect and the purposes for which each category will be used. However, under many circumstances businesses are not required to obtain user consent before collecting personal information.
Opt-in rights for minors
Businesses collecting personal information from minors must obtain explicit consent before selling or sharing their data. For minors aged 13 to 16, opt-in consent must be obtained directly from the minor. For children under 13 years old, opt-in consent must be secured from a parent or legal guardian.
Provisions for opting out of sale
Businesses must enable consumers to opt out of the sale of their personal information through an easily accessible link titled “Do Not Sell My Personal Information” on their website. This has also been updated and expanded under the CPRA.
Enforcement of the CCPA
Before the CPRA amendment, under the CCPA, enforcement responsibilities rested solely with the California Attorney General (AG). When a business was found to be in violation of the law, the AG was required to notify the business, giving it 30 days to address and resolve the alleged violation (known as a cure period).
The maximum penalties for noncompliance under the CCPA are:
- USD 2,500 for each unintentional violation
- USD 7,500 for each intentional violation
Understanding the CPRA
The CPRA builds on the CCPA, introducing new and expanded rights for consumers and additional obligations for businesses. It marks a significant step forward in safeguarding California residents’ personal information.
Who must comply with the CPRA?
The CPRA updated some compliance thresholds for businesses while retaining certain aspects of the CCPA’s criteria. The annual gross revenue threshold remains at USD 25 million, while the personal information handling threshold has increased from 50,000 to 100,000 California residents. Interestingly, more recently passed state-level data privacy laws have excluded a revenue-only threshold entirely.
For-profit businesses that collect or process the personal information of California residents must meet at least one of the following conditions to be subject to the CPRA:
- generate annual gross revenues exceeding USD 25 million in the previous calendar year
- buy, sell, or share the personal information of 100,000 or more California residents or households
- derive over 50 percent of their annual revenue from selling or sharing consumers’ personal information
Under the CPRA, the definition of “business” now includes for-profit entities that share consumers’ personal information, not just those that sell it. Sharing refers to any activity that involves the transfer of personal information to a third party for cross-context behavioral advertising, regardless of monetary or other valuable consideration, including transactions for the benefit of the business where there is no exchange of money.
Like the CCPA, the CPRA applies to businesses regardless of their location if they meet the listed thresholds. Businesses operating outside California but handling data belonging to its residents are still required to comply.
Establishment of the California Privacy Protection Agency (CPPA)
The CPRA created the California Privacy Protection Agency (CPPA) to enforce California’s updated privacy laws. This new body works alongside the Attorney General without replacing the AG’s authority. While the CPPA has independent enforcement powers, it is required to halt actions or investigations if requested by the AG. To prevent overlapping penalties, businesses cannot be fined by both the CPPA and the AG for the same violation.
Categorization of sensitive personal information under the CPRA
The CPRA introduced the category of “sensitive personal information,” which includes personal information that, if misused, could result in significant harm to consumers. This category includes, but is not limited to:
- Social Security numbers, driver’s license numbers, state ID card numbers, and passport numbers
- precise geolocation data that can identify a person’s location within a radius of 1850 feet (563 meters)
- debit or credit card numbers when combined with passwords or credentials needed to access the account
- information about racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, and union membership
- genetic data
- biometric data processed for the purpose of uniquely identifying a consumer
- personal information concerning a consumer’s health, sex life, or sexual orientation
- the contents of a consumer’s postal mail, email, and text messages, unless specifically directed to the business
Under the CPRA, businesses must disclose when they collect sensitive personal information and must provide consumers with the option to limit its use. Consumers can restrict the use or disclosure of sensitive personal information to purposes necessary for providing services or goods. To meet this requirement, businesses must include a clearly labeled link on their website titled “Limit The Use Of My Sensitive Personal Information.”
New consumer rights under the CPRA
The CPRA grants consumers additional rights to enhance control over their personal information.
- Right to correct inaccurate personal information: Consumers can request corrections to any personal information a business holds about them.
- Right to limit the use and disclosure of sensitive personal information: Consumers can restrict the use of sensitive personal information to purposes essential for delivering goods or services.
- Right to data portability: Consumers can request their personal information in a “structured, commonly used, machine-readable format” to transfer it to another service or business.
- Right to access information about automated decision-making or profiling: Consumers are entitled to know if automated processes or profiling are used in decisions that affect them, along with details about the likely outcomes of these processes.
- Right to opt out of automated decision-making: Consumers can refuse the use of their personal information in automated decision-making.
Expanded consumer rights under the CPRA
The CPRA builds on some of the existing CCPA consumer rights and enhances their scope.
- Right to know: Consumers can request access to personal information collected beyond the original 12-month limit set by the CCPA, as long as the information was collected on or after January 1, 2022.
- Right to delete: Businesses must not only delete a consumer’s personal information upon request, they must also notify any service providers, contractors, or third parties holding the data to delete it from their records, with exceptions.
- Right to opt out: Consumers can now opt out of both the sale and sharing of their personal information. Business websites must include a link that states “Do Not Sell or Share My Personal Information.” Additionally, consumers can opt out of their data being used for targeted advertising or profiling.
- Private right of action: Consumers can bring civil lawsuits against a business if their email address, combined with a password or security question that could grant access to their account, is breached. This expands the private right of action introduced by the CCPA to address new types of data security risks.
CPRA obligations pertaining to minors
The CPRA strengthens the protections for minors established by the CCPA, which required businesses to obtain opt-in consent from minors aged 13 to 16 or from their parent or legal guardian if the minor is under 13 before selling or sharing their personal information.
Under the CPRA, if a minor does not consent to their personal information being shared or sold, businesses must wait 12 months before requesting consent again. This provision prevents businesses from repeatedly soliciting consent after an opt-out decision.
The CPRA also increases penalties for violations involving minors. For each instance of noncompliance related to a minor’s personal information, businesses can face fines of up to USD 7,500.
Expanded consent requirements under the CPRA
Like the other US state-level data privacy laws, the CCPA operates on an opt-out model, meaning that in most cases prior consent is not required to collect consumers’ personal information. There are certain exceptions, such as collecting a minor’s personal information.
The CPRA broadens the CCPA’s consent requirements. Businesses must now obtain consent in several key areas:
- selling or sharing personal information after a consumer has opted out
- secondary use of sensitive personal information, including selling or sharing such data after a consumer opts out
- processing personal information for research purposes
- participation in financial incentive programs
The definition of consent under the CPRA is more closely aligned with that under the GDPR as “a freely given, specific, informed, and unambiguous indication of a consumer’s wishes” that signifies agreement to the processing of their personal information for a specific purpose.
Enhanced CPRA notice at collection requirements
The CPRA expands the required information businesses must include in their notice at collection to give consumers greater transparency about how their personal information is handled. The notice must now specify:
- whether the collected personal information is sold or shared
- categories of sensitive personal information collected
- purposes for collecting or using sensitive personal information
- the amount of time each category of personal information and sensitive personal information will be retained
Data minimization requirements under the CPRA
Businesses that must comply with the CPRA can collect only personal information that is “reasonably necessary and proportionate” to achieve the disclosed purposes or for another disclosed purpose that is “compatible with the context in which the personal information was collected.” Personal information cannot be processed for any purpose that is incompatible with that which has been disclosed to consumers.
The CPRA also restricts how long businesses can retain personal information. Retention periods must be limited to the time necessary to fulfill the purpose for which the information was collected, while accounting for other regulatory requirements.
These new CPRA requirements align with the data minimization and storage limitation principles under the GDPR.
Risk assessment requirements under the CPRA
Where the processing of consumers’ personal information poses a “significant risk to consumers’ privacy or security,” businesses must conduct annual cybersecurity audits and regular risk assessments. These assessments must evaluate whether the processing involves sensitive personal information and weigh the benefits of the processing against potential risks to consumer rights. Risk assessments conducted under the CPRA must be submitted to the CPPA for review. Formal rules detailing how businesses should implement these measures are still under development.
Contractual obligations under the CPRA
The CPRA requires businesses that share, sell, or disclose consumers’ personal information to contractors, service providers, or third parties to enter into official agreements with these entities. The agreement or contract must contain the following provisions.
- Limited use: The contract must specify that personal information is sold or disclosed only for limited and specified purposes.
- Compliance requirements: The contract must require the receiving entity to comply with the CPRA and maintain the same level of privacy protection as required by the law.
- Notification of noncompliance: The receiving entity must notify the business if they can no longer meet their obligations under the CPRA.
- Monitoring rights: The contract must grant the business the right to take reasonable and appropriate steps to ensure that the receiving entity uses personal information in a way that is consistent with the business’s obligations under the CPRA.
- Remediation rights: The business must be granted the authority to take reasonable and appropriate steps to stop and address any unauthorized use of personal information, provided notice is given to the receiving entity.
Enforcement of the CPRA
The California Privacy Protection Agency (CPPA), established by the CPRA, shares enforcement authority with the Attorney General. The CPPA’s powers complement, rather than limit, the AG’s ability to enforce privacy laws.
The CCPA dictated that a business in violation of the law had a 30-day cure period to address and correct any alleged violation after being notified by the AG. The CPRA removes this automatic 30-day cure period for violations, although it can still be applied at the discretion of the authorities.
For private actions brought by consumers due to data breaches, the 30-day cure period still applies. This provision allows businesses an opportunity to resolve the issue before penalties are imposed.
CCPA/CPRA comparison chart
CCPA/CPRA Compliance Checklist
This checklist is designed to help your business align with CCPA/CPRA compliance requirements. We highly recommend consulting with a legal and/or privacy expert to achieve and maintain compliance.
Enable consumer opt-outs
Display clear links on your website to enable visitors to exercise their rights, labeled:
- “Do Not Sell or Share My Personal Information” for data sales and sharing opt-outs
- “Limit the Use of My Sensitive Personal Information” to enable consumers to control use of their sensitive data
Provide notice at collection
Display a notice at or before the point of collection, which specifies:
- types of personal and sensitive personal information collected
- purpose(s) for data collection
- whether personal information will be shared or sold to third parties
Maintain and update privacy policy
Publish and annually update (or as often as changes are required) a privacy policy on your website that:
- explains all consumer rights, including the handling of personal and sensitive information
- discloses cookie usage within the privacy policy or through a separate cookie policy
- explains how consumers can exercise their rights under the law
Have a system in place for Data Subject Access Requests (DSAR)
Establish two or more channels, such as a toll-free number, email, or form submission, through which consumers can easily exercise their rights and receive a timely response, and set up an identity verification system for users submitting requests.
Manage opt-out requests efficiently
Process opt-out requests within 15 days, and stop data sales or sharing immediately upon receiving a request. Notify any third parties that received the consumer’s data in the previous 90 days to halt further processing.
Obtain consent for personal information from minors
For consumers under 16, obtain opt-in consent before selling or sharing their data as follows:
- for minors aged 13 to 16 years, obtain opt-in consent from the minor
- for minors under 13 years old, obtain opt-in consent from their parent or legal guardian
Provide access to personal information records
On request, give consumers a report of their personal information collected over the past 12 months, free of charge.
Respond promptly to consumer requests
Acknowledge and process requests for data disclosure or deletion within 45 days of receipt, and provide confirmation of how the request will be handled.
Review financial incentives
Only offer financial incentives or differentiated services if they are reasonably related to the value the consumer’s personal information brings to the business.
Ensure non-discriminatory practices
Ensure that consumers are not penalized for exercising their rights under the California privacy laws, including the right to opt out of data collection and processing. This includes access to the website.
CCPA/CPRA compliance with Usercentrics CMP
If your business meets the CCPA/CPRA thresholds, using a consent management platform (CMP) like Usercentrics CMP can help you achieve compliance.
A CMP enables websites to offer cookie consent banners where you can display a “Do Not Sell or Share My Personal Information” link, enabling users to easily exercise their opt-out rights under the CCPA/CPRA. When a user opts out, the CMP can automatically block cookies and other tracking technologies to honor their privacy choices.
In addition to managing opt-outs, Usercentrics CMP supports transparent communication with users about data practices. Clearly inform users about the categories of data collected, why the data is collected, and any third parties that may receive it. This transparency aligns with the requirements of the CCPA/CPRA and other data privacy laws, making it easier for your business to achieve compliance and build trust with consumers.
Discover essential insights into GDPR regulations specific to the Benelux region—covering the Netherlands, Belgium, and Luxembourg. This comprehensive session explains how the GDPR applies to cookie consent and highlights the distinctions between EU directives and regional requirements across NL, BE, and LU.
You’ll gain an overview of the latest non-compliance fines, understand the risks facing your organization if guidelines aren’t followed, and learn how Usercentrics’ Consent Management Platform (CMP) can streamline your compliance process and help avoid penalties.
Don’t miss this chance to access tools and knowledge essential for effective GDPR compliance in the Benelux region.
What you’ll learn:
- GDPR in the Benelux: Understand how GDPR applies to cookie consent specifically in the Netherlands, Belgium, and Luxembourg.
- Compliance risks: Get an overview of recent fines for non-compliance and the risks your organization may face.
- Streamlining compliance: Discover how Usercentrics’ CMP can simplify your compliance processes and help avoid fines.
Who should watch:
- Compliance Officers: Ensure your organization meets GDPR requirements and avoids potential fines.
- Marketing Professionals: Learn how cookie consent affects marketing strategies and data collection.
- Business Owners: Stay updated on legal obligations impacting business operations in the Benelux region.
- Data Protection Officers: Gain best practices for maintaining compliance in a changing regulatory landscape.
The United States does not yet have a single federal data protection law. To date, an increasing number of states have passed their own laws and/or updated existing ones, and bills have been introduced, are in progress, or have failed in many others.
There are a number of other long-standing privacy laws in the US that target specific types of information or demographic groups, such as the Health Insurance Portability and Accountability Act (HIPAA) for health data and the Children’s Online Privacy Protection Act (COPPA) for children’s safety. This patchwork makes it hard to keep track of, and achieve compliance with, all of the regulations that address personal data.
The first and most influential state-level consumer privacy law passed in the United States is the California Consumer Privacy Act (CCPA). It takes some influence from the European Union’s General Data Protection Regulation (GDPR) and has, in turn, influenced privacy bills drafted by other states, including the Virginia Consumer Data Protection Act (VCDPA).
What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a US state-level consumer privacy law that was passed in 2018 and came into effect on January 1, 2020. It applies exclusively to residents of California, known as “consumers” under the law, and regulates the protection of their personal information.
It’s worth noting, however, that California is the most populous US state, with a population of over 39 million people, as well as having the world’s fifth largest economy, and a number of the world’s largest and most influential tech companies are headquartered there. So the state has an outsized influence on many fronts.
A consumer under the law is a natural person who is a resident of California, however identified, including by means of a unique identifier. A “resident” means:
- every individual who is in the State for other than a temporary or transitory purpose
and
- every individual who is domiciled in the state who is outside the state for a temporary or transitory purpose
The CCPA was amended and expanded by the California Privacy Rights Act (CPRA), which took effect on January 1, 2023, and granted additional rights to consumers and established the California Privacy Protection Agency (CPPA), among other things. Enforcement of the CPRA began in February 2024 after a legal challenge. Enforcement had been scheduled to begin on July 1, 2023.
Definitions under the California Consumer Privacy Act (CCPA) data privacy law
The CCPA, as amended by the CPRA, defines several terms that cover the data it protects and data processing activities. Unlike most other data privacy laws, California does not use the terms “controller” or “processor”.
Personal information under the CCPA/CPRA
The CCPA/CPRA law defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA/CPRA’s definition of personal information is wide ranging, and examples under the law include, among other things:
- IP address, real name, alias, postal address, Social Security number, and email address
- biometric information that can establish individual identity, such as imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, as well as sleep, health, or exercise data that contain identifying information
- electronic activity information, such as browsing history or interactions with online ads
- professional or employment-related information
Personal information is known as personal data under many international and other state-level data privacy laws in the US.
Sensitive personal information under the CCPA/CPRA
Sensitive personal information is that which can cause harm to a consumer if misused, and includes, among other things:
- driver’s license, state ID card, passport, or Social Security number
- precise geolocation data that can accurately identify a person within a radius of 1850 feet (563 meters)
- racial or ethnic origin
- debit card or credit card number in combination with any required password or credentials that provide access to the account
- genetic data
- contents of a consumer’s postal mail, email, and text messages
Unique identifier under the CCPA/CPRA
The CCPA/CPRA law defines a unique identifier or “unique personal identifier” as “a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services.”
The law specifies that a family means a custodial parent or guardian and any children under 18 years of age who are in their custody.
Examples of unique identifiers are:
- device identifier
- IP address
- cookies, beacons, pixel tags, mobile ad identifiers, or similar technology
- customer number, unique pseudonym, or user alias
Consent under the CCPA/CPRA
The law defines consent as “any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer, or the consumer’s legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose.”
The following does not constitute valid consent under the CCPA/CPRA:
- acceptance of a general or broad terms of use or similar document
- hovering over, muting, pausing, or closing a piece of content
- agreement obtained through dark patterns
Sale under the CCPA/CPRA
The law defines sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.”
A business is not considered to have sold information when:
- a consumer uses or directs the business to intentionally disclose or interact with third parties
- the business uses or shares an identifier for the consumer, for the purpose of informing others that the consumer has opted out of the sale of or limited the use of their personal information
- the business transfers personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business
Who must comply with the California Consumer Privacy Act (CCPA)?
The CCPA/CPRA law applies to for-profit businesses that operate in California and collect the personal information of the state’s residents, if they meet any one of the following thresholds:
- annual gross revenues exceeding USD 25 million for the previous calendar year
- receive, buy, sell, or share personal information of 100,000 or more consumers or households
- earn more than half of their annual revenue from the sale of consumers’ personal information
Interestingly, more recently passed privacy laws in other states have abandoned the revenue-only compliance threshold. Whether or not the company is headquartered in or has an office in California is not relevant to compliance. All companies that meet the threshold must meet CCPA/CPRA obligations if they are doing business with California residents, regardless of where in the world they are based.
What are consumers’ rights under the California Consumer Privacy Act (CCPA) laws?
The CCPA, as amended by the CPRA, grants consumers several rights to enable them to protect their personal information and control how it’s used.
- Right to delete: consumers can request businesses to delete their personal information that was collected from the consumer.
- Right to correct: consumers can request a business to correct any incomplete or inaccurate personal information that it holds.
- Right to know and access: consumers have a right to know and access the categories of personal information the business holds about them, the purposes for collecting the information, where the business obtained the information from, categories of third parties who receive the information, and the specific personal information the business has collected about the consumer.
- Right to know regarding sale or disclosure: consumers have the right to know what categories of personal information the business holds; the categories of personal information sold, shared, or disclosed; and the categories of third parties to whom it is sold, shared, or disclosed.
- Right to opt out: consumers have the right to opt out of the sale or sharing of their personal information.
- Right to limit: consumers have the right to limit the use or disclosure of their sensitive personal information.
- Right of nondiscrimination: consumers have the right not to be discriminated against for exercising any of their rights under the law.
In addition to these rights that are explicitly stated in the CCPA/CPRA, consumers also have the right to data portability. Where a consumer has exercised their right to know and access personal information, businesses must present the consumer’s specific personal information in a “structured, commonly used, machine-readable format.”
Obligations under the California Consumer Privacy Act (CCPA) Rules
Businesses have specific CCPA/CPRA obligations to protect consumers’ personal data, ensuring transparency and accountability in their data handling practices.
Notices required under the CCPA/CPRA
The CCPA/CPRA requires businesses to provide two distinct notices to consumers: a notice at collection and a privacy policy.
A notice at collection must be displayed to consumers at or before the point where the business collects their personal information. This notice must clearly list:
- categories of personal information collected, including sensitive personal information, if any
- purposes for which personal information will be used, including sensitive personal information, if any
- whether personal information or sensitive personal information is sold or shared
- how long the business will retain the personal information and sensitive personal information
- If the business sells or shares personal information, the notice must include a link with the specific words “Do Not Sell Or Share My Personal Information”, enabling consumers to easily opt out of such transactions.
The notice at collection should contain a link to the business’s privacy policy.
The CCPA privacy policy must include:
- a description of consumers’ privacy rights and how to exercise them
- categories of personal information collected, sold, or shared in the preceding 12 months
- categories of sources from which personal information is collected
- business or commercial purpose for collecting, selling, or sharing personal information
- categories of third parties to whom personal information is disclosed
Businesses commonly make their privacy policy accessible on their websites, typically found via a link in the footer so that consumers can easily find and review the privacy policy.
Consent requirements under the CCPA/CPRA
In most cases, the CCPA/CPRA does not require explicit consent from consumers for the collection, use, or sharing of their personal information. It operates on an opt-out model, where consumers are assumed to consent to data use unless they choose to opt out. There is an exception for the personal information belonging to minors:
- For minors aged 13 to 16, businesses must obtain explicit, opt-in consent from the minor before selling or sharing their personal information
- For minors under 13 years of age, businesses must obtain explicit consent from a parent or guardian before collecting or selling their data
Consumers have the right to opt out of the sale and several other uses of their personal information and to limit the use or disclosure of sensitive personal information.
Opt-out requests under the CCPA/CPRA
Businesses must provide options for consumers to opt out of:
- sale or sharing of their personal information (and targeted advertising and profiling under the CPRA)
- use or disclosure of their sensitive personal information for unauthorized purposes
The law mandates specific ways for businesses to provide consumers with opt-out options.
- Through a clear and conspicuous link on the business’s homepage titled “Do Not Sell Or Share My Personal Information,” which directs consumers to a page from which they can opt out of the sale or sharing of their personal information.
- Through a clear and conspicuous link titled “Limit The Use Of My Sensitive Personal Information,” which enables consumers to limit the use or disclosure of their sensitive personal information.
- If a business prefers, it can use a single link that combines both functions, as long as it enables consumers both to opt out of the sale, sharing, targeted advertising, or profiling based on their personal information and to limit the use or disclosure of their sensitive personal information.
Businesses must also respect universal opt-out mechanisms, such as Global Privacy Control (GPC) signals, through which consumers can set their consent preferences once and communicate them automatically across various websites and online services.
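The following is an added example, not code from Usercentrics or from the page, showing how a website can honor a Global Privacy Control signal as a CCPA/CPRA opt-out of sale or sharing. The GPC specification defines two signals: the HTTP request header `Sec-GPC: 1` and the browser property `navigator.globalPrivacyControl`. The stored-preference values, the tag purpose categories, and the sample tag list are constructed for this example; the functions `resolveSaleOptOut` and `tagsToLoad` are hypothetical helpers, not a CMP API.

```javascript
// Added example (not Usercentrics code): honoring a Global Privacy Control
// (GPC) opt-out signal under the CCPA/CPRA.
//
// GPC is sent two ways:
//   1. HTTP request header  `Sec-GPC: 1`
//   2. browser property     `navigator.globalPrivacyControl === true`
// Both are checked below; either one is treated as an opt-out request.

// Case-insensitive header lookup. `headers` is a plain object as a server
// framework would hand it to a request handler.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return String(headers[key]).trim();
  }
  return null;
}

// The specification defines only the value "1" as a signal; "0", "true" or
// an absent header is NOT an opt-out.
function gpcFromHeaders(headers) {
  return headerValue(headers, "Sec-GPC") === "1";
}

// Decide the consumer's opt-out status for sale/sharing of personal information.
//   headers          - request headers (server side)
//   nav              - a navigator-like object (client side), may be null
//   storedPreference - preference previously recorded for this consumer:
//                      "opt_out", "opt_in" or null (constructed values)
// Returns { optOutOfSale, source } where source is "gpc", "stored" or "default".
// A GPC signal takes precedence over a stored opt-in: the conservative choice
// is to process the signal as an opt-out rather than override it silently.
function resolveSaleOptOut({ headers = {}, nav = null, storedPreference = null } = {}) {
  const gpc = gpcFromHeaders(headers) || (nav !== null && nav.globalPrivacyControl === true);
  if (gpc) return { optOutOfSale: true, source: "gpc" };
  if (storedPreference === "opt_out") return { optOutOfSale: true, source: "stored" };
  return { optOutOfSale: false, source: "default" };
}

// Given the decision, keep only the tags that may load. Tags whose purpose is
// "sale_or_share" (third-party advertising / cross-context behavioral ads) are
// suppressed when the consumer has opted out; essential and first-party tags
// are unaffected by a sale/share opt-out.
function tagsToLoad(tags, decision) {
  return tags.filter(
    (tag) => !(decision.optOutOfSale && tag.purpose === "sale_or_share")
  );
}

// Constructed sample tag inventory for the demonstration.
const SAMPLE_TAGS = [
  { name: "session-cookie", purpose: "essential" },
  { name: "first-party-analytics", purpose: "analytics" },
  { name: "ad-network-pixel", purpose: "sale_or_share" },
  { name: "data-broker-beacon", purpose: "sale_or_share" },
];

// Walk through a constructed request that carries the GPC header.
function demo() {
  const request = { headers: { "Sec-GPC": "1", "User-Agent": "example" } };
  const decision = resolveSaleOptOut({ headers: request.headers, storedPreference: "opt_in" });
  const allowed = tagsToLoad(SAMPLE_TAGS, decision).map((t) => t.name);
  return { decision, allowed };
}

console.log(JSON.stringify(demo()));
```

The header path matters for server-rendered pages and API endpoints that decide which third-party tags to emit; the `navigator` path matters for consent logic that runs in the browser. Logging `decision.source` alongside each request gives an audit trail showing that a signal was received and acted on.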
Consumer requests for right to know, correct, and delete
Consumers have the right to request information about the personal data collected about them, as well as to correct inaccuracies or to delete that data.
The law requires businesses to provide at least two designated methods for consumers to submit their requests, which must include a toll-free telephone number. For businesses that operate exclusively online and have a direct relationship with consumers, an email address is sufficient.
If a business maintains a website, it should enable consumers to submit requests for information, correction, and deletion directly through the site.
Consumers can request data that was collected up to 12 months prior to the date of their request. Businesses have 45 days from the date of the request to disclose the requested information, and they may seek an extension of an additional 45 days under certain circumstances.
While businesses may require consumers to log in to an existing account to verify their identity and submit a request, they cannot require consumers to create a new account for this purpose.
Contracts under the CCPA/CPRA
Businesses that collect consumers’ personal information sometimes sell or share consumers’ personal information with a third party, or disclose the personal information to a service provider or contractor for business purposes.
The CCPA/CPRA requires businesses to enter into agreements with these third parties, service providers, or contractors. The agreement must outline that:
- the personal information is sold, shared, or disclosed only for limited and specific purposes
- the third party, service provider, or contractor must comply with the CCPA/CPRA obligations applicable to them
- the third party, service provider, or contractor must provide the level of data privacy protection required by the law
- the business is entitled to take “reasonable and appropriate steps” to ensure that any third party, service provider, or contractor uses the personal information shared in a way that aligns with the business’s CCPA/CPRA obligations
- the third party, service provider, or contractor must inform the business if it cannot meet its legal obligations
- the business has the right to take reasonable and appropriate steps to stop and remedy any unauthorized use of personal information, after providing notice
Contracts with service providers and contractors must also prohibit them from:
- selling or sharing personal information
- retaining, using, or disclosing personal information for any purpose other than that specified in the contract
- combining the personal information received from the business with personal information received by any other means, except for purposes exempted under the law
Data security under the CCPA/CPRA
Businesses that collect consumers’ personal information are obligated to safeguard the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure. The CCPA/CPRA requires businesses to implement “reasonable security procedures and practices” for this purpose.
Data minimization under the CCPA/CPRA
Under the CCPA/CPRA, businesses can collect, use, store, and share consumers’ personal information only to the extent needed to achieve the original purpose for collecting the information, or for another compatible purpose. The personal information must not be processed in ways that conflict with the original purposes.
This requirement is a key aspect of data minimization, which means that companies must limit their handling of personal data to what is essential for the intended purposes.
The CPPA, in its Enforcement Advisory No. 2024-1, has highlighted the various CCPA regulations that reflect the principle of data minimization by prohibiting businesses from requiring consumers to share additional information “beyond what is necessary.”
Enforcement and penalties under the California Consumer Privacy Act (CCPA)
The CCPA/CPRA has certain unique characteristics when it comes to enforcing the state’s consumer privacy law.
Unlike most states, where the Attorney General has sole enforcement authority, California permits both the Attorney General and CPPA to enforce the law. However, the CPPA cannot limit the Attorney General’s authority and must stay an administrative action or investigation when requested. A business cannot be penalized by both the Attorney General and the CPPA.
Violations of the CCPA/CPRA attract civil penalties of up to:
- USD 2,500 per non-intentional violation
- USD 7,500 per intentional violation and violation involving the personal information of minors
The CCPA/CPRA is also the only consumer privacy law in the US that grants consumers a private right of action, although it is limited to specific situations. Consumers can sue a business when a data breach occurs because the business failed to implement reasonable security measures to protect personal information, and the breach results in non-encrypted or non-redacted personal information being stolen.
Consumers must give businesses 30 days to cure the violation in the event of a data breach before they can bring an action against the business. Of note is that when the CCPA came into effect, the Attorney General also provided a 30-day cure period; however, that has now sunset.
Consumers can bring an action:
- to recover damages between USD 100 and USD 750 per incident, or actual damages suffered, whichever is greater
- for injunctive or declaratory relief
If a consumer believes their rights, other than those arising out of a data breach, have been violated, they may file a complaint with the Attorney General or the CPPA.
GDPR vs. CCPA: a summary
The EU’s General Data Protection Regulation (GDPR) and the CCPA/CPRA are landmark regulations when it comes to protecting data privacy.
The GDPR is considered one of the most stringent data protection regulations worldwide, and has influenced many other regulations, such as Brazil’s General Data Protection Law (LGPD) and the CCPA.
The CCPA was the first state-level consumer privacy law passed in the US and has many unique provisions, such as dual enforcement and private right of action.
We look at the two regulations side by side to examine some of the similarities and differences.
| | CCPA | GDPR |
|---|---|---|
| Scope and applicability | Applies to for-profit businesses that collect personal information from California residents and either: – have annual gross revenues exceeding USD 25 million for the previous calendar year; – receive, buy, or sell personal information of 100,000 or more consumers or households; – earn more than half of their annual revenue from the sale of consumers’ personal information. It applies to any business that meets these conditions, regardless of where the business is located (extraterritoriality). | Applies to any entity that processes the personal data of individuals located in the EU/EEA and either: – offers them goods and services; – monitors their behavior. Like the CCPA, it applies regardless of where the business is located (extraterritoriality). The GDPR applies to non-profit organizations and government agencies as well as for-profit businesses. |
| What it protects | Personal information of California residents, known as consumers, even if they are temporarily outside the state. Personal information includes that which can be linked to a consumer or a household. | Personal data of individuals located in the EU territory, known as data subjects. Applies to individuals only and does not extend to households. |
| Consent | Operates on an opt-out consent model and doesn’t require prior consent to collect and process data in most cases. Consumers can opt out of the use of their data in specific cases. | Operates on an opt-in consent model, meaning that organizations cannot collect or process data unless the user gives their explicit consent. |
| Legal bases | There are no specific legal bases for collecting personal information. | Personal data can only be collected if there is a legal basis: – consent; – to perform a contract; – legal obligation; – to protect vital interests; – in the public interest; – legitimate interest. |
| Enforcement authority | California Attorney General and California Privacy Protection Agency (CPPA). | Data Protection Authorities (DPA) of the EU Member States. |
| Private right of action | Consumers can directly sue businesses only in the event of a data breach caused by a failure to take security measures, in specific circumstances. | Data subjects can lodge complaints with the DPA in their state and receive compensation if they have suffered material or non-material damage. |
| Civil penalties | Up to USD 2,500 per non-intentional violation and USD 7,500 per intentional violation, and statutory damages for data breach. | Up to 2 percent of annual turnover or EUR 10 million, whichever is higher, for certain violations. Up to 4 percent of annual turnover or EUR 20 million, whichever is higher, for more serious violations. |
What does the CCPA/CPRA mean for companies’ websites?
If a business meets one of the CCPA/CPRA thresholds and has an online property, it must take several steps to meet CCPA/CPRA obligations.
- The website must present visitors with a notice at collection that lists the categories and purposes of the personal data collected, whether personal information is sold or shared, and how long the business will retain the personal information.
- The website must include a privacy policy that informs consumers of their privacy rights and how to exercise them, as well as the business’s privacy practices in more detail.
- If the business sells or shares personal data, it must present a link titled “Do Not Sell Or Share My Personal Information” to enable users to opt out of the sale of their personal data. It must also present a link titled “Limit The Use Of My Sensitive Personal Information” to enable users to opt out of the use of their sensitive personal information.
- For personal information of minors, businesses must obtain explicit consent from the consumer (between 13 and 16 years) or their parent or guardian (when the minor is below 13 years) before their personal information can be shared or sold.
Businesses can use a consent management platform (CMP) like Usercentrics CMP to achieve CCPA compliance.
A CMP enables websites to display cookie consent banners with straightforward links or buttons that enable users to opt out of data processing. It can also handle cookies and other tracking technologies, blocking their use when a consumer exercises their right to opt out.
CMPs also help websites provide clear information to users about the types of data being collected, the purposes for collection, and the third parties that may receive this data, in accordance with the CCPA/CPRA and other data privacy laws.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
The Utah Consumer Privacy Act (UCPA) came into effect on December 31, 2023, and is one of the increasing number of statewide laws in the US that aim to protect the rights of consumers whose data is processed by businesses.
When it was passed, the UCPA was the fourth piece of legislation of its kind in the US. Lawmakers were able to draw on earlier regulations, like the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (VCDPA), which were both based on the first and most stringent US privacy law: the California Consumer Privacy Act (CCPA).
With this foundation, the UCPA strikes a finer balance between consumer rights and business responsibilities. Overall, the narrower scope of its definitions and compliance requirements means that it can be seen as “lighter” and more business-friendly than the majority of other state-level data privacy laws in place.
What is the Utah Consumer Privacy Act?
The UCPA gives consumers in Utah a degree of control over how businesses are able to collect and use their data. Under the UCPA, individuals have the right to know if a business is processing their personal data, to access and have that data deleted, and to opt out from their data being sold.
Unlike other similar data privacy laws, the UCPA doesn’t place limits on the data that businesses can gather and what they can do with it. The responsibility for minimizing the collection and processing of data rests with the consumer.
UCPA summary
The UCPA protects the privacy rights of Utah residents and establishes data privacy responsibilities for companies that operate in the state and process the data of the nearly 4 million individuals who live there.
It requires businesses that collect data to protect the confidentiality and integrity of that data to reduce the risk of harm associated with processing it. Organizations must also provide consumers with clear and accessible privacy notices and inform them about how they can opt out of the sale of their data.
Like other US state laws, the UCPA uses an opt-out model for user consent, rather than the opt-in model in place for regulations such as the General Data Protection Regulation (GDPR).
This means that consumers’ personal data can be collected, sold, or used for targeted advertising without first obtaining their explicit and informed consent. The only exception here relates to children’s data. In that case, consent must be obtained from a parent or legal guardian.
Unlike most US data privacy laws, the UCPA does not require prior consent for the processing of data categorized as sensitive. Companies just need to notify consumers about collection and use and provide an opt-out option.
The sale of data is one of the key focuses for the UCPA. The Act defines any “exchange of personal data for monetary consideration by a controller to a third party” as a sale.
This definition doesn’t include non-monetary exchanges, which means that it doesn’t apply to data sharing among businesses, differentiating it from the CCPA and California Privacy Rights Act (CPRA).
However, consumers do have the right — and must be provided with the option — to opt out of the sale of their data or its use for targeted advertising. If a consumer exercises this right, their data can no longer be used.
Updates to the UCPA
On March 13, 2024, Utah became the first state to enact an AI-focused consumer protection law. The Utah Artificial Intelligence Policy Act (UAIP), which came into effect on May 1, 2024, modifies the UCPA and places certain duties on businesses using generative AI in the course of their business.
The act focuses mainly on businesses operating in regulated industries, i.e. those where a person requires a license or state certificate to work. These businesses must disclose to customers that they are interacting with generative AI or materials that are created by generative AI.
It also requires businesses in non-regulated sectors to disclose the use of this technology if asked or prompted by a customer. However, it’s not clear what mechanisms an organization must put in place to field these requests or how the disclosure should take place.
The UAIP has also created an Office of Artificial Intelligence Policy that is tasked with setting up an Artificial Intelligence Learning Laboratory Program. The goal is that this AI Lab will support AI-related regulation and development within the state.
Definitions under the Utah Consumer Privacy Act
The UCPA applies to controllers or processors of consumer data. It defines these terms as follows.
Controller under UCPA
Controller means “a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others.” (Section 101.12 UCPA)
Processor under UCPA
Processor means “a person who processes personal data on behalf of a controller.” In relation to controllers and processors, “person” includes natural persons or commercial or noncommercial entities, including third parties, that process data and meet the applicability criteria. (Section 101.26 UCPA)
Consumer under UCPA
Consumer means “an individual who is a resident of the state acting in an individual or household context” who is not “acting in an employment or commercial context.” (Section 101.10 UCPA)
Personal data under UCPA
“Personal data” refers to “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” (Section 101.24 UCPA)
There are specific forms of personal data that can make an individual directly identifiable (e.g. a name or email address), while others may not qualify on their own (e.g. an IP address). However, it’s important to note that non-identifying data may become identifying when it’s aggregated with other kinds of personal data.
Exclusions to the definition of personal data
The UCPA sets out a number of exclusions in relation to personal data. This includes information that:
- is publicly available
- has been deidentified or anonymized
- relates to groups of consumers and has been aggregated to the extent that individuals cannot be identified
Sensitive data under UCPA
Unlike some other data privacy laws, the UCPA does not require businesses to obtain consent for processing sensitive personal data.
However, controllers do have to clearly notify consumers and provide the opportunity for them to opt out of having their sensitive personal data processed before such data is collected and processed. Like non-sensitive data, consumers can also opt out of processing for sensitive data later, at which point processing must cease.
The Act (Section 101.32 UCPA) defines “sensitive data” as personal data that includes or reveals:
- racial or ethnic origin (unless processed by a video communication service or by a licensed healthcare provider)
- religious beliefs
- sexual orientation
- citizenship or immigration status
- medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional
- genetic or biometric data (if the processing is for the purpose of identifying a specific individual)
- geolocation data (if the processing is for the purpose of identifying a specific individual)
Who must comply with the Utah Consumer Privacy Act?
Similar to other data privacy laws, the UCPA has provisions that provide rights to consumers and place obligations on businesses, provided that they meet certain criteria.
UCPA applies to businesses that:
- Operate in Utah, either by conducting business there or by offering a product or service to consumers who reside in the state.
- Meet both the annual revenue and the data processing thresholds: annual revenue of USD 25 million or more, and either
- control or process the personal data of 100,000 or more consumers, or
- derive more than 50 percent of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers
The UCPA differs from some of the other data privacy laws as entities have to meet multiple criteria for it to apply. This narrows its scope. For example, the revenue threshold will exclude smaller SMEs from qualifying. Many of the more recently passed US state-level privacy laws do not include a revenue-centric threshold, though Utah is one of the earlier ones that does.
Unsure if the UCPA applies to your business? Use our UCPA checklist to understand if the Act applies to your business, and what you need to do to be compliant.
Exemptions to Utah Consumer Privacy Act compliance
Organizational exemptions
In addition to organizations that fall below the revenue or processing volume thresholds, the UCPA exempts a number of other entities, including:
- institutions of higher education
- nonprofit organizations
- government organizations and contractors
- Indigenous groups
- air carriers
- organizations covered by the Health Insurance Portability and Accountability Act (HIPAA)
- financial institutions governed by the Gramm-Leach-Bliley Act (GLBA)
Data exemptions
The UCPA does not apply to information that’s already subject to the following regulations:
- Driver’s Privacy Protection Act (DPPA)
- Fair Credit Reporting Act (FCRA)
- Family Educational Rights and Privacy Act (FERPA)
- Farm Credit Act (FCA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
Employment exemptions
Data processed or maintained during the course of an individual’s employment is exempt from the UCPA.
This covers instances when an individual is applying for a job, as well as when they are “acting as an employee, agent, or independent contractor of a controller, processor, or third party,” provided that the data is “collected and used within the context of that role” (Section 102.2(o)(i) UCPA).
Consumer rights under the Utah Consumer Privacy Act
Consumers have four primary rights under the UCPA: access, deletion, portability, and opting out.
- Right to access, including confirming whether a controller is processing their data, and the ability to request and receive that data
- Right to deletion of personal data, if the data subject directly provided the data to the controller
- Right to portability, obtaining a copy of their personal data from the controller, in a format that is:
- portable to a technically reasonable extent
- readily usable to a practical extent
- enables the consumer to transmit the data to another controller reasonably easily, where the processing is carried out by automated means
- Right to opt out of certain processing, specifically for the sale of the personal data or the purposes of targeted advertising
Key differences with other privacy laws
While these rights are similar to those given to consumers under other data privacy laws, both within the US and globally, UCPA does not create other common rights, such as the right to appeal and the right to correct (to request and have omissions or inaccuracies rectified).
In addition to these exclusions, the UCPA does not provide for a private right of action (the ability for an individual consumer to sue a controller for noncompliance or a data breach). To date California is the only state that allows for this. Consumers also cannot use a violation of the UCPA to support a claim under other Utah laws.
What’s more, controllers under the Utah privacy law aren’t required to recognize “universal opt-out signals” as a method for consumers to opt out of data processing. This excludes global privacy control (GPC) measures, where users can set their consent choices once and have them respected across all other sites and properties on which they are active, instead of having to specify their choice at every online property they visit.
What are controllers obliged to do under the Utah Consumer Privacy Act?
Under the UCPA, data controllers must outline exactly how consumers can submit a request and exercise their rights related to their data. They must also respond to any requests within 45 days.
Transparency under the UCPA
Controllers must provide consumers with a privacy notice or policy that is “reasonably accessible and clear.” This notice would typically appear on a business’s website and must include:
- categories of personal data processed by the controller
- categories of personal data the controller shares with third parties
- categories of third parties with whom the controller shares personal data
- a clear explanation of how consumers can exercise their rights, including the right to opt out
- “clear and conspicuous” disclosure if personal data is sold to a third party or used for targeted advertising
A consent management platform (CMP) can make this easier for you. With the right tool, you can stay compliant by generating an accurate, comprehensive, and up to date privacy policy and notify consumers about any data collection that’s taking place.
Consumer requests under the UCPA
Consumer requests must be fulfilled free of charge to the consumer, unless the request is:
- the second or subsequent request within the same 12-month period
- “excessive, repetitive, technically infeasible, or manifestly unfounded” (Section 203.4.(b)(i)(A) UCPA)
- reasonably believed by the controller to have the primary purpose of “something other than exercising a right” (Section 203.4.(b)(i)(B) UCPA)
- intended to harass, disrupt, or impose undue burden on the resources of the controller’s business
Controllers must take action and notify the consumer of their actions within 45 days of receiving a request. If the controller cannot or will not respond to or fulfill the consumer’s request, e.g. if the consumer’s identity cannot be reasonably verified, they must communicate this during that same 45-day period.
The response period can be extended by a further 45 days if reasonably necessary, for example if the request is unusually complex or the controller is handling a high volume of requests.
Where there is an extension, the consumer must be informed within the initial 45 days. The notification must include reasons for and the length of the delay.
Unlike some other laws, the UCPA does not have an appeal process for consumers whose requests are denied.
Data security under the UCPA
Controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices” that have been “designed to protect the confidentiality and integrity of personal data.” (Section 302.2(a) UCPA)
This applies both to the controller and any third party services they use.
Third-party data processing under the UCPA
Controller organizations may use third parties to process data on their behalf, so long as there is a contract in place.
The contract must include data processing instructions, as well as some of the same information that must be outlined in the consumer notification, including:
- the nature and purpose of the processing
- the type of data to be processed
- the duration of processing
- all parties’ rights and obligations, including a duty of confidentiality
- a provision that requires the processor to have a written contract with any subcontractor engaged to process personal data that mirrors the obligations on the processor
Under the UCPA, controllers don’t have to evaluate the risks of their data processing activities via data protection assessments. What’s more, a contract between a controller and processor does not need to stipulate that the processor must comply with any reasonable data privacy audits set in motion by the data controller.
Processing of children’s personal data under the UCPA
The processing of children’s data is the only activity under the UCPA that requires explicit consent. Under the Act, a child is defined as an individual known to be under the age of 13.
Controllers must obtain verifiable parental or guardian’s consent prior to processing and process the data in accordance with the Children’s Online Privacy Protection Act (COPPA).
Nondiscrimination under the UCPA
Controllers may not discriminate against any consumer who exercises their privacy rights. Examples of potential discrimination include:
- denying goods or services
- charging a different price or rate for goods or services
- providing a different level of quality for goods or services
However, a controller is allowed to offer “a different price, rate, level, quality, or selection of a good or service to a consumer” (Section 302.4(b) UCPA) if that customer has opted out of targeted advertising, or if the offer relates to the consumer voluntarily participating in the controller’s loyalty program.
Enforcement of the Utah Consumer Privacy Act
Enforcement authority
The Utah Attorney General has sole enforcement authority over the UCPA. However, the Division of Consumer Protection is responsible for administering consumer complaints and has the authority to investigate alleged violations.
Investigations and cure period
Where authorities find reasonable cause or evidence of a violation, it’s referred to the Attorney General. If the Attorney General pursues the investigation, their office must provide the data controller or data processor with a written notice about the violation.
The UCPA provides the offending party with a 30-day “cure” period. This is a grace period during which the controller is given the opportunity to rectify any violation and provide a statement to the Attorney General about what has been done to resolve the violation and ensure it won’t be repeated. Unlike many US data privacy laws, the UCPA’s cure period does not sunset.
Damages and fines
Where the controller or processor fails to cure the violation, or repeats it after providing a written statement to the contrary, the Attorney General can initiate an enforcement action. The Attorney General may recover actual damages to the consumer and civil penalties of up to USD 7,500 per violation.
Consent management and the Utah Consumer Privacy Act
The UCPA uses an opt-out model to regulate data collection and processing in the state of Utah. As a data controller in Utah, you’re not required to obtain data subjects’ consent before collecting personal data, unless that data belongs to a child.
However, you are required to give consumers a clear notification that their data is being collected, inform them about their rights, and provide them with the means to opt out, either before or at the point of collection and processing.
To achieve and maintain compliance, use a CMP. A robust CMP can automate the process of notifying customers about data processing, tailoring consent messages, and managing their opt-out choices. This makes it easier to achieve and maintain compliance with the UCPA and other US privacy laws like the CCPA/CPRA and VCDPA.
A robust CMP helps your business obtain consent in a transparent manner, enabling you to collect valuable data while building trust with your customers.
Navigating UCPA compliance
While the requirements for UCPA compliance are less demanding than those of similar laws, the potential fines and the damage to brand reputation that can result from noncompliance mean that businesses must still be diligent.
Usercentrics can help you adhere to regulatory requirements of laws like the UCPA with its all-in-one CMP that enables you to produce content for privacy notices in just a few clicks. What’s more, our platform simplifies consumer consent management and helps you personalize the consent experience for your users.
If you have questions or interest in implementing our CMP to help you achieve compliance with privacy laws in the US and around the world, talk to one of our experts.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
Protecting personal data is more critical than ever. As organizations handle vast amounts of information, understanding the distinctions between various data types — such as Personally Identifiable Information (PII), Personal Information (PI), and sensitive data — becomes essential.
These classifications play a significant role in data privacy and security, helping companies determine compliance requirements with global privacy regulations while safeguarding individual privacy.
By differentiating among these types of data, organizations and website owners can implement appropriate security measures and build trust with their customers.
Understanding various data types
Understanding the nuances among different data types is essential for effective data privacy and security management. Distinguishing between Personally Identifiable Information (PII) vs Personal Information (PI) vs sensitive data enables companies to safeguard individuals’ privacy and comply with relevant regulations.
Before we delve into the specifics of each data type, here’s a brief overview of PII vs PI vs sensitive data:
- PII: This includes any information that can identify an individual, like names, Social Security numbers, or email addresses.
- PI: This broader category covers any information related to a person, even if it doesn’t identify them on its own, such as a common name or web browsing activity.
- Sensitive data: This subset of PI requires extra protection due to its potential for harm if exposed, like medical records, sexual orientation, or financial information.
Recognizing these data types is essential for regulatory compliance, as laws like the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) have specific requirements for handling personal data.
Accurate classification supports compliance and enhances risk management by enabling organizations to implement tailored security measures that mitigate the risk of data breaches and data exposures. Moreover, a deep understanding of data types strengthens user trust, as companies that implement smart data collection strategies and prioritize data protection foster stronger, more reliable relationships with their customers.
What you need to know about Personally Identifiable Information (PII)
What is PII?
Personally Identifiable Information (PII) refers to any data that can be used to identify a specific individual. This includes information that can directly identify a person or can be used in combination with other data to identify someone.
This definition is widely used by privacy professionals and aligns with interpretations from organizations like the National Institute of Standards and Technology (NIST) in the United States. We specify this because there is not a single, global definition of Personally Identifiable Information or what types of information it encompasses. As a result, specific definitions of PII can differ across organizations and borders. Different regulations also use different language and have different levels of detail in describing these categories.
What are the different types of PII?
There are two main types of PII:
- Direct identifiers: Information that can immediately identify an individual, such as full name, Social Security number, or passport number.
- Indirect identifiers: Data that, when combined with other information, can lead to the identification of an individual, like date of birth, place of work, or job title.
Additionally, PII can be classified as sensitive or non-sensitive, depending on the potential harm that could result from its disclosure or misuse.
Sensitive PII refers to information that, if disclosed or breached, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. This type of PII requires stricter protection measures due to its potential for misuse. Many data privacy laws specifically address sensitive data and apply additional restrictions and protection requirements to it.
Non-sensitive PII, on the other hand, is information whose disclosure on its own is unlikely to harm the individual; some definitions describe it as data that could be transmitted unencrypted without causing harm. It still requires protection, and encryption in transit remains a sensible baseline, but the security measures need not be as stringent as those for sensitive PII.
Examples of PII
PII encompasses a wide range of data points that can be used to identify an individual. So it’s important to understand specific examples for each category. Doing so enables your company to implement appropriate security measures and make it a consideration of data strategy for marketing and other operations.
Sensitive PII includes information that, if disclosed, could lead to significant harm or privacy violations. Examples of sensitive PII are:
- Social Security number
- driver’s license number
- financial account numbers (e.g., bank account, credit card)
- passport number
- biometric data (fingerprints, retinal scans)
- medical records
- genetic information
On the other hand, non-sensitive PII refers to information that is less likely to cause harm if disclosed but still requires protection. Examples of non-sensitive PII include:
- full name
- email address
- phone number
- physical address
- IP address
- date of birth
- place of birth
- race or ethnicity
- educational records
- employment information
It’s important to note that even non-sensitive PII can pose privacy risks when combined with other data, and that the boundary between the two categories shifts by jurisdiction: race or ethnicity, listed above as non-sensitive in this general taxonomy, is a special category under the GDPR and sensitive data under state laws such as the UCPA discussed earlier. Therefore, it’s recommended that companies aim to protect all types of PII data that they collect and handle.
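To make the categories above concrete, here is an added example (written for this page, not part of the original article and not any vendor's product) that scans constructed log lines for the PII types listed above and labels each hit with the same sensitive / non-sensitive split. The regexes, the Luhn filter that keeps 16-digit order ids from being reported as card numbers, the masking rule, and the "review" level for lines that combine two non-sensitive identifiers are all this example's own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log lines (not real data). 4111 1111 1111 1111 is the
# well-known test card number; the 16-digit order id on the last line fails
# the Luhn check and must not be reported as a card number.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z INFO signup user=jane.doe@example.com ip=203.0.113.45
2024-05-01T10:00:05Z INFO kyc ssn=123-45-6789 dob=1990-02-14
2024-05-01T10:00:09Z WARN payment card=4111 1111 1111 1111 status=declined
2024-05-01T10:00:12Z INFO support callback phone=+1 555 867 5309
2024-05-01T10:00:15Z INFO order id=4111111111111112 total=19.99
"""

# Patterns assumed for this example (tighten them for your own formats); the
# level follows the sensitive / non-sensitive split used in the lists above.
PATTERNS: dict[str, tuple[re.Pattern, str]] = {
    "ssn":   (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "sensitive"),
    "card":  (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), "sensitive"),
    "email": (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "non-sensitive"),
    "ipv4":  (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "non-sensitive"),
    "phone": (re.compile(r"(?<!\d)\+?\d{1,3}[ -]\d{3}[ -]\d{3}[ -]\d{4}\b"), "non-sensitive"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most 13-19 digit numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    level: str
    redacted: str  # masked value, so the finding itself does not re-expose the PII


def redact(value: str) -> str:
    """Keep only the last four characters, enough to triage without re-exposing the value."""
    return "*" * (len(value) - 4) + value[-4:] if len(value) > 4 else "****"


def scan(text: str) -> list[Finding]:
    """Run every pattern over every line and collect classified, masked findings."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, (pattern, level) in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if kind == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                    continue  # long digit run that is not a card number (e.g. an order id)
                findings.append(Finding(line_no, kind, level, redact(value)))
    return findings


def line_levels(findings: list[Finding]) -> dict[int, str]:
    """Per-line level: 'sensitive' if any sensitive hit; 'review' when two or more
    distinct non-sensitive identifiers co-occur (the combination risk noted above);
    otherwise 'non-sensitive'. Lines with no findings are omitted."""
    by_line: dict[int, list[Finding]] = {}
    for f in findings:
        by_line.setdefault(f.line_no, []).append(f)
    levels: dict[int, str] = {}
    for line_no, hits in by_line.items():
        if any(h.level == "sensitive" for h in hits):
            levels[line_no] = "sensitive"
        elif len({h.kind for h in hits}) >= 2:
            levels[line_no] = "review"
        else:
            levels[line_no] = "non-sensitive"
    return levels


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.kind:<5} {f.level:<13} {f.redacted}")
    print(line_levels(results))
```

Line 1 carries only non-sensitive identifiers (an email address and an IP address), yet the pair is enough to tie browsing activity to a person, which is why the example escalates it to "review" rather than treating it as harmless.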
PII under GDPR
While the term “Personally Identifiable Information” is not explicitly used in the GDPR, the regulation encompasses this concept within its broader definition of “personal data.”
However, there are some key differences in how PII is treated under the GDPR compared to other data privacy laws:
- Expanded scope: The GDPR takes a more expansive view of what constitutes identifiable information. It includes data that might not traditionally be considered PII in other contexts, such as IP addresses, cookie identifiers, and device IDs.
- Context-dependent approach: Under the GDPR, whether information is classified as personal data (and thus protected) depends on the context and the potential to identify an individual, rather than fitting into specific predefined categories of PII.
- Pseudonymized data: The GDPR defines pseudonymization as processing personal data so that it can no longer be attributed to a specific individual without additional information that is kept separately and protected. Pseudonymized data is still personal data under the GDPR, but the regulation treats pseudonymization as a safeguard that can ease some obligations.
- Data minimization principle: The GDPR emphasizes the importance of data minimization, which aligns with but goes beyond traditional PII protection practices. Organizations are required to collect and process only the personal data that is necessary for the specific purpose they have declared.
- Risk-based approach: The GDPR requires companies to evaluate the risk of processing personal data, including what is traditionally considered PII. This assessment determines the necessary security measures and safeguards.
The key takeaway brands should understand is that the GDPR offers a detailed framework for protecting personal data, covering more types of identifiable information than traditional PII definitions. Companies need to understand these distinctions to achieve compliance and protect individuals’ privacy.
PII compliance best practices
To effectively protect PII data and enable compliance with relevant regulations, organizations can implement best practices tailored to their specific data handling processes. Doing so not only helps mitigate risks associated with data breaches but also fosters trust among customers and stakeholders.
Here are some key best practices for PII compliance:
- Conduct regular data audits to identify and classify PII.
- Use encryption and access controls to protect sensitive information.
- Develop and enforce clear policies for how PII is collected, processed, and stored.
- Train employees regularly on data protection and privacy best practices.
- Apply data minimization techniques to collect only necessary information.
- Implement secure methods for disposing of PII when it is no longer needed.
- Keep privacy policies updated and obtain user consent for data collection and processing.
- Perform periodic risk assessments and vulnerability scans to identify and address security weaknesses.
- Have an incident response plan ready to manage potential data breaches effectively.
PII violation and its consequences
Violations of PII protection can have serious consequences for both individuals and organizations. For individuals, this can lead to identity theft, financial fraud, and reputational damage, causing emotional and financial stress.
For organizations, the risks are significant. Non-compliance can result in hefty legal penalties, such as fines of up to EUR 20 million or 4 percent of global annual turnover, whichever is higher, under the GDPR. Companies may also face reputational damage, loss of customer trust, and reduced revenue. You could also experience operational disruptions and increased costs from addressing data breaches, including legal fees, reporting obligations to data protection authorities, and the need to implement stronger security measures.
What you need to know about PI (personal information)
What is personal data?
Personal data is any information that can identify an individual. It encompasses a broader range of data points than PII. It also includes both direct identifiers (like names and Social Security numbers) and indirect identifiers (like location data and online IDs) that can identify someone when combined with other information.
In short, all PII is personal data, but not all personal data is considered PII.
Personal data is a key concept in data protection laws, including the GDPR and the California Consumer Privacy Act (CCPA).
Personal information examples
Personal information can include a variety of data types, both objective and subjective:
Objective data types are factual, measurable, and verifiable. This includes:
- full name
- date of birth
- Social Security number
- phone number
- email address
- IP address
- financial information (e.g., bank account numbers, credit card details)
- biometric data (e.g., fingerprints, facial recognition data)
Subjective data types are based on personal opinions, interpretations, or evaluations. This involves:
- Performance reviews
- Customer feedback
- Personal preferences
- Medical symptoms described by a patient
- Personality assessments
Both objective and subjective data can be considered personal information if they can be linked to an identifiable individual.
It’s important to note that whether publicly available information counts as personal data depends on the jurisdiction. Under the CCPA, publicly available information is generally excluded from the definition of personal information, whereas under the GDPR it can still be personal data.
Personal data under the GDPR
The GDPR defines personal data in Article 4(1) as, “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This definition encompasses a broad scope and includes both direct identifiers (like names) and indirect identifiers (like location data). Given this definition, here are the key features of personal data as defined under the GDPR:
- Direct and indirect identifiers: Both are considered personal data, emphasizing the need to understand the context of information to identify individuals.
- Data collection context: The specifics of how and why data is collected and processed determine if it qualifies as personal data.
- Pseudonymized data: Even if data is pseudonymized, it is still classified as personal data if it can be re-identified. In contrast, anonymized data, where the possibility of re-identification has been eliminated, falls outside the scope of the GDPR.
- Applicability: The GDPR covers both automated and manual processing of personal data.
- Special categories: The regulation also defines special categories of personal data, such as racial or ethnic origin, political opinions, religious beliefs, and health information, which are subject to stricter rules.
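The pseudonymized and anonymized cases above, and the UCPA exclusion earlier on this page for data that has been deidentified or aggregated so that individuals cannot be identified, are easiest to see side by side in code. The following is an added example written for this page (not the original article's code and not any product's implementation): direct identifiers are replaced with keyed HMAC-SHA256 tokens, which remain personal data because the key holder can re-link them, while the aggregation step suppresses any group smaller than k so that a row never describes an identifiable individual. The key, the records and the threshold k are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
from collections import Counter

# Assumption: a secret held outside the dataset (for example in a KMS). It is the
# "additional information kept separately" that makes the tokens pseudonymous
# rather than anonymous: whoever holds it can re-link, nobody else can.
SECRET_KEY = b"example-only-key-do-not-reuse"

# Constructed records (not real people) for the example.
RECORDS = [
    {"email": "ann@example.com", "postcode": "8000", "condition": "asthma"},
    {"email": "bob@example.com", "postcode": "8000", "condition": "asthma"},
    {"email": "cy@example.com",  "postcode": "8000", "condition": "asthma"},
    {"email": "dee@example.com", "postcode": "8000", "condition": "diabetes"},
    {"email": "eli@example.com", "postcode": "8001", "condition": "asthma"},
    {"email": "fay@example.com", "postcode": "8001", "condition": "asthma"},
    {"email": "gus@example.com", "postcode": "8001", "condition": "asthma"},
]


def pseudonymize(identifier: str, key: bytes = SECRET_KEY) -> str:
    """Keyed token for a direct identifier.

    HMAC rather than a bare hash: a plain SHA-256 of an email address is reversed
    trivially by hashing a list of candidate addresses, so it would not be
    "additional information kept separately". The same input always yields the
    same token, so records can still be joined on it; the output is still
    personal data.
    """
    canonical = identifier.strip().lower().encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymize_records(records: list[dict], key: bytes = SECRET_KEY) -> list[dict]:
    """Replace the direct identifier and leave the other attributes untouched."""
    return [{**r, "email": pseudonymize(r["email"], key)} for r in records]


def relink(token: str, candidates: list[str], key: bytes = SECRET_KEY) -> str | None:
    """Re-identification is possible only for whoever holds the key: recompute the
    token for each known identifier and compare in constant time."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymize(candidate, key), token):
            return candidate
    return None


def aggregate(records: list[dict], keys: tuple[str, ...], k: int = 3) -> dict[tuple, int]:
    """Counts per group, dropping every group with fewer than k members.

    A cell of size one ("the only diabetes case in postcode 8000") describes an
    individual even without a name. Suppressing small cells is what turns these
    records into aggregated data that no longer identifies anyone. k is an
    assumed threshold for the example, not a statutory number.
    """
    counts = Counter(tuple(r[key] for key in keys) for r in records)
    return {group: n for group, n in counts.items() if n >= k}


if __name__ == "__main__":
    print(pseudonymize_records(RECORDS)[0])
    print(aggregate(RECORDS, ("postcode", "condition")))
```

Note what each step does and does not achieve: the pseudonymized table can still be joined back to names by anyone who obtains the key, so it must be protected as personal data; the aggregated table cannot be re-linked, but only because the single diabetes record in postcode 8000 was suppressed rather than published with a count of one.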
PI compliance and best practices
To achieve and maintain compliance with data protection regulations and safeguard people’s personal information, companies can adopt the following best practices.
- Conduct regular data audits: Identify and classify all personal information within your company.
- Implement data minimization: Collect and retain only the personal data necessary for specific and legitimate purposes. Regularly delete unnecessary data.
- Manage consent and preferences: Use a consent management platform (CMP) to clearly explain how you’ll use personal information. Provide easy-to-use opt-in and opt-out options, allowing people to control their data preferences. A CMP can help automate this process, making it easier to comply with regulations and manage user choices across your digital properties.
- Check partners’ data collection: Make sure any third parties you work with protect personal information properly. Be transparent about your data-selling practices, and confirm that all partners have strong safeguards, as you could still be held responsible for how they handle data on your behalf.
- Train your team: Regularly educate all employees about the importance of protecting personal information and how to do it.
- Handle requests efficiently: Set up a system to quickly respond when people ask to see, change, or delete their personal information, depending on their particular rights.
- Assign responsibility: If required by law or as a best practice, designate a Data Protection Officer to oversee data protection compliance.
By implementing these best practices, companies can better protect personal information, build trust with their customers, and reduce the risk of data breaches and penalties.
What you need to know about sensitive information
What is sensitive data?
Sensitive data is confidential information that requires protection from unauthorized access or disclosure. If this data is compromised, it could lead to harm, discrimination, or negative consequences for the affected individual or organization. Sensitive information includes a broad range of information, such as certain kinds of PII, and also financial records, health data, and proprietary business details.
Examples of sensitive information
Sensitive information comes in various forms, and understanding these categories is essential for effective data protection. Common examples of sensitive personal data include:
- Personal data: Full names, home addresses, phone numbers, Social Security numbers, driver’s license numbers
- Financial information: Bank account numbers, credit card details, payment information
- Health data: Medical records, health insurance information, protected health information (PHI)
- Employee data: Payroll information, performance reviews, background checks
- Intellectual property: Trade secrets, proprietary code, product specifications
- Access credentials: Usernames, passwords, PINs, biometric data
- Industry-specific data: Retail sales figures, legal case information, research data
- Identity data: Political affiliation, religious beliefs, sexual orientation, gender identity
How GDPR treats sensitive data
Under the GDPR, sensitive personal data, known in the regulation as special categories of personal data (Article 9), includes information revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed to uniquely identify someone, health data, and data concerning sex life or sexual orientation.
Processing this type of data is prohibited unless one of the conditions listed in the regulation applies. The most common one is explicit consent from the individual; others include processing that is necessary for employment law obligations, legal claims, substantial public interest, healthcare, or research.
How to safeguard sensitive data
Organizations must take extra precautions to protect sensitive data. So to safeguard sensitive information, here are some recommendations for companies.
- Implement data classification: Categorize data based on sensitivity levels to minimize processing and apply appropriate security measures.
- Limit access: Restrict access to sensitive data on a need-to-know basis and implement strong authentication methods.
- Use encryption: Encrypt sensitive data both at rest and in transit to prevent unauthorized access.
- Conduct regular audits: Perform security assessments to identify vulnerabilities, identify processes or data that are no longer needed, and maintain compliance with data protection regulations.
- Train employees: Educate staff on an ongoing basis about data security best practices and the importance of protecting sensitive information.
- Implement security technologies: Utilize firewalls, intrusion detection systems, and data loss prevention tools to safeguard sensitive data.
- Develop incident response plans: Create and maintain policies and procedures for responding to data breaches or unauthorized access attempts and communicating with authorities and affected data subjects.
By following these practices, companies can significantly reduce the risk of sensitive data exposure and maintain compliance with relevant data protection regulations.
PII vs. PI vs. sensitive data comparison
Know your data types to better comply with global privacy laws
Safeguarding personal data — whether it falls under PII, PI, or sensitive data — is a fundamental responsibility of any organization. Each data type requires specific protection strategies, from encryption to strict access controls, to prevent unauthorized access and potential breaches.
Understanding the nuances between these data categories not only ensures compliance with global privacy laws but also fortifies the trust between your company and your customers. As the regulatory landscape continues to evolve, maintaining a proactive approach to data protection will be key to securing both sensitive information and organizational reputation.
Minnesota became the nineteenth state in the United States to pass a consumer privacy bill with the Minnesota Consumer Data Privacy Act (MCDPA) when Governor Tim Walz signed it into law on May 24, 2024. The law goes into effect on July 31, 2025, with the compliance deadline extended to July 31, 2029 for postsecondary institutions regulated by the Minnesota Office of Higher Education.
We look at how the MCDPA protects consumers’ information, and the broader implications for organizations under its jurisdiction.
What is the Minnesota Consumer Data Privacy Act (MCDPA)?
The Minnesota Consumer Data Privacy Act (MCDPA) is a regulation designed to protect the privacy and personal data of Minnesota’s residents by regulating how data is collected, processed, and used. The state-level law imposes specific obligations on businesses that either operate in Minnesota or offer products and services to its residents, known as “consumers” under the law, and process their personal data.
Under the MCDPA, a consumer is “a natural person who is a Minnesota resident acting only in an individual or household context.” The law explicitly excludes any natural person acting in a commercial or employment context.
Like most other US states with similar laws, Minnesota follows an opt-out consent model. Businesses must clearly inform consumers about:
- what personal data they collect
- the purpose(s) for collecting this data
- any third parties with whom the data may be shared
- how consumers can opt out of the collection and processing of their personal data for specific purposes.
Who must comply with the Minnesota Consumer Data Privacy Act?
The Minnesota privacy law applies to businesses that operate in the state and produce products or services targeted at Minnesota residents, and during a calendar year:
- control or process the personal data of at least 100,000 consumers, except if the personal data is controlled or processed only for the purposes of completing a payment transaction, or
- control or process the personal data of at least 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data
The MCDPA applies to any business that fulfills these conditions, regardless of where the business is located.
Minnesota data privacy law sets itself apart from some other state laws such as the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), as it does not require businesses to comply based on annual revenue alone.
Exemptions to Minnesota Consumer Data Privacy Act compliance
The Minnesota data privacy law exempts certain entities from complying, including:
- government entities
- federally recognized Indian tribes
- covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA)
- state or federally chartered banks or credit unions, or their affiliates or subsidiaries primarily engaged in financial activities
- insurance companies, insurance producers, third-party administrators of self-insurance, or their affiliates or subsidiaries primarily engaged in financial activities
- small businesses as defined under the U.S. Small Business Act, unless they sell consumers’ sensitive data without obtaining prior consent
- air carriers subject to the Airline Deregulation Act where the personal data collected relates to prices, routes, or services
- nonprofit organizations established to detect and prevent insurance fraud
Data that is exempt from the law includes:
- protected healthcare-related information, research data, and employment-related data
- data collected or maintained as emergency contact information for a natural person if used for emergency contact purposes only
- data created for or collected under several federal laws, including, among others:
- Gramm-Leach-Bliley Act (GLBA)
- HIPAA
- Health Care Quality Improvement Act
- Family Educational Rights and Privacy Act (FERPA)
- Farm Credit Act (FCA)
- Minnesota Insurance Fair Information Reporting Act
- Driver’s Privacy Protection Act
- Fair Credit Reporting Act (FCRA)
Definitions under the Minnesota Consumer Data Privacy Act
The Minnesota privacy law defines key terms that explain the types of data it covers and the data processing activities involved.
Personal data under the MCDPA
The Minnesota privacy law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The definition specifically excludes de-identified data or publicly available information.
Common types of personal data that businesses collect include name, phone number, email address, Social Security number, or driver’s license number.
Sensitive data under the MCDPA
Sensitive data is personal data that could harm consumers if abused. Under the MCDPA, it includes:
- racial or ethnic origin
- religious beliefs
- mental or physical health diagnosis
- sexual orientation
- citizenship or immigration status
- genetic or biometric data processed for the purpose of uniquely identifying an individual
- personal data collected from a known child (under 13 years of age)
- precise geolocation data that can accurately identify an individual’s specific location within an accuracy of more than three decimal degrees of latitude and longitude or the equivalent in an alternative geographic coordinate system, or a street address derived from the coordinates
Controller under the MCDPA
Controller under Minnesota’s privacy law is “a natural or legal person who, alone or jointly with others, determines the purpose and means of processing personal data.”
A controller, also known as a “data controller” under some laws, is responsible for protecting personal data under the law.
Processor under the MCDPA
A processor under the law is “a natural or legal person who processes personal data on behalf of a controller.”
Sale of personal data under the MCDPA
Sale of personal data means “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”
The MCDPA’s definition specifically excludes the following:
- disclosure of personal data to a processor that processes the personal data on the controller’s behalf
- disclosure of personal data to a third party for the purposes of providing a product or service the consumer has requested
- disclosure or transfer of personal data to the controller’s affiliate
- disclosure of information that the consumer has intentionally made available to the public through a mass media channel not restricted to a specific audience
- disclosure or transfer of personal data to a third party as an asset that is part of a proposed or completed merger, acquisition, bankruptcy, or other transaction
- exchange of personal data between the producer of goods or services and its authorized agents who sell these goods and services, to enable both parties to provide the goods and services
Targeted advertising under the MCDPA
The MCDPA defines targeted advertising as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from the consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.”
Targeted advertising under the MCDPA does not include:
- ads based on activities within a controller’s own websites or online apps
- ads based on the context of a consumer’s current search query, visit to the website, or online app
- ads directed to a consumer in response to the consumer’s request for information or feedback
- processing of personal data solely for measuring or reporting ad performance, reach, or frequency
Consent under the MCDPA
The Minnesota privacy law defines consent as “any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer signifies agreement to the processing of personal data relating to the consumer.”
Excluded from the definition are:
- acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information
- hovering over, muting, pausing, or closing a given piece of content
- consent obtained through the use of dark patterns
Consumer rights under the Minnesota Consumer Data Privacy Act
Consumers have several rights under the MCDPA that enable them to protect their personal data and control how it’s used, in particular:
- Right to access: consumers can confirm if the controller is processing their personal data and can access this data, with some exceptions
- Right to correction: consumers have the right to have any inaccurate personal data about them corrected, taking into account the nature of the personal data and purposes of processing
- Right to deletion: consumers can request the deletion of their personal data, with exceptions
- Right to data portability: where the processing is carried out by automated means, consumers can obtain a copy of their personal data that they previously provided to the controller, in a portable and readily usable format, with some exceptions
- Right to information: consumers can obtain a list of specific third parties to whom the controller has disclosed their, or any consumer’s, personal data
- Right to opt out: consumers can opt out of the processing of their personal data for the purposes of its sale or use for targeted advertising or profiling
Consumers have the following additional rights if their data is used for profiling that affects legal decisions about them:
- to question the outcome of the profiling
- to know why the profiling led to that outcome
- if possible, to learn what actions they could have taken to achieve a different outcome and what they can do in the future to achieve such an outcome
- to review the personal data used in the profiling, and, if the decision was based on incorrect data, to correct this data and request a reevaluation of the profiling decision with the corrected data
There is no private right of action that gives consumers the right to directly sue a controller for violations of the Minnesota privacy law.
Controllers’ obligations under the Minnesota Consumer Data Privacy Act
Under the Minnesota data privacy law, controllers are required to meet specific obligations to protect consumers’ personal data.
Consumer rights requests under the MCDPA
Controllers must provide one or more secure and reliable methods for consumers to exercise their rights. While consumers can be asked to log in to an existing account for identity verification, requiring them to create a new account is not permitted under the law.
Controllers have 45 days to respond to consumer requests, with the option to extend this period by another 45 days if reasonably necessary. If an extension is required, the controller must inform the consumer before the initial 45-day period expires.
If the controller is unable to reasonably verify the consumer’s identity, they may request additional verification or decline the request. In cases where a request is declined, the controller must notify the consumer within 45 days of receiving the request, providing the reason for the denial and information on how to appeal the decision.
Controllers must respond to appeals within 45 days, and they may extend this period by an additional 60 days if reasonably necessary. If an appeal is denied, the controller must provide a written explanation with reasons for denial and inform the consumer how to submit a complaint to the Attorney General.
Controllers are required to maintain records of all appeals and their responses for a minimum of 24 months, and they must provide the Attorney General with copies of the records if requested.
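The response, extension, appeal and record-retention periods described in the preceding paragraphs are easy to get wrong when they are tracked by hand. The following is an added example of the bookkeeping a controller's request-handling system could implement; it is not Usercentrics code or the statute's own text. Request identifiers and dates are constructed, and the rule that an extension notice must go out before the current deadline (applied here to appeals as well as to initial requests) and the counting in calendar days are assumptions made for the illustration.

```python
"""Deadline bookkeeping for MCDPA consumer rights requests and appeals.

Added example (not Usercentrics code). Periods come from the text above:
45 days to respond, one 45-day extension, 45 days for appeals with a
60-day extension, and 24 months of appeal record retention. Calendar-day
counting and the "notice before the deadline" rule for appeals are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

RESPONSE_DAYS = 45
RESPONSE_EXTENSION_DAYS = 45
APPEAL_DAYS = 45
APPEAL_EXTENSION_DAYS = 60
RETENTION_YEARS = 2  # 24 months


@dataclass
class RequestTimeline:
    """Tracks one consumer request from receipt through any appeal."""
    request_id: str              # constructed identifier, e.g. "req-1"
    received: date
    response_due: date = field(init=False)
    response_extended: bool = False
    appeal_received: Optional[date] = None
    appeal_due: Optional[date] = None
    appeal_extended: bool = False

    def __post_init__(self) -> None:
        self.response_due = self.received + timedelta(days=RESPONSE_DAYS)

    def extend_response(self, notice_sent: date) -> date:
        """Apply the single 45-day extension; the consumer must be told first."""
        if self.response_extended:
            raise ValueError("only one response extension is available")
        if notice_sent >= self.response_due:
            raise ValueError(
                f"extension notice on {notice_sent} is not before the "
                f"initial deadline {self.response_due}"
            )
        self.response_due += timedelta(days=RESPONSE_EXTENSION_DAYS)
        self.response_extended = True
        return self.response_due

    def open_appeal(self, appeal_received: date) -> date:
        """A denied request may be appealed; the appeal clock is 45 days."""
        self.appeal_received = appeal_received
        self.appeal_due = appeal_received + timedelta(days=APPEAL_DAYS)
        self.appeal_extended = False
        return self.appeal_due

    def extend_appeal(self, notice_sent: date) -> date:
        """Apply the single 60-day appeal extension (notice-first rule assumed)."""
        if self.appeal_due is None:
            raise ValueError("no appeal is open")
        if self.appeal_extended:
            raise ValueError("only one appeal extension is available")
        if notice_sent >= self.appeal_due:
            raise ValueError("appeal extension notice must precede the deadline")
        self.appeal_due += timedelta(days=APPEAL_EXTENSION_DAYS)
        self.appeal_extended = True
        return self.appeal_due

    def is_overdue(self, today: date) -> bool:
        """Whichever clock is currently running decides overdue status."""
        due = self.appeal_due if self.appeal_due is not None else self.response_due
        return today > due


def retention_until(responded: date) -> date:
    """Earliest date an appeal record may be discarded: 24 months after the response."""
    try:
        return responded.replace(year=responded.year + RETENTION_YEARS)
    except ValueError:  # response dated 29 February with no leap day two years on
        return responded.replace(year=responded.year + RETENTION_YEARS, day=28)


if __name__ == "__main__":
    t = RequestTimeline("req-1", date(2025, 8, 1))
    print("initial due:", t.response_due)                      # 2025-09-15
    print("extended due:", t.extend_response(date(2025, 9, 10)))  # 2025-10-30
    print("appeal due:", t.open_appeal(date(2025, 11, 1)))     # 2025-12-16
    print("keep records until:", retention_until(date(2025, 12, 1)))
```

The `is_overdue` check is what a dashboard or alerting job would poll daily; raising on a late extension notice makes the "inform the consumer before the initial period expires" rule a hard stop rather than a note in a runbook.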
Privacy notices under the MCDPA
Under the Minnesota data privacy law, controllers must publish a clear, accessible, and comprehensive privacy notice that includes the following information:
- categories of personal data processed
- purposes for processing personal data
- what rights consumers have under the law
- how consumers may exercise their rights
- how consumers may appeal the controller’s decision regarding a request
- categories of personal data sold to or shared with third parties, if any
- categories of third parties to whom the controller sells or shares personal data, if any
- contact information for the controller
- a description of the controller’s retention policies for personal data
- date of the last update to the privacy notice
Controllers that sell consumers’ personal data to third parties, or process personal data for targeted advertising purposes or profiling, must disclose this in the privacy notice. They must also provide consumers with a prominent method to opt out of the sale, processing, or profiling for these purposes. A link provided for these purposes must use the words “Your Opt-Out Rights” or “Your Privacy Rights”.
Typically, the privacy notice or privacy policy is posted in a highly visible location on the controller’s website, such as the footer, ensuring it’s easy to locate. The MCDPA mandates that controllers use the word “privacy” in the link to the privacy notice on a website, mobile app’s app store page, or download page.
The MCDPA also requires controllers who maintain apps — whether they’re mobile, tablet, web, or smart device apps — to include a link to the privacy notice in the settings menu of the app.
If a controller doesn’t maintain a website, they must make the privacy notice accessible to consumers through the regular means of communication with them, which may include postal mail.
Purpose limitation under the MCDPA
The law requires controllers to disclose the specific purposes for which they are collecting personal data and to restrict their data collection to what is “adequate, relevant, and reasonably necessary” for these identified purposes. Controllers cannot retain personal data if it is no longer needed for the original purposes of collection and processing, unless the law requires or permits it in certain circumstances.
Data security under the MCDPA
Controllers have an obligation to protect the confidentiality, integrity, and accessibility of consumers’ personal data. The Minnesota data privacy law requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical security measures for this purpose, which are appropriate to the volume and nature of the personal data being processed.
Notably, Minnesota is the first state to mandate that controllers maintain data inventories to fulfill these requirements.
Compliance policies and data privacy and protection assessments under the MCDPA
Controllers are required to document a description of the policies and procedures adopted to comply with the MCDPA, including:
- name and contact information for the controller’s chief privacy officer, or, if one is not appointed, another individual with responsibility to monitor and achieve the controller’s compliance with the law
- description of the controller’s data privacy policies and procedures that enable controllers to fulfill their obligations under the law
- description of any policies and procedures established to:
- ensure that their systems are designed to comply with the law
- identify and provide personal data to a consumer as required under the law
- comply with the obligation for ensuring data security
- comply with the obligation for purpose limitation
- prevent data that is no longer required from being retained unless required by law
- identify and rectify violations of the law
The MCDPA also requires controllers to conduct and document a data privacy and protection assessment, known as a data protection impact assessment under some laws, when processing personal data:
- for the purposes of targeted advertising
- for sale
- classified as sensitive data under the law, including children’s data
- that presents a heightened risk of harm to consumers
- for profiling that presents a reasonably foreseeable risk of the following on consumers:
- unfair or deceptive treatment, or disparate impact
- financial, physical, or reputational injury
- physical or other intrusion into private affairs
- other substantial injury
Data privacy and protection assessments under the MCDPA must include the description of policies and procedures that the controller has adopted to comply with the law.
The Attorney General can request the controller to disclose a data privacy and protection assessment during its investigations into any alleged violations, and the controller is obligated to make it available.
The law considers data privacy and protection assessments or risk assessments conducted by a controller for compliance with other laws as valid if the assessments share a similar scope and effect.
Consent requirements under the MCDPA
Minnesota has adopted an opt-out model for processing personal data, consistent with the other US state-level privacy laws. This means that controllers can collect and process personal data without obtaining prior consent from consumers in most cases. However, an important exception exists for sensitive personal data, where controllers must obtain explicit consent before processing.
Controllers must clearly inform consumers about their data processing activities and provide options for consumers to opt out of the sale of their personal data and its use for targeted advertising or profiling. Additionally, Minnesota law mandates that controllers provide an effective way for consumers to revoke previously given consent. This revocation mechanism must be as easy to use as the method used to give consent initially. Once consent is revoked, controllers are required to stop processing the relevant data as soon as practicable, and no later than 15 days after receiving the revocation request.
The MCDPA aligns with the Children’s Online Privacy Protection Act (COPPA) concerning children’s personal data, which is standard among US data privacy laws. This requires controllers to obtain consent from a parent or guardian before processing any personal data of children under 13 years old, as all personal data of children in this age group is classified as sensitive data under Minnesota law.
Controllers are prohibited from processing the personal data of consumers known to be between the ages of 13 and 16 for the purposes of targeted advertising or selling their data without obtaining prior consent from the individual.
Nondiscrimination under the MCDPA
The MCDPA explicitly prohibits controllers from discriminating against consumers who exercise their rights under the law. This means businesses cannot deny goods or services, charge different prices or rates for goods or services, or offer varying quality levels or experiences (e.g. website access) to consumers based on their choices to exercise their data privacy rights.
However, controllers may offer incentives, such as discounts or rewards, to consumers who voluntarily participate in activities involving the processing of personal data. These incentives must be reasonable and proportionate to avoid being considered coercive rather than optional and voluntary.
Certain website functions that rely on essential or necessary cookies may not operate effectively if a consumer declines these cookies. Such limitations are not regarded as discriminatory under the law.
Controllers are not obligated to provide a product or service that depends on personal data they do not collect or keep.
The MCDPA specifically prohibits controllers from processing personal data on the basis of certain characteristics, including, among others, race, ethnicity, religion, gender identity, familial status, or disability in a manner that unlawfully discriminates against consumers with respect to the provision of:
- housing, employment, credit, or education
- goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation
Data processing agreement under the MCDPA
The Minnesota privacy law requires controllers to enter into contracts with processors that govern data processing procedures. While the law does not explicitly use the term “data processing agreement,” this contract serves the same purpose as data processing agreements in other data privacy laws, such as the European Union’s General Data Protection Regulation (GDPR) and the Virginia Consumer Data Protection Act (VCDPA).
The contract or data processing agreement must clearly outline:
- instructions for processing data
- nature and purpose of processing
- type of data subject to processing
- duration of processing
- rights and obligations of both parties
- processor’s duty of confidentiality
- conditions under which the processor may engage a subcontractor
Processors must assist controllers in meeting their obligations under the MCDPA, including ensuring security of personal data being processed.
Universal opt-out mechanism under the MCDPA
Similar to data privacy laws in states like California, Nebraska, and Texas, the MCDPA includes provisions for universal opt-out mechanisms, such as the Global Privacy Control (GPC). These mechanisms enable consumers to set their privacy preferences once via browser settings or extensions, and these preferences are then automatically applied to all websites and online services they visit.
Under the MCDPA, controllers must respect universal opt-out signals that express a consumer’s choice to opt out of activities such as targeted advertising or the sale of personal data. Controllers that recognize opt-out preference signals approved by other state laws or regulations will be deemed compliant with this requirement under the MCDPA.
The law requires that the mechanism a controller employs must:
- not unfairly disadvantage another controller
- require consumers to make “an affirmative, freely given, and unambiguous choice” to opt out rather than use a default opt-out setting
- be user-friendly
- be consistent with other similar technologies or mechanisms
- enable the controller to determine whether the consumer is a resident of Minnesota, either through the consumer’s IP address or other means, and has made a legitimate opt-out request
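Global Privacy Control is carried to the server as the HTTP request header `Sec-GPC: 1`, so honoring it is a server-side decision that has to be made on every request. The block below is an added example of that decision logic; it is not Usercentrics code or part of any CMP. Only the header name and value are taken from the GPC specification; the IP-to-state table, the preference store, and the purpose names `sale` and `targeted_advertising` are constructed for the illustration. It implements the Minnesota residency check the list above describes; a controller may of course choose to honor the signal for every visitor instead.

```python
"""Honouring a Global Privacy Control (GPC) signal server-side.

Added example, not Usercentrics or CMP code. Browsers that send GPC include
the request header ``Sec-GPC: 1``. The region lookup, preference store and
purpose names are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Activities the text above says a universal opt-out signal covers.
GPC_OPT_OUT_PURPOSES = frozenset({"sale", "targeted_advertising"})

# Constructed IP -> US state table standing in for a real geolocation service.
CONSTRUCTED_IP_REGIONS: Dict[str, str] = {
    "203.0.113.10": "MN",
    "203.0.113.20": "CA",
}


@dataclass
class ConsumerPrefs:
    """Per-consumer opt-out record kept by the controller (assumed store)."""
    consumer_id: str
    opted_out: Set[str] = field(default_factory=set)
    source: Dict[str, str] = field(default_factory=dict)  # purpose -> how it was set


def has_gpc_signal(headers: Dict[str, str]) -> bool:
    """True only when the request carries ``Sec-GPC`` with the literal value ``1``.

    Header names are case-insensitive. Any other value (``0``, empty, garbage)
    is not an opt-out and must not be treated as one.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def region_for_ip(ip: str) -> Optional[str]:
    """Assumed residency check via IP address; None when the region is unknown."""
    return CONSTRUCTED_IP_REGIONS.get(ip)


def apply_universal_opt_out(headers: Dict[str, str], client_ip: str,
                            prefs: ConsumerPrefs) -> dict:
    """Record the GPC opt-out for a Minnesota consumer and report what was done."""
    if not has_gpc_signal(headers):
        return {"honored": False, "reason": "no GPC signal", "newly_opted_out": []}

    region = region_for_ip(client_ip)
    if region != "MN":
        # The list above requires the mechanism to let the controller determine
        # Minnesota residency; this example honours the signal only when it does.
        return {"honored": False, "reason": f"region {region!r} not in scope",
                "newly_opted_out": []}

    newly = sorted(GPC_OPT_OUT_PURPOSES - prefs.opted_out)
    for purpose in newly:
        prefs.opted_out.add(purpose)
        prefs.source[purpose] = "gpc"   # audit trail: why this opt-out exists
    return {"honored": True, "reason": "GPC honored", "newly_opted_out": newly}


def may_process(prefs: ConsumerPrefs, purpose: str) -> bool:
    """Gate to call from the ad-selection and data-sharing code paths."""
    return purpose not in prefs.opted_out


if __name__ == "__main__":
    p = ConsumerPrefs("c-123")   # constructed consumer id
    print(apply_universal_opt_out({"Sec-GPC": "1"}, "203.0.113.10", p))
    print("targeted ads allowed:", may_process(p, "targeted_advertising"))  # False
    print("profiling allowed:", may_process(p, "profiling"))                # True
```

Two design points matter in practice: the opt-out is recorded with its source so a later audit (or an Attorney General request) can show why processing stopped, and `may_process` is the single gate that every sale or advertising code path consults, so honoring the signal does not depend on each caller remembering to check the header.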
Enforcement of the Minnesota Consumer Data Privacy Act
The Minnesota Attorney General has exclusive authority to enforce the MCDPA. While the law does not grant consumers a private right of action, they can still file complaints about alleged violations or denials of their privacy rights directly with the Attorney General’s office. Before initiating an enforcement action, the Attorney General must issue a written notice to the implicated party, detailing the alleged violations.
The MCDPA includes a 30-day cure period for organizations to address and rectify any alleged violations after receiving the notification. This cure period has a sunset date of January 31, 2026, after which this provision will no longer apply, and any cure period will be at the discretion of the Attorney General’s office.
Fines and penalties under the MCDPA
The Minnesota Attorney General can initiate enforcement actions against controllers or processors if they fail to remedy a violation within the 30-day cure period. An enforcement action might include seeking injunctive relief and/or imposing civil penalties, which can reach up to USD 7,500 per violation, along with recovering reasonable costs related to investigating the violation.
Consent management and the Minnesota Consumer Data Privacy Act
Like consumer privacy laws in other US states, the Minnesota privacy law adopts an opt-out consent model. This means businesses can collect and process personal data without obtaining prior consent, except for sensitive personal data and data belonging to children.
Consumers have the right to opt out of the collection and processing of their personal data for purposes such as sale, targeted advertising, or profiling. Businesses are required to clearly present this opt-out option on their websites, typically within the privacy policy or privacy notice.
Many websites use cookie consent banners that include clear links or buttons that enable users to opt out of data processing. A consent management platform (CMP) like Usercentrics CMP can automate this process by managing cookies and other tracking technologies and blocking their use until the consumer gives consent, or by enabling opt-out, depending on the relevant legal model.
CMPs also enable websites to offer clear information to users regarding the types of data collected, the purposes for collection, and the third parties that might receive this data, in line with the MCDPA and other data privacy regulations.
Since there is currently no unified federal privacy law in the US, businesses that operate around the country and/or internationally likely need to comply with multiple state and international privacy regulations. CMPs can assist in this by customizing cookie banners based on the user’s location, helping businesses meet the requirements of state-level laws like the MCDPA as well as international regulations such as the GDPR.
Preparing for the Minnesota Consumer Data Privacy Act
Businesses operating in Minnesota have until the effective date of July 31, 2025, to prepare for compliance with the MCDPA. Those that are already compliant with privacy regulations in other states may find themselves ahead, as there are several overlapping requirements. However, businesses must also prepare for specific MCDPA provisions, such as the obligation to maintain data inventories and to document data privacy policies and processes. Integrating a privacy by design approach not only benefits compliance efforts but also enhances overall organizational operations.
Companies must assess whether they meet the MCDPA compliance thresholds, and, if applicable, take steps to provide users with clear opt-out options and accessible privacy notices. Using a Consent Management Platform (CMP) like Usercentrics CMP can assist in managing cookies on websites and apps.
As the MCDPA adapts to technological advancements and shifts in consumer expectations, it is crucial for businesses to consult with qualified legal professionals or data privacy experts, such as a Data Protection Officer, to maintain compliance.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.