California Privacy Laws
The California Consumer Privacy Act (CCPA), signed on June 28, 2018, established a series of consumer rights for the protection of personal data and obligations for businesses regarding collecting and processing such data. The CCPA came into effect on January 1, 2020. The California Privacy Rights Act (CPRA), also known as "Proposition 24," was approved by California voters on November 3, 2020. It significantly amended and expanded the CCPA, sometimes called "CCPA 2.0." The CCPA and CPRA set a comprehensive standard for consumer privacy protection and data security, influencing many companies' approaches to these issues.
Delaware Privacy Laws
In contrast, Delaware's privacy law is among the most business-friendly. It is not as stringent as California's CCPA and CPRA. Delaware's law applies to a broader range of companies of all sizes, unlike Florida's privacy law, which targets large companies, or Texas's Data Privacy and Security Act (TDPSA), which excludes small businesses.
Scope and Applicability
California
CCPA and CPRA impose obligations on businesses, service providers, and third parties. CPRA adds a fourth category: contractors. A "business" under CPRA is defined as a business enterprise that:
- Collects consumer personal data either independently or through efforts by others
- Determines the purposes and means of processing the personal data
- Operates in California
- Meets at least one of the following criteria:
  - Has an annual gross revenue of over $25 million
  - Annually buys, receives, sells, or shares the personal information of 100,000 or more consumers or households
  - Derives 50% or more of its annual revenue from selling consumers' personal data
Delaware
Delaware's compliance threshold is lower, which is unsurprising given the state's small population (about one million, compared to California's 40 million). Delaware's privacy law applies to more small businesses as it has no revenue threshold. Compliance is required:
- If an organization controls or processes the personal data of at least 35,000 consumers, excluding data controlled or processed solely for completing a payment transaction
- Or if it controls or processes the personal data of at least 10,000 consumers and derives over 20% of its gross revenue from selling personal data
Consumer Rights and Requests
Delaware's Data Protection and Privacy Act (DPDPA) grants consumers a range of rights similar to those in other state data privacy laws, including access, correction, deletion, obtaining a copy of personal data, and opting out of the sale of personal data and/or targeted advertising. Parents and guardians can exercise rights on behalf of their children as defined by the Children's Online Privacy Protection Act (COPPA). DPDPA also grants rights regarding "sensitive data," which includes racial or ethnic origin, religious beliefs, health status, sexual orientation, and precise geolocation data, among others.
CCPA established specific rights for consumers:
- The right to know what personal information is collected and processed
- The right to delete such personal information
- The right to opt out of the sale of personal information to third parties
- The right to non-discriminatory treatment when exercising any rights
- The right to bring a civil action in case of data breaches
CPRA expanded the list of rights with two additional rights:
- The right to correct inaccurate personal information
- The right to limit the use and disclosure of sensitive personal information
Enforcement and Penalties
CCPA imposes civil penalties, with the potential for fines up to $7,500 for intentional violations and $2,500 for unintentional violations, with a 30-day period for correction after notice. Consumers can also seek damages for data protection violations, ranging from $100 to $750 per incident or actual damages, whichever is greater. Businesses may also face injunctions in cases prescribed by the California Attorney General.
In Delaware, the enforcement of DPDPA is entrusted to the state's Department of Justice. Before initiating an action, the Department must determine whether the violation can be corrected and provide 60 days to correct it. Afterward, the Department can initiate a lawsuit against the controller or processor. This provision will be effective until December 31, 2025, but may be extended at the Department's discretion until January 1, 2026. Unlike most state data privacy laws, DPDPA does not cap the amount of civil penalties for violations.
Although California and Delaware laws provide robust consumer privacy protections, they differ significantly in scope, compliance thresholds, and enforcement mechanisms. California's CCPA and CPRA set high standards with strict requirements and severe penalties. Delaware's DPDPA is more accessible for small businesses with fewer consumers, offering a broader spectrum of consumer rights and emphasizing flexibility in compliance and a more organized enforcement approach.