The Rising Stakes of Compliance: GDPR, CCPA, and Others

October 29, 2020
Steve Fox

Data privacy and protection is not a new initiative. The 1998 Data Protection Act aimed at addressing this very issue as our society quickly embarked on the digital age. Now, more than 20 years later, the conversation has continued with new and revised regulations to protect consumers and businesses. Among these regulations are the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Nevada’s Privacy Law, Washington State’s Privacy Bill, and New York’s Privacy Bill, among others.

In a time when everyone seems to be online and sharing more than ever before, the topic of privacy is rising to the top of legislative agendas. Let’s take a good, fresh look at some of these data privacy regulations and the rising stakes associated with compliance.


Adopted in 2016 and effective in 2018, GDPR replaced an outdated data protection law that simply did not cover the new challenges and threats presented by the current digital environment. This revamped data privacy regulation specifically targets the protection of basic identity information, web data (e.g., location, IP data, cookies, RFID tags), health and genetic data, racial or sexual orientation information, as well as political views.

GDPR is rooted in seven key principles:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

Are you required to comply with GDPR if your business is based in the United States? Yes. If your business conducts transactions or otherwise collects personal information from citizens residing in one of the EU member states, you must comply with GDPR. In fact, according to a PwC survey, 92% of U.S. businesses consider GDPR compliance a top priority.


The first, and probably most obvious, the risk for non-compliance with GDPR is the issuance of one or more fines. There are two tiers for administrative fines for non-compliance, which applies to data controllers and processors:

  • Tier 1: Up to approximately $11.6 million, or 2% of the company’s worldwide annual revenue from the previous fiscal year (whichever is higher)
  • Tier 2: Up to approximately $23 million, or 4% of the company’s worldwide annual revenue from the previous fiscal year (whichever is higher)

Many companies opt to use a third-party service to manage transactions and data storage in an effort to protect themselves. However, despite using a third-party service, you will ultimately still be responsible for the transactions and data usage within your company, so it’s critical that you choose your partners wisely and monitor all activity to ensure compliance.


Similar to GDPR, CCPA is intended to protect the personal data of California citizens, placing rules and regulations on the types of personal information that can be collected and how that information will be stored and used in the future. Under CCPA, California citizens are granted four distinct rights:

  1. The right to know about the personal information a business collects about them and how it is used and shared;
  2. The right to delete personal information collected from them (with some exceptions);
  3. The right to opt-out of the sale of their personal information; and
  4. The right to non-discrimination for exercising their CCPA rights.


The California State Attorney General will first issue a warning to give your business an opportunity to comply with CCPA within a 30-day window. If you do not comply, your business will then be faced with a civil lawsuit. “Civil penalties can range from $2,500 for a non-intentional violation to $7,500 for an intentional violation.”


In addition to California, there are other U.S. states who have elevated data privacy and protection as a legislative priority, including Washington, New York, and Nevada.

  • Washington State’s Privacy Bill: With overwhelming majority support in the Washington Senate, the data privacy bill passed in 2019. Taking cues from CCPA, this bill “allows for fines up to $7,500 per violation. If passed, the bill could be effective as soon as December 31, 2020.”
  • Nevada’s Privacy Law: Effective October 1, 2019, this law is very similar to CCPA with the primary difference noted in the way “sale” is defined. Nevada’s law is more lenient on financial institutions and does not cover all service providers.
  • New York’s Privacy Bill: In an effort to protect the citizens of New York, legislators introduced a privacy bill that would allow New York citizens to access, correct, delete, and withhold personal data from third parties. Citizens will also have the right to file a lawsuit against companies that breach their data.

In this digital age, data flows like water. But the more data flows, the more careful we all need to be about what types of data are collected, how they are stored, and how they will be used. State and Federal legislations are on the rise as legal authorities and consumers alike push for data protection and privacy. Is your business compliant?

join our email list