The EU General Data Protection Regulation and the California Consumer Privacy Act took different paths to come into existence, but as Greenberg Traurig Co-Chair, U.S. Data, Privacy & Cybersecurity David Zetoony writes, the two bills are still related. Zetoony looks back at the creation of the bills, and explains that when looking at future privacy

  1. EEA Cross-Border Transfers. The U.S. and the EU will work towards, and hopefully reach, a cross-border data transfer solution.
  2. Ransomware. More ransomware attacks and increased regulatory scrutiny of companies that pay ransom demands.
  3. Digital Advertising. Development of alternate marketing strategies, and perhaps more reliance on consumer opt-in, as privacy laws further erode traditional tracking


The European GDPR does not use the term “service provider” and, instead, refers to “processors.” While processors within the GDPR are defined in a similar manner to service providers under the CCPA, the GDPR is far more proscriptive regarding the contractual terms that must be present in a processor agreement. Specifically, the GDPR requires

Greenberg Traurig invites you to join us for an informative discussion on the recently enacted Proposition 24, the California Privacy Rights Act (CPRA), and how it builds on the compliance issues created by the California Consumer Privacy Act (CCPA).

Thursday, Jan. 14, 2021
10:00 – 10:30 a.m. MST / 12:00 – 12:30 p.m. EST


On December 10, 2020, the California Attorney General (AG) released the Fourth Set of Proposed Modifications to the California Consumer Protection Act (CCPA) Regulations, styled as “Modifications to Proposed Modifications.” The Fourth Set comes shortly after the comment period for the Third Set of Proposed Modifications closed on Oct. 28.  Per the AG’s Notice

Deidentified information is defined within the CCPA to mean “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:

  1. Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information


The CPRA adds “sensitive personal information”[1] to the examples of data types that may constitute personal information. The term “sensitive personal information” is itself defined within the CPRA to include 20 data fields. Some, but not all, of these data fields already existed in the CCPA, and their inclusion with the personal information

The CCPA requires that a service provider agree to three substantive restrictions involving the retention, use, and disclosure of personal information.  The CPRA ostensibly expands upon the three substantive contractual restrictions by referring to nine additional provisions that should be included within a service provider agreement.  The following chart compares the substantive service provider contractual

It depends.

The CPRA ostensibly expanded the three substantive contractual restrictions identified in the CCPA by referring to nine additional provisions that should be included within a service provider agreement by January 1, 2023.  Many of the new requirements, however, may be redundant of, or subsumed within, contractual provisions that were put in place to