Demystifying Data Privacy: an Overview and Compliance Discussion of Major Data Privacy Laws

This blog post will explore the intricacies of the major data privacy law frameworks applicable to organizations and businesses, including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). While these regulations are specific to their own jurisdictions, they are important to understand because the CCPA is rooted in GDPR principles, and the CCPA has in turn influenced a wave of similar data privacy laws enacted by other states in the United States. So while they are specific to the EU and California, the data privacy concepts covered by these regulations are likely to become more common in other state statutes across the United States in the near future. This blog will discuss these two regulations generally, and will explore each regulation’s legal obligations, the potential consequences of non-compliance, and best practices for compliance.


European Union’s General Data Protection Regulation (GDPR)

GDPR: Applicability

The General Data Protection Regulation (GDPR) is the European Union’s (EU) data privacy law designed to give EU-based individuals more control over how their data are collected, used, and protected online. Under certain conditions, the GDPR applies to companies that are not located in Europe.[1] For example, a New York-based company may be selling software services to mostly New York businesses. But if it intends to sell such services to EU customers or if it tracks and analyzes EU visitors to its website, then that company may be subject to the GDPR and need to comply with its various requirements.

Accordingly, an organization with a potentially global presence should first determine whether it needs to comply with the GDPR, because the law applies to organizations that handle such data even when the organization is not based in the EU:

“2. [The GDPR regulation] applies to the processing of personal data of data subjects who are in the [EU] by a [data] controller or processor not established in the [EU], where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”[2]

Under this GDPR article, a US-based organization will be subject to the law’s requirements if the conditions under (a) or (b) are met. The test under (a) is whether it is apparent that the organization envisages offering goods or services to data subjects in the EU. GDPR Recital 23 makes clear that the mere accessibility from the EU of a non-EU-established controller’s website (or of its email address or other contact details) does not by itself mean that the GDPR applies, and neither does the use of a language generally used in the controller’s own country.[3] Non-EU-based organizations processing personal data of data subjects in the EU must therefore analyze whether they are targeting those data subjects as customers. The following factors can help organizations make this assessment. Organizations should consider whether they are:[4]

  • offering goods or services in an EU language or currency;
  • allowing data subjects in the EU to place orders in the local language;
  • referring to the EU or at least one EU member state by name when referencing the goods or services;
  • offering delivery in EU member states;
  • directing marketing campaigns at an EU member state; and
  • using country-specific top-level domains or the top-level domain “.eu.”

Where Article 3(2) above applies (a non-EU organization processing the personal data of data subjects in the EU in connection with offering them goods or services or monitoring their behaviour), the organization will be subject to the GDPR.

GDPR Compliance obligations: The Six Principles

If an organization is subject to the GDPR, it must be able to demonstrate compliance both with the GDPR’s six principles governing personal data[5] and with a number of other requirements.[6] Compliance with these requirements can be complicated. We discuss them below, but please note that our aim is to provide an overview of the major areas of compliance, not an exhaustive list of all steps and documentation needed to demonstrate compliance. Certain requirements can be satisfied in different ways. If your organization thinks it may need to comply with the GDPR, we strongly suggest having an attorney with the required expertise provide guidance.

First, the organization should be able to demonstrate compliance with the GDPR’s six principles governing personal data under GDPR Article 5(1). Article 5(2) adds that the controller is responsible for, and must be able to demonstrate, compliance with these principles (the accountability principle). Compliance means personal data shall be handled in accordance with the following principles:[7]

  1. Lawfulness, fairness and transparency: data should be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
  2. Purpose limitation: data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  3. Data minimization: processing should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
  4. Accuracy: data should be accurate and, where necessary, kept up to date. Reasonable steps must be taken to ensure that inaccurate personal data are erased or rectified without delay.
  5. Storage limitation: data should be kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  6. Integrity and confidentiality: data should be processed in a manner that ensures appropriate security against unauthorized or unlawful processing, and against accidental loss, destruction or damage.

GDPR: Additional compliance obligations

Apart from these six specific principles, the GDPR imposes various obligations on organizations processing data of EU subjects and requires the organization to demonstrate compliance with these obligations.

Data protection compliance program. First, the organization is tasked with reviewing the GDPR and its principles, and then establishing and maintaining a comprehensive data protection compliance program (including by implementing appropriate technical and organizational measures) to ensure it can demonstrate that its data processing is performed in accordance with the GDPR.[8] Such measures should be reviewed and updated where necessary. This program may include appointing individuals responsible for overall data protection matters, including, where the GDPR requires them, an EU representative[9] and a data protection officer.[10] Practical measures for accomplishing this obligation could include: establishing a privacy officer with the responsibility of implementing and maintaining a privacy compliance program, developing a privacy framework, and educating management about the GDPR’s requirements and the impact of non-compliance.

Data protection by design and default. Additionally, organizations are responsible for embedding privacy measures into their operations. Importantly, this includes implementing “data protection by design and default,” which requires organizations to integrate data protection into their core systems, services, and product designs to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed.[11] This obligation asks the organization to take into account the nature, scope, context, and purposes of the processing, as well as the risks to individuals, when designing its protection measures, so that they provide a level of security that is appropriate to the risk created by processing the relevant data.[12]

Processing and documenting this compliance. Importantly, there are specific obligations related to the act of a business processing personal data, and documenting compliance with these processing obligations. Under the GDPR, these requirements include the organization:

  • having a lawful basis for processing the data. Under the GDPR, the available bases are: consent of the data subject (freely given, specific to the data processing activities, and informed); or processing that is necessary to perform a contract with the data subject, to comply with a legal obligation, to protect the vital interests of the data subject or another individual, to perform a task in the public interest, or to pursue the legitimate interests of the organization or a third party (unless those interests are overridden by the interests or rights of the data subject).[13]
  • maintaining an electronic record of data processing activities and making the record available to supervisory authorities on request.[14]
  • providing a GDPR-compliant privacy notice/policy (i.e., concise, transparent, intelligible, easily accessible, and in clear and plain language).[15]
  • if relying on consent as a basis for processing, obtaining consent that is freely given, specific, informed, unambiguous, and as easy to withdraw as it was to give. A request for consent must also be presented in a manner that is clearly distinguishable from other matters, intelligible and easily accessible, and in clear and plain language.[16]
  • complying with additional requirements when processing special categories of personal data, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic or biometric data, health data, and data concerning a person’s sex life or sexual orientation.[17]
  • providing data subjects with, and honoring, specific rights relating to their data (these rights are further detailed below).[18]
  • complying with cross-border data transfer restrictions and maintaining compliant data transfer mechanisms.[19]

Data protection training. Organizations must also deliver ongoing data protection training internally through formalized training and communication efforts, including training employees involved in any personal data processing. Notably, if the organization is required to have a data protection officer, one of that officer’s responsibilities is to advise employees of their obligations under the GDPR and other applicable data protection laws.[20]

Data Subject Rights. Data subjects in the EU are granted certain rights under the GDPR regarding their personal data, which organizations must honor. These rights include:

  • right to receive certain information about the organization’s personal data collection and data processing activities.[21]
  • right to access the personal data processed and obtain certain information about the processing activities.[22]
  • right to correct inaccurate personal data held by the organization, and to complete incomplete personal data.[23]
  • right to have personal data erased when certain conditions apply (such as the data no longer being needed for the purpose for which they were collected, the individual withdrawing consent, or the organization unlawfully processing the data).[24]
  • right to restrict the processing of their personal data when certain conditions apply (such as the individual contesting the accuracy of the data, the organization unlawfully processing the data, or the organization no longer needing to process the data).[25]
  • right to data portability: to receive the personal data they provided to the organization in a structured, commonly used, and machine-readable format, and to transmit those data to another controller.[26]
  • right to object to processing for certain purposes (such as direct marketing, processing for scientific or historical research purposes under certain circumstances, and processing based on public interest or legitimate interests).[27]
  • right to not be subject to a decision based solely on automated data processing where the decision has a legal or other significant effect.[28]
  • right to be notified of a data security breach where the organization is subject to a data breach that is likely to result in a high risk to the individual’s rights under the GDPR.[29]

Obligations with third party data processing. Finally, organizations must follow certain steps when engaging third parties to process personal data on their behalf. The GDPR only permits a controller to use a processor that provides sufficient guarantees that it has implemented appropriate technical and organizational measures to protect personal data in accordance with the GDPR. Further, these processor relationships must be governed by a contract (or other legal act) that binds the processor, and the processor must have the controller’s prior written authorization before engaging a sub-processor.[30]

GDPR: Potential consequences of non-compliance

The GDPR provides EU individuals with remedies for violations of these regulations, which may be sought by lodging a complaint with the relevant supervisory authority (the independent public authority of each EU member state responsible for monitoring application of the GDPR).[31] Furthermore, the GDPR sets out penalties that these supervisory authorities may impose on controllers and processors that violate the GDPR.[32] Organizations failing to comply with applicable GDPR requirements may be subject to various types of penalties.

First, organizations may face corrective measures imposed by the relevant supervisory authorities. These include issuing warnings or reprimands, ordering the organization to comply with an individual’s requests to exercise any of the rights listed above, ordering the organization to bring its processing into compliance with the GDPR (where appropriate, in a specified manner and within a specified period), and imposing a temporary or definitive limitation or ban on processing.[33]

In addition to these corrective measures, the GDPR also provides for administrative fines. Supervisory authorities may impose two tiers of fines, depending on the type of violation.[34] For violations of most controller and processor obligations (such as those relating to data protection by design, records of processing, security of processing, and breach notification), they may impose fines of up to €10 million or 2% of the organization’s total worldwide annual turnover for the preceding financial year, whichever is higher. For more serious infringements (such as infringements of the six core data processing principles outlined above, the conditions for consent, data subjects’ rights, or the cross-border transfer rules), they may impose fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher. Note that these caps are denominated in euros; the separate UK GDPR that applies in the United Kingdom sets its own caps in pounds sterling.

The GDPR does not specifically provide criminal penalties for violations. However, the GDPR generally permits each EU country to “lay down the rules on other penalties applicable to infringements of [the GDPR]” for infringements which are not subject to the administrative fines outlined above. [35] These could include rules on criminal penalties for GDPR violations.

Finally, organizations could face claims for damages brought by EU data subjects. In addition to the right to lodge a complaint with a supervisory authority where an organization does not process their data in compliance with the GDPR,[36] data subjects have the right to an effective judicial remedy against a controller or processor and to compensation for material or non-material damage suffered as a result of an infringement (GDPR Art. 79 and 82).

GDPR: Best practices for compliance and safeguarding user data

As mentioned before, the best way to approach compliance is to consult with an attorney with expertise in GDPR compliance. Otherwise, GDPR.eu, a project co-funded by a European Union research initiative, provides resources to guide compliance efforts, including a compliance checklist and a privacy policy template. However, these alone may not be enough for compliance. In accordance with the GDPR’s accountability principle, organizations subject to the legislation should implement a formal data protection compliance program and familiarize themselves with the GDPR and its various requirements.


The United States and the California Consumer Privacy Act  (CCPA)

Unlike the European Union, the United States has historically allowed businesses and institutions to collect personal information without express consent, while regulating particular uses to prevent or mitigate harms in specific sectors. The U.S. has also, for the most part, left comprehensive data privacy regulation to the individual states. The state of California was the first to adopt a privacy framework that mirrored the rights-based approach of the EU’s GDPR. More recently, following California’s lead, other states such as Colorado, Connecticut, Utah, and Virginia have enacted and begun enforcing similar GDPR-inspired comprehensive privacy statutes. Thus, California’s privacy law framework is important to discuss here because of its influence on comprehensive privacy regulation in the United States.

The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA”) is a comprehensive personal information privacy statute that provides California consumers with certain significant rights regarding their personal information, including notice, access, deletion, correction, to opt-out of sales and sharing, to limit sensitive personal information use and disclosure, and non-retaliation. It also imposes various data protection duties on businesses subject to its application, including data minimization and purpose limitation, and includes a private right of action with statutory damages for certain data breaches.[37] The CCPA takes inspiration from the GDPR’s approach to privacy and is discussed further in detail below.

CCPA: Applicability

The CCPA does not apply to everyone. The CCPA applies to for-profit businesses that do business in California and meet the following requirements: (a) the business collects California consumers’ personal information (directly or through others on its behalf) and determines the purposes and means of processing that information (alone or jointly with others); and (b) the business meets any of the following three thresholds: (i) it has gross annual revenue of over $25 million; (ii) it buys, sells, or shares the personal information of 100,000 or more California consumers or households annually; or (iii) it derives 50% or more of its annual revenue from selling or sharing California consumers’ personal information. The CCPA does not apply to nonprofit or public entities. Personal information use by those entities is regulated by other laws, such as the California Public Records Act.[38] However, any for-profit subsidiaries or commercial joint ventures of non-profit organizations that meet the CCPA’s jurisdictional thresholds may fall under its requirements.

CCPA: Compliance obligations

The CCPA obligates businesses to take several measures to comply with its requirements. These are discussed below. However, businesses should review their data inventory, collection, and sharing practices to determine which sections of the CCPA apply to them, particularly if they sell or share consumer personal information or process sensitive personal information. Finally, there are additional obligations under the CCPA that are not discussed here, as they do not apply to all businesses and only apply under specific circumstances. If your business thinks it may need to comply with the CCPA, we strongly suggest having an attorney with the required expertise provide guidance.

Data Minimization, Purpose Limitations, and Data Retention. The CCPA requires a business to collect, use, retain, and share consumers’ personal information only as reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.[39] Further, a business’s initial collection purposes and any secondary data uses must be consistent with the consumer’s reasonable expectations.[40] Data minimization is an important CCPA principle, and businesses must apply it to every purpose for which they collect, use, retain, and share consumers’ personal information. Finally, businesses must set retention periods for how long they will keep personal information. The CCPA requires a business collecting personal information to inform consumers of the length of time it intends to retain each category of personal information collected or, if providing a definite period is not possible, of the criteria used to determine that period.[41]

Implement Reasonable Security Practices and Procedures. Under the CCPA, businesses must implement reasonable security procedures and practices to protect collected personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.[42] This obligation requires businesses to provide security and integrity to the extent necessary and proportionate to the business’s purpose for collecting the data in the first place. Providing security and integrity measures requires the ability of a business’s systems to detect security incidents, resist malicious, deceptive, fraudulent, or illegal actions and to help prosecute those responsible for those actions.[43]

Publish and Maintain Required Notices. Businesses subject to the CCPA must provide various notices to consumers regarding the business’s personal information practices. These public disclosures include:[44]

  • Collection: notices at collection, which must include what categories of personal information are collected (including categories of any sensitive personal information), the business’s intended purpose of such collection, whether that information is shared or sold, the retention period, and links to the privacy policy.
  • Privacy policy: which is a notice provided on an online platform (i.e., website or app) that includes comprehensive information about the consumers’ CCPA rights and how to exercise them. They must be provided with a conspicuous link and must be reviewed and updated every twelve months. These often include the other disclosures listed here.
  • Opt-out right: for businesses that sell or share personal information, a notice informing the consumer of their right to opt out of personal information sales or sharing and instructing consumers how to submit a request to opt out.
  • Sensitive personal information limitations: for businesses that use or disclose sensitive personal information (such as social security numbers, financial account information, racial or ethnic origin, or account log-in credentials), a notice informing consumers of their right to limit the use and disclosure of that sensitive personal information.
  • Financial incentives: a notice regarding financial incentives if the business is providing financial incentives related to the collection, retention, sale or sharing of personal information, which may result in price, quality or service differences. The notice must summarize the financial incentive, its terms, instructions for opting in, and how it relates to the value of the consumer’s data.

Notably, activities like providing financial incentives, or using a consumer’s previously collected personal information for new purposes, also require the business to first obtain the consumer’s informed consent. Consent must be freely given, specific to the activity at hand, informed (i.e., they understand the benefits and risks), and unambiguous.[45]

Consumer Rights Under the CCPA and Responding to Requests. The CCPA provides various rights to consumers regarding their personal data (similar to the GDPR). To exercise these rights, the CCPA empowers consumers to make requests to businesses, who must comply with those requests under the CCPA. These rights include:[46]

  • right to know what personal information a business collected, sold, shared, or disclosed about them;
  • right to have their personal information deleted;
  • right to have the business correct any inaccuracies in the personal information it holds about them;
  • right to non-discrimination for exercising their CCPA rights;
  • right to opt-out of personal information sales and sharing (as discussed above);
  • right to limit the use and disclosure of sensitive personal information the business processes (as discussed above); and
  • right to portability, requiring a business to provide the consumer its collected personal information in a readily useable format to enable a consumer to transmit the information from one entity to another entity without hindrance.

The CCPA provides detailed requirements for enabling these rights and responding to consumer rights requests, and businesses often use privacy policies to inform consumers of these rights and the processes they can use to exercise these rights. Further, businesses should establish and document clear procedures for honoring these consumer rights within the required timeframes. They must also train their employees on directing consumers to submit rights requests and providing appropriate responses.[47]

Notably, the CCPA explicitly prohibits any agreement or provision that seeks to have consumers waive or limit their rights under the CCPA, including rights to any remedy or specific means of enforcement.[48]

Recordkeeping Obligations. The CCPA regulations also impose specific recordkeeping obligations on businesses, specifically with respect to consumer requests. Businesses are required to maintain records of rights requests made by consumers under the CCPA, and of how the business responded to those requests, for at least twenty-four months.[49] All records must be maintained using reasonable security procedures and practices. Further, businesses must not use these records for any other purpose, and must not share information associated with these records with any third parties, except as needed to comply with a legal obligation.[50]

CCPA: Potential consequences of non-compliance

The CCPA is enforced by the California Privacy Protection Agency (created by the California Privacy Rights Act, the “Agency”) and the California Attorney General (“California AG”). The Agency is empowered to enforce the CCPA and its regulations through administrative proceedings that may result in cease-and-desist orders and administrative fines.[51] The California AG has the power to investigate CCPA violations and to seek civil penalties and injunctions in court.[52] The Agency may also audit a business’s personal information processing activities if they present a significant risk to consumers’ privacy or security.[53]

Both of these enforcers may seek penalties of up to $2,500 per violation, or up to $7,500 per intentional violation or per violation involving the personal information of a consumer the business knows is under 16 years of age.[54] Notably, though, the CCPA limits duplicative enforcement by these two enforcers for the same violation. For example, the California AG cannot bring a civil action against a business for the same violation after the Agency has already issued a decision with respect to a complaint, an administrative fine, or an order based on that CCPA violation.[55]

The CCPA also provides consumers with a private right of action against businesses for unauthorized access and exfiltration, theft, or disclosure of nonencrypted and nonredacted personal information resulting from the business’s failure to implement reasonable security procedures and practices appropriate to the nature of the personal information at issue.[56] Consumers’ potential remedies in such a private action include: either statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater; injunctive or declaratory relief; and any other relief a court deems proper.[57] Notably, statutory damages are only available if the consumer first provided the business with thirty days’ written notice identifying the specific provisions violated, and the business failed to cure the violation within that period (where a cure is possible). Implementing reasonable security procedures and practices after a breach does not constitute a cure with respect to that breach.[58]

Finally, poor data privacy practices can just be a tough look for any business. If a business faces a data security breach, the resulting negative publicity and loss of consumer trust could harm the business’s reputation.

CCPA: Best practices for compliance and safeguarding user data

Best practices for complying with the CCPA start with understanding whether the CCPA applies to your business and, if so, understanding the statutory requirements generally. Further, businesses should try to stay current on any changes to the CCPA regulations: privacy law is constantly evolving, and the requirements under these statutes may change.

Importantly, if subject to the CCPA, the business should implement a privacy policy on its website and application (if applicable) that includes the required disclosures discussed above. We also suggest designing processes to respond effectively to consumer requests exercising CCPA rights (such as the right to know, deletion rights, and opting out of sales or sharing). Further, the business should implement reasonable security procedures and practices appropriate to the nature of the personal information collected to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure. For example, these measures might include encrypting sensitive data at rest and in transit, restricting access to personal information to those who need it, and regularly patching and updating systems. Finally, to design an effective security program, it will be useful to identify what personal information is collected, processed, and shared throughout the organization; assess the data security measures in place for all personal information the business collects; establish written security policies and procedures designed to protect the information; and ensure that employees can implement and maintain these policies and procedures.

For businesses that want to implement security controls but do not know where to start, the California Attorney General’s 2016 Data Breach Report provides various recommendations; notably, it identified the Center for Internet Security’s Critical Security Controls as a minimum level of information security that all organizations handling personal information should meet. While these are recommendations from California’s Attorney General, they are not the only controls that can achieve the level of security the CCPA requires. If curious about your level of security, we suggest conferring with a data privacy specialist.

The CCPA imposes significant responsibilities on businesses to protect consumers’ data privacy. By understanding the law’s applicability, compliance obligations, and potential consequences of non-compliance, and by implementing best practices for safeguarding user data, businesses will be well equipped to uphold their legal obligations under the CCPA, and potentially under the series of privacy laws that follow from other U.S. states.

[1] GDPR.EU, Does the GDPR apply to companies outside the EU?, available at https://gdpr.eu/companies-outside-of-europe/.

[2] GDPR Art. 3(2).

[3] GDPR Recital 23.

[4] GDPR Recital 23.

[5] GDPR Art. 5(1) & (2).

[6] GDPR Art. 24(1).

[7] GDPR Art. 5(1).

[8] GDPR Art. 24.

[9] GDPR Art. 27 (A non-EU organization subject to the GDPR must designate, in writing, a representative in the EU to be addressed on behalf of the organization by EU supervisory authorities and data subjects regarding all issues related to its data processing or GDPR compliance. The representative must be established in one of the EU Member States where the organization’s relevant data subjects are located. There is an exception to this requirement where the organization’s data processing is occasional, does not include large-scale processing of special categories of data (such as data revealing ethnic or racial origin or religious beliefs, genetic data, or data relating to criminal convictions), and is unlikely to result in a risk to the rights and freedoms of natural persons. Unless this exception applies, the organization must appoint a representative).

[10] GDPR Art. 37 (A data protection officer is required where the core activities of the controller or processor consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of personal data under Article 9 or of personal data relating to criminal convictions and offences under Article 10, and in any case where the processing is carried out by a public authority or body).

[11] GDPR Art. 25(1).

[12] GDPR Art. 32(1).

[13] GDPR Art. 6(1).

[14] GDPR Art. 30(1), (2), & (4).

[15] GDPR Art. 12(1), 13, & 14.

[16] GDPR Art. 7.

[17] GDPR Art. 9(1).

[18] GDPR Art. 12, 14-18, 20, & 21.

[19] For more information, see the European Data Protection Board’s Guidelines 05/2021 on the Interplay between the application of Art. 3 and the provisions on international transfers as per Chapter V of the GDPR, available at: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052021-interplay-between-application-article-3_en

[20] GDPR Art. 39(1)(a), (b).

[21] GDPR Art. 12 & 14.

[22] GDPR Art. 12 & 15.

[23] GDPR Art. 16.

[24] GDPR Art. 17.

[25] GDPR Art. 18.

[26] GDPR Art. 20.

[27] GDPR Art. 21.

[28] GDPR Art. 22.

[29] GDPR Art. 34.

[30] GDPR Art. 28.

[31] GDPR Art. 77.

[32] See, generally, GDPR Art. 77 – 84.

[33] GDPR Art. 58.

[34] GDPR Art. 83.

[35] GDPR Art. 84.

[36] GDPR Art. 77.

[37] Cal. Civ. Code §§ 1798.100 to 1798.199.100; Cal. Code Regs. tit. 11, §§ 7000 to 7304.

[38] Cal. Gov’t Code §§ 7920.100 to 7931.000.

[39] Cal. Civ. Code § 1798.100(c).

[40] Cal. Code Regs. tit. 11, § 7002.

[41] Cal. Civ. Code § 1798.100(a)(3).

[42] Cal. Civ. Code § 1798.100(e).

[43] Cal. Civ. Code § 1798.140(ac).

[44] Cal. Civ. Code §§ 1798.100(a), (b), 1798.125(b), 1798.130(a)(5), and 1798.135(a); Cal. Code Regs. tit. 11, § 7010.

[45] Cal. Civ. Code § 1798.140(h).

[46] Cal. Civ. Code §§ 1798.105, 1798.106, 1798.110, 1798.120, and 1798.121.

[47] Cal. Civ. Code §§ 1798.130(a)(6); Cal. Code Regs. tit. 11, § 7100(a).

[48] Cal Civ. Code § 1798.192.

[49] Cal. Code Regs. tit. 11, § 7101(a).

[50] Cal. Code Regs. tit. 11, § 7101(d).

[51] Cal. Civ. Code §§ 1798.155(a), 1798.199.45, and 1798.199.55.

[52] Cal. Civ. Code § 1798.199.90(a).

[53] Cal. Code Regs. tit. 11, § 7304(a) to (b).

[54] Cal. Civ. Code §§ 1798.155(a) and 1798.199.90(a).

[55] Cal. Civ. Code § 1798.199.90(d).

[56] Cal. Civ. Code § 1798.150(a)(1).

[57] Cal. Civ. Code § 1798.150(a)(1)(A)-(C).

[58] Cal. Civ. Code § 1798.150(b).