By: Edward B Woodall & Gordon Wikle
In our last blog post on internet privacy law, we outlined who has to comply with the GDPR and the CCPA, who is protected by those laws, and what information or data is covered. If you need a refresher, review the following table:

If the GDPR or the CCPA applies to your business, you need to understand the basics of handling personal data, consent, and accountability. This blog will provide highlights of what each law requires.
How Can I Use The Data?
As noted previously, the GDPR is seen as the gold standard of privacy law. Under the GDPR, businesses may only use personal data for specific purposes or “legal bases.” The most common legal basis is processing with the data subject’s prior consent. Typically, this means that businesses must communicate to the individual (a “data subject” under the GDPR and a “protected person” in this blog post) how the business will use and store their personal information.
The CCPA gives businesses much more latitude. Generally, the CCPA doesn’t restrict the purposes for which a business can use collected personal information – it merely limits the business’s right to sell the information without the protected person’s consent. An amendment to the CCPA, the CCPR, also forbids businesses from sharing information without the protected person’s approval; the CCPR will take effect in 2023.
What Rights are Protected?
The GDPR and the CCPA provide protected persons with extensive rights concerning the collected information. For convenience, we’ll break down these rights into several categories and compare the GDPR and the CCPA in each category.
1. The right to erasure. Both the GDPR and the CCPA allow protected persons to request the deletion of their information. While the CCPA provides for more exceptions to this right, both laws require companies to create a process for receiving, processing, and complying with removal requests unless an exception applies. The GDPR additionally requires that companies keep personal data for the shortest time possible, given all the circumstances. Hence, a company must develop, document, and implement compliant data retention and destruction policies.
2. The right to be informed. The GDPR and the CCPA require that businesses make certain disclosures to protected persons. For example, both require that the collector inform the protected persons of the information categories and how the information will be used.
The GDPR further requires that businesses inform the data subject of their rights concerning the personal data and several other aspects of the business’s data collection and processing operations. The CCPA does not require such a disclosure, but it does require that the company provide the consumer with an option to opt out of having his or her data sold.
3. The right to opt-out. As we mentioned above, the CCPA gives consumers the right to opt out of having their personal information sold. However, the GDPR goes much further.
Under the GDPR, data subjects may opt out of the processing of their personal data by:
(a) withdrawing consent for processing – recall that the data subject’s consent is typically the legal basis for personal data collection and processing and that without consent, the personal data processing must stop;
(b) if the personal data was collected on a basis other than the data subject’s consent, by objecting to the legitimacy of the basis; or
(c) generally objecting to the use of their personal data for marketing purposes.
4. The right of access. Under the GDPR and the CCPA, protected persons have a right to know:
- what information is being collected,
- the purpose or use of that information, and
- who is the receiver of the data.
Both laws also require businesses to provide protected persons a copy of the collected information if requested. The right of access also implicates the right of data portability, meaning companies must provide a copy of the collected information free of charge and in a format that a third party can read or process.
5. The right of non-discrimination. The CCPA expressly states that a business may not discriminate against a consumer (e.g., by denying goods or services or charging a higher price) for exercising rights under the CCPA. While the GDPR does not expressly require non-discrimination, it has been interpreted similarly to the CCPA.
Trust The Process
We covered only a few of the key requirements and obligations of the GDPR and CCPA. To truly understand what your business needs to do to comply with each law, you need experienced counsel. The attorneys in Venn Law Group’s corporate law practice group can help you understand the implicated aspects of your business and how you can comply. Additionally, we can draft a set of interlocking contracts and policies that comply with privacy law requirements and ensure compliance without causing undue disruption.
Edward B. Woodall is an attorney at Venn Law Group who works in corporate law and commercial real estate, including leasing, financing, taxation, business structures, and dispute resolution. He is passionate about helping business owners solve a variety of complex legal problems and has performed more than 100 hours of pro bono work. In addition to his law degree, he also has a background in history and Spanish.
Gordon Wikle is an attorney at Venn Law Group with more than 14 years of experience serving as an assistant district attorney with the State of North Carolina. He focuses on commercial litigation and enjoys analyzing problems and finding creative solutions that are in the best interest of his clients. Navigating difficult situations and resolving business disputes are areas where he excels. Gordon earned his J.D. from Duke University School of Law and has his B.A. in Economics from Vanderbilt University.

