ARTICLE | Better Than Xanax: A Comparative Analysis of GDPR v. CCPA
I. Introduction
The concept of privacy has evolved with the development of new technology. Personal data has now been described as surpassing oil as the world’s most valuable resource.[1] Companies routinely “collect, analyze, share, and sell” consumers’ personal information and many consumers are unaware of the amount of information they are providing to businesses as well as the ways in which companies are using their data.[2] While some consumers believe they are taking full advantage of these free benefits of a particular service, they usually do not realize that they are paying currency in the form of their personal data.[3]
Unless a person refuses to get a driver’s license, makes all of their calls from pay phones, and transacts only in cash, his or her personal information, behaviors, and preferences are available on the Internet to anyone who may be interested.[4] Data protection as a concept is itself a novel and rapidly changing field.[5] How data is used and managed electronically changes quickly, and legislators globally fight a constant battle to keep up with such technological advances.[6]
This Note will provide a comparative analysis of the European Union’s (EU) General Data Privacy Regulation (GDPR) and the California Consumer Privacy Act (CCPA) of the United States (U.S.) and make the argument that there is a need for a transatlantic, global data privacy standard.
Part II of this Note will describe the history of the enactment of the GDPR. Part III of this Note will describe the enactment of the CCPA. Part IV of this Note will discuss how the fundamental right to data privacy has shaped each country’s data privacy regulations. Part V compares the EU and U.S. data privacy frameworks. Part VI will provide a comparative analysis of the EU’s GDPR and the CCPA, focusing specifically on territorial scope, enforcement, penalties and fines, as well as some privacy rights. Part VII will make the recommendation that there is a need for a transatlantic, globalized privacy regulation. Finally, Part VIII will conclude that in implementing a globalized privacy regulation, developed countries need to think holistically in providing assistance to developing countries to be successful.
II. General Data Privacy Regulation
In an effort to harmonize European law, the EU enacted several directives and regulations.[7] In 1995, the European Parliament adopted the EU Data Protection Directive (DPD) with two major goals: to protect the fundamental right of data protection and to guarantee the free flow of personal information between member states.[8] Prior to the enactment of the GDPR there was Directive 95/46/EC[9] on the protection of personal data and Directive 2002/58/EC[10] on the processing of personal data and privacy protection of electronic communications.
As directives, the legislation set out goals or minimum requirements, but member states had to pass their own national laws to implement these goals.[11] Directive 95/46/EC and Directive 2002/58/EC were replaced by the GDPR and laid the foundation for many of its provisions.[12] For example, the directive addressed a number of areas that subsequently became the legal bases for the GDPR, including: the definition of personal data[13] and data controller,[14] processing requirements,[15] rights afforded to the data subject,[16] remedies for breach, and transferring of data.[17]
To meet new privacy challenges brought by the development of digital technologies, the EU spent years drafting the GDPR to strengthen its data protection standards.[18] The GDPR is the most comprehensive EU regulation dealing with personal data and privacy and is a binding framework across all twenty-eight member states,[19] defining the rules for processing, storing, and managing the data of EU citizens.[20]
The key provisions of the GDPR are: (1) an expanded jurisdictional reach applied to non-European companies processing the data of European consumers; (2) the duty to notify consumers of a data breach within twenty-four hours; (3) a requirement that companies obtain “specific, informed and explicit” consent before collecting personal data (opt-in provision); and (4) a company’s duty to erase personal data upon demand (right to be forgotten).[21]
III. California Consumer Privacy Act
In the early 1970s, Congress considered enacting comprehensive privacy legislation, but was unable to do so.[22] In the intervening years, the information privacy laws enacted by Congress have been referred to as weak or sector-specific.[23] Signaling a new direction in state data privacy and consumer protection, the CCPA establishes important rights and protections for California residents with regard to the collection, use, disclosure, and sale of their personal information.[24]
The CCPA is the “brainchild” of Alastair Mactaggart, a wealthy Californian who spent millions of dollars gathering signatures to place an initiative on the state’s November 2018 ballot and “subsequently negotiated a deal with lawmakers to enact a scaled-back version of his desired legislation.”[25] Governor Jerry Brown signed the CCPA into law on June 28, 2018; it went into effect on January 1, 2020, and is said to be the most aggressive privacy law in the U.S.[26] The CCPA statute, similar to the GDPR,[27] defines personal information broadly to include any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[28]
Broadly, the CCPA grants California residents several important privacy rights with respect to their personal information: (1) the right to be informed of the categories of personal information being collected and the purposes for which such information shall be used,[29] (2) the right not to have additional personal information collected without further notice, (3) the right to request deletion of personal information,[30] (4) the right to know whether personal information is being sold or disclosed and to whom,[31] (5) the right to opt out of the sale of personal information,[32] and (7) the right to equal services and prices regardless of whether they exercise privacy rights under the CCPA.[33] The first, second, third, fourth and sixth rights are similar to those that data subjects have under the GDPR.[34]
IV. A Fundamental Right to Data Privacy
Europeans have long recognized the importance of data protection and privacy. Privacy has been established as a fundamental right in the Charter of Fundamental Rights of the European Union.[35] Article 8 of the Charter explicitly recognizes the right to protection of personal data.[36] Therefore, it is unsurprising that the EU has enacted expansive data privacy laws.[37]
On the other hand, the right to privacy[38] is not considered to be a fundamental right in the U.S.[39] As such, U.S. citizens do not have an explicit federal constitutional right to data privacy.[40] This attitude towards data privacy rights has thus shaped the poor data privacy framework in the U.S. However, certain states have begun taking measures to enact their own data privacy regulations.[41] For example, California is one of only ten states to incorporate privacy as an enumerated right into its constitution.[42]
V. The EU and U.S. Data Privacy Frameworks
In comparing the U.S. and EU models of data privacy, one can see more differences than similarities. At the legislative level, the EU model is more streamlined and less complex than the U.S. model. The EU relies primarily on one law, the General Data Privacy Regulation (GDPR), which replaced the DPD as the EU’s primary data protection framework.[43]
On the opposite end of the spectrum, the U.S. has no comprehensive law guaranteeing privacy rights in personal information.[44] Instead, the U.S. has developed its data privacy laws through a series of unconnected pieces of legislation targeting specific markets or sectors, enacted reactively to address particular concerns (for example, combating waste, fraud and abuse in health insurance and healthcare delivery), leaving state and federal laws often inconsistent with one another.[45]
Among the most important federal laws are the Health Insurance Portability and Accountability Act (HIPAA)[46] (personally identifiable health information) and the Gramm–Leach–Bliley Act (GLBA) (financial information).[47] Each law is also enforced by a different agency or state body.[48] It is hard to develop a coherent privacy policy with such a scattershot regime.[49] Where there are gaps in this industry-specific approach, state privacy laws, self-regulatory guidelines, and general-purpose consumer protection laws fill them, creating a patchwork system of state and federal laws that often “overlap, dovetail and contradict one another.”[50]
Academics have often argued that the U.S. has a weak tradition of data privacy that is diametrically opposed to the EU’s expansive data protection laws, which are often portrayed as the “golden standard.” Since the EU passed the GDPR, several other countries, such as Brazil[51] and Japan,[52] have followed in its footsteps by passing their own data protection laws.[53] The U.S. has yet to adopt a national federal privacy regulation; however, California has taken the nation’s lead by enacting the CCPA.
Due to California’s economic importance and the borderless world of e-commerce, the impact of this legislation transcends state borders and forces technology companies to comply. When one considers the size of California’s economy and combines this with the fact that 6.9% of U.S. GDP in 2017 was driven by the digital economy, it is no surprise that organizations are taking the CCPA seriously.[54]
VI. Comparative Analysis: GDPR v. CCPA
The CCPA was enacted only one month after the enactment of the GDPR. Therefore, it is no surprise that the two laws are often compared with one another. While the drafters of the CCPA referenced the EU’s GDPR as a model, they did not necessarily echo the GDPR’s language, adopt all of its requirements, or limit themselves to the GDPR’s provisions.[55] Although the GDPR and CCPA do contain many similarities, the differences between the two laws should also be recognized. Conducting a comparative analysis of the two laws is useful for evaluating the differences between the EU and U.S. data privacy laws.
A. Territorial Scope
The GDPR and CCPA both have extraterritorial reach, as both apply to companies outside their borders if the companies collect the personal data of consumers located within their borders.[56] A consumer, or California resident, is defined by the law to include every individual who is in California for other than a temporary or transitory purpose, as well as every individual domiciled in California who is outside California for a temporary or transitory period.[57] Similarly, the GDPR makes clear that anyone processing the data of residents of the EU, regardless of whether or not they have an office in the EU, is subject to the regulation.[58]
While the GDPR applies to all companies that sell, collect or store EU residents’ data or offer any goods or services in any of the nations in the EU, the CCPA applies minimum thresholds that companies must meet in order to be subject to the law.[59] For example, the CCPA will regulate some, but not all, for-profit entities that do business[60] in California, that “collect consumers’ personal information, and that meet at least one of three financial thresholds, including having annual gross revenues in excess of $25 million[61]; annually purchasing, receiving for commercial purposes, selling, or sharing for commercial purposes the personal information of fifty thousand or more consumers, households or devices; or deriving 50 percent or more of annual revenues from selling consumers’ personal information.”[62]
As a result of these thresholds, smaller companies that would be subject to the GDPR could be exempt from the CCPA.[63] Unless a website, for example, explicitly blocks visitors from California, the CCPA would apply, even if the company does not reside in California.[64] This concept is similar to the GDPR, which takes a strong stance to ensure that companies, both internal and external to the EU, comply with its high standards for citizen data protection.[65] The GDPR is applicable to all public and private sector individuals and entities that process personal data for more than household purposes, whereas the CCPA is limited in scope to entities that are for-profit, meet the specific criteria above, and do business in California.[66]
B. Enforcement
Enforcement mechanisms are instrumental in securing compliance with privacy laws. Neither the CCPA nor the GDPR applies to law enforcement or national security, but they may apply to businesses providing services to law enforcement or national security agencies.
While both the GDPR and the CCPA have established supervisory authorities to oversee the enforcement of these newer pieces of legislation, the enforcement powers are fairly inconsistent. Article 58 of the GDPR established the Data Protection Agency (DPA) framework, which requires member states to establish independent DPAs to address compliance concerns.[67] The CCPA did not establish a new authority but instead grants the Attorney General of California the right to investigate and enforce the CCPA.[68] Both the DPA and the Attorney General have the authority to respond to non-compliant behavior with measures such as penalties and fines.[69]
The DPAs’ enforcement responsibilities can be categorized in two ways: individual rights protections and compliance with data processing rules.[70] DPAs have the goal of promoting awareness and providing guidance on the GDPR. The agency is also granted investigative powers and can audit, review certifications, get access to equipment used for data processing, and reach the location where the data controller or processor processes data.[71] Additionally, the DPAs are empowered to warn data controllers and processors of likely non-compliance, issue warnings to data controllers and processors who have already breached the regulation, and stop data processing altogether.[72]
Unlike those of the DPA, the enforcement responsibilities of the Attorney General are slightly more vague. The Act provides that the Attorney General may also pursue any other regulations “as necessary to further the purposes” of the Act and “solicit broad public participation.” The Attorney General may: adjust the monetary thresholds to reflect any increase in the Consumer Price Index,[73] establish additional rules to ensure that information and notices provided to consumers are easily understood, and establish additional rules to further consumers’ privacy rights, with the goal of minimizing the administrative burden on consumers. Without effective enforcement provisions, these regulations would not be able to compel compliance.[74]
C. Fines and Penalties
Both laws carry significant potential liabilities, permitting fines to be imposed on companies that do not comply, but the severity of the fines differs.[75]
If a company is not in compliance with the GDPR, it may face severe penalties, including fines ranging from two percent of global revenue or 10 million euros up to four percent of global revenue or 20 million euros, whichever is higher.[76] Although four percent may not seem substantial enough to encourage a company to be compliant with the GDPR, for a multibillion-dollar company this low percentage can add up to hundreds of millions of dollars for violations and noncompliance.[77] For example, on September 25, 2018, Facebook experienced a data breach incident which impacted 50 million accounts.[78] Although fewer than five million of the users affected were European citizens, the incident may still result in fines of up to $1.63 billion.[79]
On the other hand, the CCPA’s penalties for non-compliance seem to be harsher than the GDPR’s.[80] In certain cases involving unauthorized access to or theft of particular categories of personal information, as well as various cases involving other violations, the CCPA provides for civil damages, civil penalties, and injunctive or declaratory relief that a court may deem appropriate.[81]
Under the CCPA, each business has 30 days to cure violations and inform consumers that they have done so.[82] After these 30 days, if the business still doesn’t comply, it can receive a fine from $2,500 to $7,500.[83] The business may also need to pay $100 to $750 per consumer per incident after civil action.[84] Of the proceeds of any such lawsuits, 20% goes to a new “Consumer Privacy Fund,” which would fund further lawsuits against violators.[85] The remaining 80% goes to “the jurisdiction on whose behalf the action leading to the civil penalty was brought.”[86] These provisions overall are intended to deter unlawful conduct and compensate individuals whose statutory privacy rights have been violated.[87] To avoid these penalties, companies are required to overhaul their existing practices to achieve compliance.[88]
D. Privacy Rights
The GDPR and the CCPA increase the privacy rights and protections for EU citizens and California residents. Both laws have somewhat similar definitions of personal information, which could be considered broad.[89] The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’).”[90] Likewise, the CCPA defines personal information broadly to include any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[91]
i. Right to Notification
The GDPR and CCPA grant residents the right to receive notice of the data that is being collected and how it will be used, and restrict the ability of companies to use data in a way that has not been described in a prior notice.[92]
According to the GDPR, data controllers must provide detailed information about their personal data collection and data processing practices.[93] Among the key requirements, a data controller must inform the data subjects of the following: the purpose for processing their personal data, the legal basis for processing personal data, the categories of personal data that will be collected and processed, who the recipients of their personal data are, the contact details of those processing their data, whether the data will be transferred to a third country, the period for which the personal data will be stored, the existence of automated decision-making, and all of the data subjects’ rights defined by the GDPR.[94] If the business is not collecting the information directly from the resident, it must provide the notice within a reasonable period not to exceed one month, at the point of the first communication with the resident, or at the time of the first disclosure of the data to another party.[95] Additionally, the GDPR requires disclosure of any cross-border transfer of data as well as the contact details of data processors.[96]
In contrast, the CCPA requires businesses to inform consumers, at or before the point of collection of personal information, of the categories of personal information that will be collected and the purposes for which it will be used.[97] Businesses must provide additional notice before collecting additional information for a different purpose. Specific disclosures must be included in businesses’ privacy policies.[98] The CCPA notice requirements on personal information disclosed or sold to third parties cover only the 12 months preceding the request.[99]
Both laws generally require this notice to be provided at or before the time information is collected from the resident, but they differ in the specific information required and in the delivery methods.[100]
ii. Right to Opt-Out
The GDPR does not provide for a separate right to exclude businesses from selling personal data.[101] However, withdrawing consent for processing activities or objecting to processing for marketing purposes offers a comparable level of protection for data subjects.[102] The CCPA attempts to address the use of data outside the organization collecting that data and gives the consumer the right to refuse the monetization of their data even when no actual money is exchanged.[103] The GDPR grants the right to withdraw consent from processing activities as well as to object to processing for marketing purposes, including in cases where the data controller does not rely on consent.[104]
In contrast, under the CCPA, businesses must comply with consumers’ requests to stop selling (as defined under the CCPA as a “sale”) their personal information to third parties.[105] To facilitate the exercise of those consumer rights, businesses must, among other things, implement the organizational and technical requirements to be able to comply with such consumer requests, and include on their website a clear and conspicuous “Do Not Sell My Personal Information” link for consumers to exercise their rights.[106]
VII. Recommendations
Ultimately, conducting a comparative analysis of the two laws indicates that while they appear to be similar, there are significant differences between them, and the GDPR is generally stricter than the CCPA.[107] However, as the CCPA matures, we may begin to see amendments which mimic the GDPR. The upside, however, is that the CCPA is more stringent than most of the existing privacy laws in the U.S.[108] The differences in the two laws and their extraterritorial reach suggest that companies must closely evaluate their practices to determine whether they are in compliance.[109] Organizations should realize, however, that compliance with the GDPR does not equate to compliance with the CCPA.[110]
A. U.S. Requires an Omnibus Data Privacy Law
A growing number of foreign countries and some U.S. states have articulated distinct visions for how to address privacy concerns, leading to a nationally and globally fragmented regulatory landscape. Such fragmentation disincentivizes innovation by increasing regulatory costs for compliance and product development.[111] Consistent data privacy laws between the U.S. and the EU would result in virtually complete harmonization in transatlantic privacy law.
Generally, countries will move to comply with the strictest privacy standard in order to obtain equal bargaining power and reduce their own costs of compliance.[112] Therefore, the U.S. should strongly consider developing a policy that articulates a renewed vision, one that reduces fragmentation nationally and increases harmonization globally.[113]
B. Towards a Globalized Privacy Protection
Given the recent technological advances that have changed how information is both created and used, there is certainly a case to be made for examining whether there are smarter ways to protect privacy in this technical age. It is hard to argue against seeking an approach that produces desirable privacy outcomes in a way that maximizes benefit while minimizing costs and that promotes regulatory harmony.
Data privacy and the international flow of personal information are an important global, social and economic issue, and differences in transatlantic data privacy laws threaten this data trade.[114] According to one estimate, the EU-U.S. economic relationship involves $260 billion in annual digital services trade.[115] Cross-border information flows represent the fastest growing component of trade in both the EU and the U.S. As one technology reporter noted, “international data transfers are the lifeblood of the digital economy.”[116]
Although sometimes presented as separate rights in legal systems, the right to data protection is an essential component of the right to privacy.[117] Consequently, where data protection cannot be guaranteed, respect for privacy cannot be ensured either. Developing a compatible international framework to protect personal information that enables responsible data sharing and cross-border data transfers would be beneficial to all parties. Without a globalized standard, the fragmentation of the Internet would worsen due to multiple cyberspace “checkpoints,” ultimately reducing overall data transfer efficacy. Such fragmentation naturally disincentivizes innovation by increasing the regulatory costs for products that require scale.
VIII. Conclusion
When working on a globalized cross-border transfer regime, developed countries should strongly consider the costs and impacts on developing countries’ economies. Seemingly the most important factor would be the costs associated with adopting the regulations under the new globalized data transfer regime, as similar issues are being seen with the GDPR. Developing countries will also lack the resources, both financial and technical, to implement and enforce the new law. When a developing country lacks resources such as clean water, education and health services, investments in data privacy training are not a top priority. However, it is significant to note the spectrum of developing economies and their range of abilities to have a technically educated workforce.
The use of the Internet leaves individuals susceptible to various invasions of privacy. Across the globe, governments have begun to realize that data protection is of vital importance as the internet grows. Different regions have attempted to regulate the behavior of data processors in different ways. Both the GDPR and CCPA are complex laws that will significantly change the data privacy landscape both internal and external to the borders of their respective jurisdictions. While their expansive scope and areas of overlap invite comparisons, they in fact differ in significant ways that will require businesses to carefully design their data privacy compliance programs to account for the unique requirements of the data privacy laws.
[1] Keith Johnson, What is Consumer Data Privacy, and Where is it Headed?, Forbes (July 9, 2018) https://www.forbes.com/sites/forbestechcouncil/2018/07/09/what-is-consumer-data-privacy-and-where-is-it-headed/#5cc4ab811bc1
[2] Senate Judiciary Committee Report, supra note 3, at 1.
[3] See, e.g., Kurt Wagner, 8 Ways Facebook Changed the World, MASHABLE (Feb. 4, 2014), https://mashable.com/2014/02/04/facebook-changed-the-world/#ziCS5YCLTaqV; Jessica Elgot, From Relationships to Revolutions: Seven Ways Facebook Has Changed the World, GUARDIAN (Aug. 28, 2015), https://www.theguardian.com/technology/2015/aug/28/from-relationships-to-revolutions-seven-ways-facebook-has-changed-the-world.
[4] S. Judiciary Comm., 2017-2018 Reg. Sess., Rep. On Internet Service Providers: Customer Privacy 1-2 (June 25, 2018), available at https://digitalcommons.law.scu.edu/historical/1748.
[5] Debra J. Farber, Foresight Is 20/20: How to Prepare for the California Consumer Privacy Act Now, CMSWiRE (Oct. 18, 2018), https://www.cmswire.com/information-management/foresight-is-2020-how-to-prepare-for-the-california-consumer-privacy-act-now [https://perma.cc/TU3A-JA54].
[6] Id.
[7] Matthew Humerick, The Tortoise and The Hare of International Data Privacy Law: Can the United States Catch Up to Rising Global Standards, 27 Cath. U. J. L. & Tech. 77.
[8] See Regulations, Directives, and Other Acts, Eur. Union, https://europa.eu/european-union/eu-law/legal-acts_en [https://perma.cc/T2AZ-AEU3].
[9] Directive 95/46/EC, of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31.
[10] Directive 2002/58/EC, of the European Parliament and of the Council of 19 July 2002 on the Processing of Personal Data and on the Free Movement of Such Data, 2002 O.J. (L 281) 31. https://eur-lex.europa.eu/eli/dir/2002/58/oj32002L0058 (last updated Dec. 2019).
[11] Id.
[12] Id.
[13] Article 4 of the GDPR states:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
GDPR, supra note 1, art. 4.
[14] GDPR, supra note 95, at 33. GDPR defines a data "controller" as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law."
[15] Article 32 of the GDPR states:
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
GDPR, supra note 1-4, art. 32.
[16] Article 14 of the GDPR states:
1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
GDPR, supra note 1, art. 14.
[17] Article 24 of the GDPR states:
‘1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.’
GDPR, supra note 4, art. 24, at 47.
[18] Id.
[19] The United Kingdom (UK) will still be bound by these rules until the end of the Brexit transition period, currently set for December 31, 2020, in which it will still face the same obligations and challenges as the US in terms of processing EU citizens’ personal data.
[20] Roslyn Layton & Silvia Elaluf-Calderwood, A Social Economic Analysis of the Impact of GDPR on Security and Privacy Practices 1-6 (2019), https://doi.org/10.1109/CMI48017.2019.8962288.
[21] Id.
[22] Mark A. Rothstein & Stacey A. Tovino, California Takes the Lead on Data Privacy Law (2019), https://onlinelibrary.wiley.com/doi/abs/10.1002/hast.1042.
[23] Id.
[24] California Consumer Privacy Act of 2018, CAL. CIV. CODE § 1798.100 (2018) (effective Jan. 1, 2020).
[25] California Amends Online Privacy Policy Law to Require Tracking Disclosures, HUNTON ANDREWS KURTH PRIVACY & INFO. SECURITY LAW BLOG (Sept. 30, 2017), https://www.huntonprivacyblog.com/2013/09/30/california-amends-online-privacy-policy-law-to-require-tracking-disclosures/.
[26] Id.
[27] A detailed comparison of personal scope and personal data (personal information) will be discussed in Part IV.
[28] Cal. Civ. Code § 1798.140(o) states:
“Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.
§ 1798.140(o)(1) (effective Jan. 1, 2020).
[29] Id. § 1798.100.
[30] Id. § 1798.105(a).
[31] Id. § 1798.120(b).
[32] Id. § 1798.120(a); id. § 1798.120(c).
[33] Kristen J. Mathews & Courtney M. Bowman, The California Consumer Privacy Act of 2018, PROSKAUER ROSE LLP: PRIVACY L. BLOG (July 13, 2018), https://privacylaw.proskauer.com/2018/07/articles/data-privacy-laws/the-california-consumer-privacy-act-of-2018.
[34] Id.
[35] See Charter of Fundamental Rights of the European Union, arts. 7, 8, 2010 O.J. (C 83) 389, 393.
[36] Article 8 provides that "[e]veryone has the right to respect for his private and family life, his home and his correspondence." Convention for the Protection of Human Rights and Fundamental Freedoms, Apr. 11, 1950, E.T.S. No. 005, https://www.echr.coe.int/Documents/Convention_ENG.pdf [hereinafter ECPHR].
[37] See Aisha Gani, What Is the European Convention on Human Rights?, GUARDIAN (Oct. 3, 2014), https://www.theguardian.com/law/2014/oct/03/what-is-european-convention-on-human-rights-echr.
[38] There are various potential Constitutional sources for privacy, such as the First and Fourth Amendments. However, together they are not considered the type of overarching protection that would establish a fundamental right to privacy in any broad meaning of the term. The right to be left alone includes not merely the right of privacy recognized by the US Supreme Court in Griswold v. Connecticut, 318 U.S. 479, 483 (1965), but also the right of associational privacy, see, e.g., NAACP v. Ala., 357 U.S. 449, 462 (1958), as well as the right to be left alone within those physical spaces over which one has the right to control physical intrusions, such as one’s home, see, e.g., Kyllo v. United States, 533 U.S. 27, 31-33 (2001).
[39] Domingo R. Tan, Comment, Personal Privacy in the Information Age: Comparison of Internet Data Protection Regulations in the U.S. and the European Union, 21 Loy. L.A. Int'l & Comp. L.J. 661 (Aug. 1999).
[40] Privacy Protections in State Constitutions, NAT'L CONFERENCE OF STATE LEGISLATURES (Nov. 7, 2018), http://www.ncsl.org/research/telecommunications-and-information-technology/privacy-protections-in-state-constitutions.aspx.
[41] Hudson, Nevada's Online Privacy Law Takes Effect, Offers More Control of Info, L.V. Rev.-J. (Sept. 30, 2019, 7:49 PM), https://www.reviewjournal.com/business/nevadas-online-privacy-law-takes-effect-offers-more-control-of-info-1860566 [https://perma.cc/JE6K-QLNQ].
[42] Privacy Protections in State Constitutions, NAT'L CONFERENCE OF STATE LEGISLATURES (Nov. 7, 2018), http://www.ncsl.org/research/telecommunications-and-information-technology/privacy-protections-in-state-constitutions.aspx.
[43] See 27 Cath. U. J. L. & Tech. 77.
[44] Paul M. Schwartz, The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures, 126 HARV. L. REV. 1966, 1989 (2013) ("U.S. information privacy regulation was based on liberal norms and market forces, while the EU's information privacy regulations were based on 'social-protection norms' according to which 'data privacy is a political imperative anchored in fundamental human rights protection.'") (quoting Joel R. Reidenberg, Resolving Conflicting International Data Privacy Rules in Cyberspace, 52 STAN. L. REV. 1315, 1347 (2000)).
[45] Griffin Drake, Note, Navigating the Atlantic: Understanding EU Data Privacy Compliance Amidst a Sea of Uncertainty, 91 S. Cal. L. Rev. 163, 178-179.
[46] What Is Individually Identifiable Health Information?, HIPAA JOURNAL (Jan. 11, 2018), https://www.hipaajournal.com/individually-identifiable-health-information/.
[47] Gramm-Leach-Bliley Act, FED. TRADE COMM'N, https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act (last visited Feb. 17, 2019).
[48] Michael L. Rustad & Thomas H. Koenig, Towards a Global Data Privacy Standard, 71 Fla. L. Rev. 365, 435.
[49] Jennifer McIntosh, Privacy Basics a Colorado Lawyer Should Know: The California Consumer Privacy Act and the Colorado Consumer Data Privacy Act, 97 Denv. L. Rev. Online 54, 57-58.
[50] Griffin Drake, Note, Navigating the Atlantic: Understanding EU Data Privacy Compliance Amidst a Sea of Uncertainty, 91 S. Cal. L. Rev. 163, 178-179.
[51] In 2018, Brazil’s President signed the country’s comprehensive data protection regulation into law, which closely mimics the GDPR and went into effect this past February 2020.
[52] Japan’s new data protection statute went into effect on May 30, 2017, making Japan the first country to be recognized as an EU “white listed” jurisdiction. Japan and the European Union have recently announced a GDPR safe harbor agreement, which is an EU approval of Japan’s data protection regime.
[53] See 71 Fla. L. Rev. 365, 435.
[54] See, e.g., Mike Khoury, California's Mini-GDPR? The Newly-Enacted California Consumer Privacy Act of 2018, LEXOLOGY (July 10, 2018), https://www.lexology.com/library/detail.aspx?g=60487525-76ea-44e3-97a8-3b9b02987c2e/; Allison Grande, Calif. Privacy Law to Spark GDPR-Like Compliance Efforts, LAW360 (July 3, 2018, 10:13 PM), https://www.law360.com/articles/1059877/calif-privacy-law-to-spark-gdpr-like-compliance-efforts.
[55] Id.
[56] See Allison Grande, Calif. Enacts Internet Privacy Law, Erasing Ballot Effort, Law360 (June 28, 2018, 11:01 PM), https://www.law360.com/articles/1058573/calif-enacts-internet-privacy-law-erasing-ballot-effort [https://perma.cc/WSZ3-WB5G].
[57] Cal. Civ. Code § 1798.140(o)(1) (2019).
[58] Joanna Kessler, Note, Data Protection in the Wake of the GDPR: California's Solution for Protecting “The World's Most Valuable Resource”, 93 S. Cal. L. Rev. 99, 112.
[59] See 71 Fla. L. Rev. 365, 435.
[60] Cal. Civ. Code § 1798.140(c) states:
‘(c) “Business” means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
(2) Any entity that controls or is controlled by a business as defined in paragraph (1) and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, service mark, or trademark.’
Cal. Civ. Code § 1798.140(c)(1)-(2).
[61] Id. § 1798.140.
[62] Id. § 1798.140(g).
[63] See 93 S. Cal. L. Rev. 99, 112.
[64] Id.
[65] Id. at 113.
[66] Cal. Civ. Code § 1798.155 (2019).
[67] Id.
[68] Id.
[69] Note, Comparative Analysis of the EU's GDPR and Brazil's LGPD: Enforcement Challenges with the LGPD, 44 Brooklyn J. Int'l L. 859, 885-888.
[70] Id. at 886.
[71] Id. at 887.
[72] Id. at 885-888.
[73] Cal. Civ. Code § 1798.185(a)(4)(C)(5) (2019) (effective Jan. 1, 2020).
[74] Cal. Civ. Code § 1798.185(a) (2019) (effective Jan. 1, 2020).
[75] See 93 S. Cal. L. Rev. 99, 112.
[76] See 44 Brooklyn J. Int'l L. 859, 885-888.
[77] The Tortoise and the Hare of International Data Privacy Law: Can the United States Catch Up to Rising Global Standards?, 27 Cath. U. J. L. & Tech. 77, 108.
[78] Id. at 109.
[79] Andrew Rossow, The Birth of GDPR: What Is It and What You Need to Know, FORBES (May 25, 2018), https://www.forbes.com/sites/andrewrossow/2018/05/25/the-birth-of-gdpr-what-is-it-and-what-you-need-to-know/#47aabd8f55e5.
[80] See 93 S. Cal. L. Rev. 99, 112.
[81] See Natasha Lomas, Europe's Top Court Takes a Broad View of Privacy Responsibilities Around Platforms, TECHCRUNCH (June 5, 2018), https://techcrunch.com/2018/06/05/europes-top-court-takes-a-broad-view-on-privacy-responsibilities-around-platforms/ [https://perma.cc/56XR-AMPV].
[82] Cal. Civ. Code § 1798.155(b)(1).
[83] Id. § 1798.155(b).
[84] Cal. Civ. Code § 1798.150(a)(1)(A).
[85] Oliver Smith, The GDPR Racket: Who’s Making Money From This $9bn Business Shakedown, FORBES (May 2, 2018, 2:30 AM), https://www.forbes.com/sites/oliversmith/2018/05/02/the-gdpr-racket-whos-making-money-from-this-9bn-business-shakedown/#3b0ff15234a2 [https://perma.cc/VV2H-Q7MW].
[86] Id.
[87] See GDPR Compliance Top Data Protection Priority for 92% of US Organizations in 2017, According to PwC Survey, PWC (Jan. 23, 2017) [hereinafter GDPR Compliance Top Priority], https://www.pwc.com/us/en/press-releases/2017/pwc-gdpr-compliance-press-release.html [https://perma.cc/X2E6-MUEX].
[88] See 93 S. Cal. L. Rev. 99, 112.
[89] Id.
[90] GDPR, supra, art. 4.
[91] Cal. Civ. Code §1798. (o) (effective Jan. 1, 2020)
[92] Marc Rotenberg & David Jacobs, Updating the Law of Information Privacy: The New Framework of the European Union, 36 HARV. J.L. & PUB. POL'Y 605, 617 (2013).
[93] Id.
[94] Id.
[95] Id.
[96] Id.
[97] Cal. Civ. Code § 1798.150(b)(2).
[98] Cal. Civ. Code § 1798.150(b)(3).
[99] See 71 Fla. L. Rev. 365, 453.
[100] Carol, In the Middle: Creating a Middle Road Between U.S. and EU Data Protection Policies, 32 J. Nat'l Ass'n L. Jud. 810, 811.
[101] Nicholas F., III, Data Protection in an Increasingly Globalized World, 94 Ind. L.J. 297, 327-329.
[102] Leonid Bershidsky, Opinion, Europe's Privacy Rules Are Having Unintended Consequences, BLOOMBERG OPINION (Nov. 14, 2018, 1:00 AM), https://www.bloomberg.com/opinion/articles/2018-11-14/facebook-and-google-aren-t-hurt-by-gdpr-but-smaller-firms-are.
[103] Amanda Border, Note, Untangling the Web: An Argument for Comprehensive Data Privacy Legislation in the United States, 35 Suffolk Transnat’l L. Rev. 363, 373.
[104] Gilbert, European Data Protection 2.0: New Compliance Requirements in Sight--What the Proposed EU Data Protection Regulation Means for U.S. Companies, 28 SANTA CLARA COMPUTER & HIGH TECH. L.J. 815, 843-45 (2012).
[105] Id.
[106] See 91 S. Cal. L. Rev. 163, 178-179.
[107] See 93 S. Cal. L. Rev. 99, 112.
[108] Id.
[109] Id.
[110] Id. at 111.
[111] Id.
[112] See 32 J. Nat'l Ass'n L. Jud. 810.
[113] Luis Alberto Montezuma, The Case for a Hybrid Model on Data Protection/Privacy, IAPP (Feb. 27, 2018), https://iapp.org/news/a/the-case-for-a-hybrid-model-on-data-protectionprivacy/ (describing the U.S. privacy regime as a "sectoral model" and the European approach as a "comprehensive model").
[114] Transatlantic Data Privacy Law, 106 Geo. L.J. 115, 117.
[115] Id. at 117.
[116] Id.
[117] See DANIEL J. SOLOVE, UNDERSTANDING PRIVACY 10-11 (2008) (creating sixteen categories of processing activities that can result in harm to individuals).