Following our recent Privacy webinar, we held a Q&A with expert D. Reed Freeman, Jr.—a lawyer and co-chair of the Cybersecurity and Privacy Practice at WilmerHale in Washington, DC.
We asked him a few questions about the impact of the General Data Protection Regulation (GDPR) and how the California Consumer Protection Act (CCPA) might affect the future of state-led privacy initiatives.
1. Looking back, do you think GDPR lived up to the hype? Has it had the impact that it was projected to have?
Freeman: I think it’s too early to tell. At least from my experience, most US companies that are subject to it, and especially those that are mid-to-large-cap companies, have expended significant resources to develop compliant programs, and succeeded, thereby demonstrating that they take the regulation very seriously.
So from a business perspective, I do think it has had a very significant impact, as intended. But from a regulatory viewpoint, I think it is too early to judge its impact. I think it will be several years; and the number, types, and outcomes to determine that.
2. Can you touch on the common comparison floating around that the CCPA is the US version of the GDPR?
Freeman: CCPA and GDPR aren’t as similar as the headlines would suggest. From the outset, there’s a fundamental technical difference. GDPR is, fundamentally, an opt-in regime, meaning in most cases that processing can be performed only on the basis of express consent. There are other options available for legitimate processing, including in connection with performing a contract and a balancing test of the organization’s legitimate interests in processing against EU residents’ privacy rights, and we’ll have to wait and see how regulators enforce on those and how courts decide those cases. The CCPA, on the other hand, is fundamentally a transparency and opt-out regime enabling California consumers access to their personal information (a very broadly defined term), deletion of their personal information, and do-not-sell rights, where, again, the term sell is very broadly defined.
Beyond that, there’s the difference in reach. Given its territorial scope in Article 3, the GDPR has fundamentally changed the way global businesses handle and process personal data, whether they operate in Europe or not. CCPA has a fairly limited remit of who is protected under the act (California natural residents, with limited exceptions, for one year, for employees and information gained solely in a B2B context) and what types of companies are subject to the Act (see Section 1798.140 of the law here).
There are other differences, of course—including in the definitions; the requirement for DPOs and DPIAs, which do not appear in the CCPA; and the data subject rights to not line up cleanly between the two laws, to name a few, but in the end both are trying to put control over consumers’ personal data back in the hands of consumers.
3. Is CCPA the beginning of more state-led regulations, or do you think we’re moving toward one federal regulation?
Freeman: It may very well be that the CCPA is just the beginning of a flurry of comprehensive state privacy laws. Numerous bills similar to the CCPA were introduced this year; and Nevada’s law, although narrower than the CCPA, passed and took effect on October 1. Next year we will see activity in a number of states; and new laws may well pass in Washington, Illinois, New Jersey, Rhode Island, and elsewhere.
We may very well be moving toward a comprehensive federal law, and the chances of that, whenever it happens, if it does, will be increased to the extent that several states ultimately pass comprehensive privacy laws that are conflicting or similar but different enough to create significant compliance challenges for companies that operate nationally.
4. What else are you keeping an eye on around the globe (regs such as ePrivacy, Brazil, China)?
Freeman: New laws across Asia and Latin America have not received the attention that GDPR or the CCPA received. Some of these are modeled closely on the GDPR; and some, like the laws of South Korea and China, are very different. These regions are just a few years behind Europe, are ramping up their regulatory arms, and enforcement is not a question of if, but rather, when.
Want to understand more about the privacy regulations facing the digital advertising industry? Watch our recent CCPA webinar: