'Catalyzing Privacy Law' by Anupam Chander, Margot E. Kaminski and William McGeveran
comments
The United States famously lacks a comprehensive federal data privacy law. In the past year, however, nearly half of state legislatures have proposed or enacted broad privacy bills or have established privacy legislation task forces, while Congress has scrambled to hold hearings on multiple such proposals. What is catalyzing this legislative momentum? Some believe that Europe’s General Data Protection Regulation (GDPR), which came into force in 2018, is the driving factor. But with the California Consumer Privacy Act (CCPA) scheduled to take effect in January 2020, California has emerged as an alternate contender in the race to set the new standard for privacy.
Our close comparison of the GDPR and California’s privacy law reveals that the California law is not GDPR-lite: it retains a fundamentally American approach to information privacy. Reviewing the literature on regulatory competition, we argue that California, not Brussels, is catalyzing privacy law across the United States. And what is happening is not a simple story of powerful state actors. It is more accurately characterized as the result of individual networked norm entrepreneurs, influenced and even empowered by data globalization. Our account has implications not just for companies that must comply with both laws, but for policymakers and citizens at both state and federal levels.