13 October 2021

GDPR and CCPA

'Catalyzing Privacy Law' by Anupam Chander, Margot E. Kaminski and William McGeveran in (2021) Minnesota Law Review comments 

When the General Data Protection Regulation (GDPR) took effect in May 2018, it positioned the European Union as the world’s privacy champion. A flurry of emails updating privacy policies landed in in-boxes across the globe, attesting to the international reach of the European rule.  A month later, California enacted the California Consumer Privacy Act (CCPA), establishing the nation’s most stringent omnibus privacy protections, effective as of January 1, 2020. California, the home of many of the world’s largest data-based enterprises, emerged as a dark horse contender in the privacy regulator race. In the past year, state after state considered broad data privacy legislation, and eleven comprehensive federal privacy bills were introduced in Congress. 

What is catalyzing U.S. privacy law? The conventional wisdom holds that Europe is setting the global standard for information privacy. There is much truth to this—some 142 countries and counting now have a broad data privacy law, typically modeled on the GDPR. Scholars writing insightfully about the global race to information privacy have tracked the spread of data privacy laws across the world, noting Europe’s influence on these developments.  In a recent article, Paul Schwartz observes that the European Union pioneered international privacy law to enable commerce among nations within the bloc itself. He argues that other countries largely adopted the European Union’s data privacy model, reflecting its “success in the marketplace of ideas.” 

Schwartz cites the CCPA as an example of Europe’s success in spurring other jurisdictions to enact similar laws. Journalists reporting on the CCPA’s enactment, too, have frequently referred to it as “GDPR lite” and “California’s version of GDPR.” And as the push for federal legislation intensifies, many characterize it as a national response to the GDPR. 

This Article challenges this emerging consensus. Despite decades of European privacy law, the United States showed little appetite until now for broad privacy legislation.  Instead, norm entrepreneurs in California helped establish a new privacy framework that, as we show, differs significantly—and consciously—from the European model. Our close comparison of the new California and European laws reveals that the CCPA is not simply GDPR-lite: it is both more and less demanding on various points. It offers a fundamentally different regime for data privacy. And the numerous legislative proposals in state houses show greater fealty to California’s model than to the European antecedent.  Bills pending before Congress reflect pressure not from Brussels, but from Sacramento. 

Thus, California has emerged as a kind of privacy superregulator, catalyzing privacy law in the United States. Rather than the supranational EU, the subnational state of California — and, more specifically, a small network of determined individuals within that state — is now driving privacy in a significant part of the world. The emergence of the CCPA demonstrates the central role of local networks and norm entrepreneurship, contesting on the ground of what we call “data globalization.”  

We are thus witnessing a paradigm shift in the policy conversation around data privacy law. Until now, the rules of transatlantic privacy rested on awkward negotiated mechanisms to transfer data between two seemingly irreconcilable regimes. Now we are witnessing what might be characterized as a regulatory race on both sides of the ocean. 

This Article is the first to critically evaluate the relationship between California’s privacy law, Europe’s data protection regulation, and possible future state and federal privacy law.  This study is also of practical interest, answering questions for individuals and businesses alike: For businesses, whose laws should I follow? For individuals, who will protect my privacy? Studying these questions leads, in turn, to another set of inquiries about the ways in which catalysis from the GDPR and CCPA govern privacy outside either Europe or California. When Europe’s laws meet California’s, who wins? If indeed European or Californian regulation will be applied globally de facto, why then should anyone else legislate? 

The answers to all of these questions have implications not only for the shape of information privacy law but for understanding inter-jurisdictional regulatory dynamics in the digital economy. While data shares some characteristics with cars, pollution, and corporate charters—all the subject of prior globalizations of legal compliance and legal rules — it also differs because of its simultaneous and instantaneous global effects. Data disobeys borders and operates at Internet speed. Equally important, the answers to these questions shed light on the prospects of countries across the world as they vie for advantage in the information age. Ultimately, our account of privacy catalysis tests the operation of both federalism and international regulatory competition in the twenty-first century.

Our analysis proceeds as follows. Part I situates our discussion of regulatory catalysis in data privacy within the broader frame of the theory of regulatory competition, borrowing lessons from areas such as corporate and environmental law. Part II compares the substance of the GDPR and the CCPA and the ways in which their structures promote catalysis in other jurisdictions. Part III turns to the race for data privacy law. We are the first to disentangle the catalytic effects on U.S. federal and state laws coming from both Brussels and Sacramento and to show that the resulting proposals are distinctly American and owe a greater debt to the CCPA than to the GDPR. As it once did with pioneering environmental regulation, California has emerged as a super-regulator again, this time with respect to data in the information age.