Highlights: The GDPR and CCPA as benchmarks for federal privacy legislation

In the United States, many businesses find themselves in an unusual stage of privacy regulatory compliance: implementing the European Union’s General Data Protection Regulation (GDPR) while preparing for enforcement of the California Consumer Privacy Act (CCPA). On Dec. 13, Brookings scholars Cameron Kerry and Nicol Turner-Lee joined Jeff Brueggeman of AT&T, Roslyn Layton of the American Enterprise Institute, and Joseph Wender of Senator Ed Markey’s (D-MA) office to discuss the potential effects of the GDPR and CCPA on U.S. businesses and consumers—and how both laws drive the privacy conversation on Capitol Hill.

The General Data Protection Regulation

When the GDPR came into effect on May 25, 2018, it changed the privacy dialogue for businesses and governments around the world. In addition to imposing new limitations and accountability measures on businesses, the law creates privacy rights for EU residents to access, correct, delete, and export personal information. These provisions apply to almost all organizations that collect data from EU individuals—including small businesses, non-profits, non-technology companies, and organizations operating outside of Europe—and imposes monetary penalties of up to 20 million euros or four percent of an organization’s worldwide annual revenue.

To comply with the GDPR, many companies adopted separate privacy policies in Europe and the rest of the world. A few companies, such as Microsoft, chose to offer GDPR protections worldwide. Others, including the Chicago Tribune and LA Times, kept their existing privacy policies but temporarily or permanently stopped offering services in Europe.

By heightening regulatory standards for a significant number of organizations, the GDPR has introduced some concerns that added compliance costs could disproportionately affect small and medium-sized businesses. For example, preliminary research from groups such as IAB Europe suggests that Google and Facebook—two of the world’s largest digital advertising companies—have increased their EU digital advertising market share since May 2018. While antitrust is an issue that likely falls outside the scope of most privacy laws, the interplay of big data and competition, as well as any secondary effects for organizations and individuals, is a relevant consideration for any privacy regulation.

The California Consumer Privacy Act

The CCPA, which will become effective on January 1, 2020, creates rights for California residents to access, correct, delete, and opt out of the sale of personal information. It applies to all businesses that operate in California but exempts those that do not meet minimum revenue or size requirements.

California has the fifth largest economy in the world by GDP, and for many U.S. businesses, the costs of CCPA compliance could exceed that of the GDPR. In August, the California government released a third-party report which estimated that companies could collectively spend up to $55 billion on initial CCPA compliance, including legal, technical, and operational costs.

However, the CCPA has another and potentially more complicated effect—not only does it induce compliance costs in California, but it increases the possibility that other states may consider similar or competing privacy legislation. For example, Washington introduced a comprehensive privacy bill earlier this year, and other states may consider additional legislation in 2020. Should state laws differ, companies that operate in multiple states might encounter conflicting regulatory standards. In this case, the proposed Washington Privacy Act includes provisions on facial recognition and data-based decision-making that the CCPA currently lacks.

Impact on U.S. federal privacy legislation

Over the past eighteen months, the GDPR and CCPA have helped shape both the interest and scope of privacy legislation on Capitol Hill. Some of these reasons are legal or practical: a federal privacy law could help the United States meet GDPR adequacy requirements for international data transfers, and either supplement or preempt state privacy laws such as the CCPA. Other reasons are moral- or principle-based: the GDPR and CCPA have both helped heighten public awareness of online data collection and processing, and federal privacy legislation could help establish U.S. leadership on privacy.

In addition, the GDPR and CCPA each set benchmarks against which Congress can compare and consider privacy provisions. For example, many federal bills echo the GDPR and CCPA by including rights for individuals to access, modify, delete, and export data. Some also go above these requirements; Senate Commerce Chairman Roger Wicker (R-MS) and Ranking Member Maria Cantwell (D-WA) recently released bill proposals that place stricter limitations on algorithmic decision-making, biometric data, and data minimization, beyond what the CCPA currently provides.

How Europe and California regulate data privacy has enormous implications for the United States; it is no small matter that EU countries are collectively the largest U.S. trading partner and that California makes up approximately 14 percent of U.S. GDP. Accordingly, both the GDPR and CCPA offer guidelines and lessons as Congress considers how to promote the consumer benefits of data use (e.g., low-costs, convenience, innovation, and customization) while also create parameters for businesses to minimize privacy risks.