Last month, the Pepperdine Law Review cohosted a symposium with the Regulatory Transparency Project on "Regulating Tech: Present Challenges and Possible Solutions". The first panel dove straight into the topic, focusing on the EU General Data Protection Regulation and the California Consumer Privacy Act. The moderator, Anna Hsia, began with an overview of the statutes before inviting the panelists to offer high-level remarks from their areas of expertise. Below is a transcription of her overview, and we encourage you to listen to the full podcast:

I'm sure all of you have some sense as to what the GDPR (General Data Protection Regulation) is, because I'm sure last year you were bombarded with inbox messages about “how we've updated our privacy policy”. The GDPR became effective last May, and it's a pretty landmark piece of legislation that effectively applies to all personal data of EU residents, and personal data is defined very broadly in the EU to be anything that relates to an identified or an identifiable individual. So typically in the U.S. when we think of personal data we think of a name, something specific to your address, your email address, but the EU takes a much broader view, so an IP address, for example, would be considered personal data because it's identifiable to someone. Your device identifier on your phone would be similar. One key difference between how your PNC personal data versus the U.S. is that in the U.S. you can typically do whatever you want with personal data as long as there's not a law that says you can't do it or there's a law that says this is how you have to do it, and in the EU you can't collect that, store it, or process it in any way unless you have a legal basis to do so. That's a huge difference between the U.S. and the EU.

So the CCPA (California Consumer Privacy Act), which is a California law going into effect in 2020, is similar to the GDPR but is different in a number of material respects. The CCPA's focus is not so much on “you have to have a legal basis”, again because in the U.S. you don't need to add that. It's more on giving consumers notice as to what you're collecting and control over what you collect about them. So, one of the main things about the CCPA is that it requires companies that sell personal data (again, no one really knows what sell means) of California consumers to have to, for example, include a conspicuous opt-out link and basically allow consumers to opt out of that sale. Both the GDPR and CCPA also afford individuals with these individual rights to be able to access their data and in some instances delete data that companies have about them, and both statutes carry some type of private right of action and they have fines for violation.