Last month, the Pepperdine Law Review cohosted a symposium with the Regulatory Transparency Project on "Regulating Tech: Present Challenges and Possible Solutions". The first panel dove straight into the topic, focusing on the EU General Data Protection Regulation and the California Consumer Privacy Act. The moderator, Anna Hsia, began with an overview of the statutes before inviting the panelists to engage with high-level remarks from their expertise. Below is her transcription, and we encourage you to listen to the full podcast below:
So the CCPA (California Consumer Privacy Act), which is California law is going into effect in 2020, is similar to the GDPR but is different in a number of material respects. CCPAs focus is not so much on “you have to have a legal basis” again because in the U.S. you don't need to add that. It's more on giving consumers notice as to what you're collecting and control over what you collect about them. So, one of the main things about the CCPA is that it requires companies that sell personal data (again, no one really knows what sell means) of California consumers to have to, for example, include a conspicuous opt-out link and basically allow consumers to opt out of that sale. Both the GDPR and CCPA also afford individuals with these individual rights to be able to access their data and in some instances delete data that companies have about them, and both statues carry some type of private right of action and they have fines for violation.