Both the CPRA and the CDPA come into effect from 1 January 2023. The two US laws are not comprehensive, but focus on protecting personal information not covered by existing sectoral laws. Although the US laws state or imply some privacy principles, the more focused approach makes them feel more pragmatic than the GDPR.

One strength of the GDPR is the fact that it is the law in one of the largest economies in the world. The US economy is large enough, and its influence is strong enough, to establish an approach to privacy that can compete with the GDPR. Although there is no US privacy law at the federal level, the CPRA and the CDPA may provide an early look at this developing US consensus on privacy.

What is personal information?

Let's start at the beginning. The core definition of personal information is very similar across all three regimes.

The CDPA and the CPRA exempt from their rules personal information covered by existing sectoral laws including, for example:

• health information protected under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') and related laws;
• banking and financial information covered by the Gramm-Leach-Bliley Act of 1999 ('GLBA'); and
• credit information regulated under the federal Fair Credit Reporting Act of 1970.

As it is a comprehensive law, the GDPR does not make these exceptions.

At this point, one of the major differences between the US laws and the GDPR arises. The US laws exclude not only publicly-available information but also information about people in an employment or commercial (B2B) context. These three categories of information are at the heart of many complaints about the GDPR, and the application of GDPR-principles led to arguably unreasonable outcomes in some cases, prompting questions such as:

• Why do I need to have consent or a 'legitimate interest' to collect publicly-available data?
• Why is it a problem for my employees to have work clothes with a name tag on the front? Is there really a difference if the tag says 'Smith,' 'J. Smith,' or 'James Smith?'
• Why can't I keep the work email addresses and work phone numbers of contacts at key vendors or customers, without writing a formal memo to justify it?
• Do I really need to collect consent from a person my employee lists as an emergency contact?

These requirements did not make sense to many people in the US (and in Europe), so the US laws specifically excluded them.

What is 'sensitive' or 'special category' personal information?

All three laws use the concept that some private information is more private than others. This 'sensitive' or 'special category' personal information is defined similarly in the laws, but the CDPA rules regarding the collection and processing of the information are more similar to the GDPR than to the CPRA.

The rules regarding processing of 'special category' data under the GDPR are very strict. In most cases, processing is prohibited unless the data subject provides explicit consent. The CDPA takes the same 'opt-in' approach, requiring covered entities to 'not process sensitive data concerning a consumer without obtaining the consumer's consent.' The CPRA uses an 'opt-out' approach, although it goes to great lengths to ensure the 'opt-out' process is readily available and easy to use for the data subject.

It is also interesting that, under the CPRA, 'sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer … shall be treated as personal information,' rather than sensitive information. An example of this is a photograph of a person, which could reveal race, ethnicity, or religious beliefs even if that were not the purpose for taking the photograph. The CDPA gets to a similar result by declaring that 'biometric data' does not include physical or digital photographs, video or audio recordings, or data generated from such images and recordings.

What entities are required to follow these rules?

The CDPA and the CPRA are much more focused than the GDPR when it comes to the entities covered by the law. The US laws try to avoid burdening small businesses with privacy requirements, while recognising that some small businesses may process a lot of personal information. The US laws also exclude government entities and non-profits, either explicitly or implicitly. As a principles-driven, comprehensive law, the GDPR is not flexible enough to make these exceptions.

Who enforces the rules?

Each of the laws identifies one or more regulators that will provide enforcement.

The regulators may issue warnings or orders to cease violations, may require violators to suspend certain operations entirely, and may levy fines or penalties, as noted below:

One difference that could become quite important over time is the manner in which the regulators are funded. Under the GDPR, EU countries fund their own DPAs. The DPAs cannot generate additional funding through fines. This is not the case under the US laws. In addition to state funding, the CDPA and the CPRA each establish a process through which funds raised through fines may be appropriated by the relevant regulator. Some EU DPAs are finding it difficult to handle the volume and complexity of the cases they face, given their budgetary constraints. It will be interesting to see if the US approach is more successful in this regard.

Data subject rights

The rights of data subjects are very similar across the three laws. All three require notices to be provided to the consumers or data subjects, as well as the following:

The GDPR's right to object to processing includes processing for direct marketing purposes, which matches up well with the more detailed items in the US laws.

Controls

All three laws require implementation of controls.

The differences are minimal. The use of 'reasonable' in the CDPA and the CPRA seems to match up well with the GDPR's 'taking into account the state of the art (and) the costs of implementation.' None of the laws specify particular controls, although the GDPR provides a few examples, notably pseudonymisation and encryption. There seems to be an agreement that the list of generally-accepted controls or best practices is better developed, maintained, and controlled elsewhere, such as in the the Center for Internet Security ('CIS') Top 20 Critical Security Controls, the National Institute of Standards and Technology's ('NIST') Framework for Improving Critical Infrastructure Cybersecurity, the Cloud Controls Matrix of the Cloud Security Alliance, and similar documents.

Some requirements are similar across all three laws, although the words used are different. These requirements include:

• the GDPR's Data Protection Impact Assessments, the CDPA's Data Protection Assessments, and the CPRA's periodic Risk Assessment are all risk-based assessments weighing the benefits of processing against the possible risk to the data subjects; and
• vendors who process personal information on behalf of a covered entity are drawn into virtually the same requirements faced by the covered entity itself. This potential loophole was closed in all three laws.

The GDPR contains some requirements that don't exist in the CDPA and the CPRA. These requirements include:

• appointing a data protection officer;
• a Register of Processing Activities; and
• special handling of most international transfers of personal information.

In conclusion, authors of the two US laws clearly observed and learned from the GDPR experience. They were able to incorporate most of the strengths of the GDPR while eliminating or reducing the impact of some of its weaknesses. They have established a US approach to data privacy that is not the same as GDPR. The GDPR is probably still the global standard, but with the CDPA and the CPRA spurring other US states to adopt privacy laws of their own, and perhaps leading to a US federal privacy law in a few years, other countries may consider the US approach as a viable alternative when they establish or modify their own privacy and data protection laws.

John Pilch Cybersecurity/Privacy Analyst
[email protected]
Woods Rogers PLC, Richmond