U.S. Markets open in 3 hrs 54 mins

GDPR vs. CCPA: Privacy Counsel Weigh In on Compliance Challenges

(L to R): Barbara Lawler, vice president and chief privacy and data ethics officer at Looker Data Sciences; Lydia de la Torre, a privacy law fellow at Santa Clara Law and former in-house privacy lawyer for Axiom and PayPal; Anna Gassot, associate at FieldFisher; and Jestlan Hopkins, a manager at KPMG (Photo: Caroline Spiezio/ALM)

Sweeping privacy and data protection regulatory changes in California and the European Union are keeping in-house counsel busy, especially at tech companies.

In May 2018, the European Union implemented its General Data Protection Regulation, which expanded consumers' rights over their data. Later that year California became the first U.S. state to pass a privacy law, the California Consumer Privacy Act. It's set to go into effect in 2020.

The laws have similarities. But panelists at a Santa Clara University event Thursday said the laws are also different, a challenge for in-house counsel whose companies need to comply with both. Panelist Anna Gassot, an associate at Fieldfisher and former in-house counsel, said GDPR's definition of personal data is broad. And unlike CCPA, its definition of data controllers isn't limited to for-profit organizations.

"If I'm a privacy officer or a compliance manager and I'm thinking about GDPR's and CCPA's definitions, quite frankly I'm going to take a fairly practical broad view and say, a controller is like a covered business, which is the same as a covered entity in the Health Insurance Portability and Accountability Act," said Barbara Lawler, vice president and chief privacy and data ethics officer at Looker Data Sciences.

Lawler said the broad definition of processing data was unclear at first but is "helpful now" that she's framed it to include "anything you do with data."

Unlike GDPR, CCPA explicitly includes data that could identify a "household" as well as a person, a source of confusion for some in-house counsel that panelists said could be clarified before the law goes into effect next year.

CCPA also includes a clause intended to prevent discrimination, such as varying prices for consumers based on their data, which Gassot said could impact loyalty programs. Lawler said companies seek clarity on this clause as well.

Because of CCPA and GDPR's differences, panelists debated whether or not companies should offer different privacy notices to California and European Union residents. Panelist Lydia de la Torre, a privacy law fellow at Santa Clara Law and former in-house privacy lawyer for Axiom and PayPal, favored separate notices with local language and concepts.

But Gassot noted that could get complicated as more countries and U.S. states move toward implementing privacy laws. Lawler proposed a middle ground. Companies could issue one standard privacy notice, with specifics for each country or region listed outside of the main text.

"I think the bottom line is, how are you delivering notices today? And building on that," Lawler said. She said she hasn't yet decided whether Looker's privacy notice will combine California and the EU.

In-house lawyers still figuring out what CCPA compliance will look like should, panelists said, at least take the first step: mapping their data collection and processing. Then, they can share that information with information technology and other departments.

Gassot said companies who mapped their data for GDPR should still conduct a similar exercise in preparation for CCPA because the "questions were not exactly the same and the information that was needed was not exactly the same."

Complying with changing privacy regulations can be stressful, but Lawler said companies should view it as a business opportunity to increase consumer trust.

"This is a chance to think about how you communicate, and be more transparent about your data handling practices with consumers," she said. "And I think that's just good consumer relations."

Read More: 

Dazed and Confused: Gray Areas in the Golden State's New Privacy Law



House Hearing on Federal Privacy Law Takes Aim at GDPR, CCPA



Real World Scenarios for the California Consumer Privacy Act



Business Groups Lobby for Changes to California Data Privacy Law