California Dreamin’ & “GDPR Lite”
Last week, the General Data Protection Regulation (GDPR) celebrated its first birthday. And now it’s about to get a baby sister. Or maybe an American cousin might be a more appropriate way to put it.
As discussed here last week about the survey “GDPR +1 Year: Businesses Struggles With Data Privacy Regulations Increasing,” companies around the world are still trying to comply with GDPR and its strict, often complex data privacy requirements. More than half of companies are either failing to comply, are having trouble staying up-to-date, or are falling behind, according to the survey.
At the same time, they are also bracing for a tsunami of similar laws and regulations going into effect around the world, including in California and other major economic hubs.
A new two-part analysis from Thomson Reuters Regulatory Intelligence (TRRI) turns the focus to what’s ahead even as the impact of GDPR is still reverberating.
The first part of the TRRI analysis echoes the survey findings, with Cynthia Cole from Baker Botts noting that, “even now a year later [after GDPR went into effect], most companies are still nowhere near compliant.”
The second part discusses how other jurisdictions are not standing still, even while businesses are still having trouble meeting GDPR. Canada, Australia and other countries have recently adopted new laws and regulations, or updated guidance to bring them closer to GDPR.
The California Consumer Protection Act — dubbed “GDPR Lite” by some — goes into effect on January 1, 2020, less than seven months away. CCPA “is currently considered the most expansive state data privacy law.” And while GDPR preparations put companies “in a better starting position for the preparation efforts,” successful compliance is by no means guaranteed.
While GDPR and CCPA have significant overlap, CCPA carries exceptions not generally found under GDPR, including certain medical, health, and financial information covered by other laws such as HIPAA and the Gramm Leach Bliley Act. And there are major differences in requirements for consumers’ agreements with service providers, and handling of data involving children.
As we discussed here last week, four in 10 businesses – both in the U.S. and globally – say they do not consider themselves knowledgeable about CCPA. Meanwhile, the clock is ticking, and more than a dozen other states have adopted or are considering legislation similar to CCPA.
Together, the Thomson Reuters Regulatory Intelligence analyses and the Thomson Reuters survey issued last week raise concerns about businesses’ level of preparedness and, at the same time, offer suggestions. The Regulatory Intelligence analyses state that, “as with any significant regulatory change, planning and preparation are essential.” They go on to provide a helpful list of “to-do” items for law firms and businesses to consider.
But they also caution about the “rapidly changing landscape when it comes to privacy data.” The signs are increasingly clear: data privacy laws and regulations are not only here to stay, but are spreading and evolving quickly.