The California legislature passed AB-375, the California Consumer Privacy Act (CCPA), on June 28, 2018. It was signed into law that same day by Governor Brown. Commentators noted at the time that the legislation was hurried through to forestall an impending ballot initiative, and the legislation had a number of technical problems, including grammar and syntax issues that would complicate later administrative rulemaking, interpretation, and enforcement. Less than three months later, on August 31, the legislature passed SB-1121. That bill makes several technical corrections to the original legislation, as well as some substantive amendments. As of this writing, SB-1121 is on Governor Brown’ desk, and there is no indication that it will not be signed into law shortly.
While the original CCPA would not be implemented until January 1, 2020, and the revised CCPA delays implementation until six months after the California Attorney General promulgates regulations (but no later than July 1, 2020), the privacy and legal communities are scrambling now to fully understand the requirements of the Act and put compliance procedures in place. One recurring question is the extent to which CCPA overlaps with other data privacy laws in other jurisdictions, and whether compliance can be streamlined by finding a “common denominator” across jurisdictions and industries.
Alas, the CCPA defies such simple analysis. It is the most far-reaching law of its type in the United States, and while there may be some superficial similarities to data protection laws in other states, the CCPA is sui generis. The closest analogs may be the General Data Protection Act (GDPR) in the European Union or the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. But CCPA has significant differences with these similarly comprehensive laws.
To assist legal practitioners and scholars in developing their analyses of CCPA over the next few months, especially members of The Sedona Conference Working Group 11 on Data Security and Privacy Liability, we are tracking the evolution of the CCPA and comparing its provisions – to the extent possible – to other data protection statutes, pointing out the similarities and differences. To get this effort off the ground, we selected only a handful of comparators – GDPR, PIPEDA, some U.S. federal statutes, and two sets of state statutes (Illinois and Massachusetts). The resulting spreadsheet is not intended to provide any analysis beyond providing the statutory language, and it is far from the “non-partisan, dialogue-based consensus” commentary that is the hallmark of The Sedona Conference Working Group Series. It is intended simply as a reference work, pulling together the disparate threads of data protection laws and placing them into a useful framework for analysis.
We plan to periodically update and expand this spreadsheet. We have no doubt that it contains some errors and inaccuracies, and we welcome corrections and comments on the substance. We hope that the spreadsheet format is helpful, and we are open to suggestions regarding the arrangement, links, and other ways to make it more useful.
Finally, I want to acknowledge the work that two dedicated volunteers put into making this resource a reality. Daniel Neally, Arizona State University Law School Class of 2019, spent countless hours of what would otherwise have been an enjoyable summer assembling and parsing the language of various data privacy laws. California attorney Will Hoffman, who lives for editing and proofreading, painstakingly combed through the language of SB-1121 to create an updated version of CCPA in advance of codification and continues to review the summaries of other laws for accuracy and clarity. The Sedona Conference relies on such volunteer efforts, and I thank them.
The current version of the spreadsheet is posted here. It is too large to present as a web page, so please download it to your device.
Deputy Executive Director, The Sedona Conference
September 23, 2018