UC Irvine Law Review Volume 10 Issue 4 Article 11 6-2020 The Changing Wind of Data Privacy Law: A Comparative Study of the European Union’s General Data Protection Regulation and the 2018 California Consumer Privacy Act Grace Park Follow this and additional works at: https://scholarship.law.uci.edu/ucilr Part of the Privacy Law Commons Recommended Citation Grace Park, The Changing Wind of Data Privacy Law: A Comparative Study of the European Union’s General Data Protection Regulation and the 2018 California Consumer Privacy Act, 10 U.C. IRVINE L. REV. 1455 (2020). Available at: https://scholarship.law.uci.edu/ucilr/vol10/iss4/11 This Note is brought to you for free and open access by UCI Law Scholarly Commons. It has been accepted for inclusion in UC Irvine Law Review by an authorized editor of UCI Law Scholarly Commons. Second to Printer_Park.docx (Do Not Delete) 6/17/20 8:02 PM The Changing Wind of Data Privacy Law: A Comparative Study of the European Union’s General Data Protection Regulation and the 2018 California Consumer Privacy Act Grace Park* On May 25, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) came into effect. The GDPR is expected to reshape web use and overhaul data privacy laws beyond Europe in how businesses and organizations can handle customer and user information. Only a month after, California passed the California Consumer Privacy Act of 2018 (CCPA). The CCPA is one of the most significant regulations overseeing data-collection practices of businesses in the United States. It is the first of its kind and is expected to provide the most comprehensive data privacy measures in the United States. As such, the combined CCPA and GDPR data privacy regulations will likely usher in a tidal wave of changes, most likely setting new data privacy standards for other jurisdictions to model. Drawing from these events, this Note will examine the EU’s and California’s newest data privacy laws, studying the immediate and potential effects of GDPR and CCPA regulations on the existing data privacy regime. Through a comparative study of GDPR and CCPA provisions, this Note attempts to answer key questions in discourse today—to what extent are the CCPA and GDPR moving towards convergence or divergence, and how will the laws affect businesses and consumers? Is the U.S. data privacy environment veering away from its hands-off approach and drawing closer to the comprehensive approach of the EU data privacy regime? This Note will explore these questions looking at two particular provisions in the GDPR and CCPA: (1) the opt-in vs. opt-out consent and (2) the right to be forgotten/right to delete personal data. Lastly, this Note analyzes the practical implications of the GDPR and CCPA regulations on businesses in terms of how receptive businesses are to the regulations, how well businesses strive to conform to the regulatory boundaries of data privacy regimes, and whether the regulations will have the intended effect of strengthening consumer rights by putting heavier restrictions on businesses. * Ms. Grace Park is a member of the Class of 2019 of the University of California, Irvine School of Law. Many thanks to Professor David Kaye for his guidance and suggestions to pursue and research this topic. 1455 Second to Printer_Park.docx (Do Not Delete) 6/17/20 8:02 PM 1456 UC IRVINE LAW REVIEW [Vol. 10:1455 Introduction .................................................................................................................. 1456 I. The Data Privacy Framework ....................................................................... 1458 A. What is Data Privacy Law? .................................................................... 1458 B. The Development of Internet Law ...................................................... 1461 C. Data Privacy Regulatory Environment in the United States and the European Union .............................................................................. 1464 1. The EU Model and the GDPR ..................................................... 1465 2. The California Model and the CCPA ........................................... 1468 II. Comparative Study of the GDPR and the CCPA ...................................... 1473 A. Opt-In vs. Opt-Out Consent ................................................................ 1473 1. Application ....................................................................................... 1476 B. The Right to be Forgotten .................................................................... 1479 1. Application ....................................................................................... 1483 III. The Effects of the European Union and California’s Data Privacy Laws on Businesses and Organizations ....................................................... 1485 Conclusion ..................................................................................................................... 1488 INTRODUCTION The year 2018 was a huge step forward for advocates who have long pushed for stronger data protection for individuals. On May 25, 2018, the EU’s General Data Protection Regulation (GDPR) came into effect with fanfare, as businesses and organizations impacted by the law scrambled to meet the new benchmark for data protection. The GDPR is expected to reshape web use and overhaul data privacy laws beyond Europe, altering how businesses and organizations can handle customer and user information. Coming on the heels of GDPR’s effective date, the California state legislature hastened to pass the California Consumer Privacy Act of 2018 (CCPA) a month later. The CCPA is one of the most significant regulations overseeing data-collection practices of technology companies in the United States.1 Going into effect in January 2020, the California law is the first of its kind in the United States and is expected to provide the most comprehensive data privacy measures in the United States. The CCPA is being closely watched because California has been a forerunner in enacting various laws protecting consumer rights. Data privacy rights are no different. The combined CCPA and GDPR data privacy regulations will likely usher in a tidal wave of changes because these initiatives are being carried forth by the world’s major economic powers2 and will most likely set new data privacy standards for other jurisdictions to model. 1. Daisuke Wakabayashi, California Passes Sweeping Law to Protect Online Privacy, N.Y. TIMES ( June 28, 2018), https://www.nytimes.com/2018/06/28/technology/california-online-privacy- law.html [https://perma.cc/4R83-SVZD]. 2. See Kieran Corcoran, California’s Economy Is Now the 5th-Biggest in the World, and Has Overtaken the United Kingdom, BUS. INSIDER (May 5, 2018), https://www.businessinsider.com/ california-economy-ranks-5th-in-the-world-beating-the-uk-2018-5 [https://perma.cc/2S4B-GYN6]. Second to Printer_Park.docx (Do Not Delete) 6/17/20 8:02 PM 2020] THE CHANGING WIND OF DATA PRIVACY LAW 1457 The focus on laws fortifying data protection comes at the same time that 2018 became the year that consumers intensified demands for greater corporate accountability. Reports after reports of massive data breaches or privacy intrusions have come to light. In March 2018, news broke that Cambridge Analytica had collected and sold personal data of millions of Facebook users without their knowledge or consent. In August 2018, a user sued Google after reports emerged of Google Maps storing users’ location data even when “Location History” was turned off.3 One month later, Facebook revealed that hackers had breached and gained access to more than thirty million users’ personal data.4 Most recently, investigation by the Irish Data Protection Commissioner divulged information that Microsoft’s LinkedIn professional networking application (“app”), i.e., a software program run on computers or mobile devices to perform specific tasks, misused email addresses of eighteen million nonmembers in the United States.5 According to reports, LinkedIn used the emails to get more people to sign up for the service by using them in hashed form to place targeted ads on Facebook’s platform.6 The constant media stream of corporations mishandling personal data has steadily contributed to the growing awareness of Internet privacy issues. Users are “very concerned” about companies like Facebook that have failed to institute policies safeguarding personal data and have indeed profited from the misuse of users’ personal data.7 Thus, recent events have united voices calling for stronger data protection regulation to the forefront of national discourse. The public seems to be at a turning point in what it expects governments to do in order to curb corporate misuse of personal data and strengthen data privacy laws to protect consumer rights.8 Accordingly, this Note conducts a study into the EU’s and California’s newest data privacy laws in order to examine the immediate and potential effects of the GDPR and CCPA regulation on the existing data privacy regime. This Note will compare and analyze where the GDPR and CCPA provisions align and where they 3. Cyrus Farivar, Man Sues Over Google’s “Location History” Fiasco, Case Could Affect Millions, ARS TECHNICA (Aug. 20, 2018, 10:55 AM), https://arstechnica.com/tech-policy/2018/08/did- google-violate-users-privacy-when-it-secretly-kept-location-data/ [https://perma.cc/N5CK-QRNT]. 4. Allen St. John, Facebook Breach Exposed Personal Data of Millions of Users, CONSUMER REPORTS (Oct. 12, 2018), https://www.consumerreports.org/digital-security/facebook-data-breach-