A new report from the Center for Long-Term Cybersecurity examines how firms have responded to two major privacy laws: the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
The white paper, Privacy Legislation on the Ground: Effects of and Responses to the GDPR and CCPA, was authored by Saba Chinian, a third-year law student at the UC Berkeley School of Law and a Graduate Student Researcher at the Center for Long-Term Cybersecurity. The paper is based on a synthesis of research findings from a series of symposia that CLTC convened to enable scholars from diverse institutions to share academic research on the effects of the two laws. (Summaries are available on the CLTC Bulletin for the 2021 and 2022 symposia.)
“The GDPR and CCPA are the most consequential data information regulations since the development of intellectual property law,” Chinian explains in the report’s executive summary. “But from a long-term perspective, the GDPR and CCPA are ultimately ‘first drafts’ in privacy protection. How we conceive of ‘privacy’ and the tools we use to manage it are likely to change. This empirical research on the GDPR and CCPA gives us an opportunity to evaluate these first drafts in order to not only observe their effects on protecting privacy, but also to improve subsequent privacy regulations in the United States and beyond.”
As Chinian explains, the scholars who presented at the symposia used diverse research methods — from interviews with tech-sector employees and regulators, to analyses of companies’ website content and SEC filings — to uncover how companies did (or did not) change their practices in response to the two laws. “Combined, these papers answer questions regarding how these laws have affected individuals and organizations, whether they have effectively protected data privacy, and how they anticipate the effects of emerging privacy laws,” Chinian explains. “Further, these findings suggest how to better enforce and comply with these laws.”
Initial Impacts: Strengths and Shortcomings
To date, the GDPR and CCPA have had a variety of positive impacts, Chinian says; for example, they have led companies to reduce their use of data-intensive practices, such as behavioral targeting, and have led to increased levels of peer accountability. The GDPR has additionally helped maintain accountability and transparency among EU member states.
Yet the laws also have created challenges for companies, in part because of vague language that has created confusion over what compliance entails. Many firms may be more focused on meeting legal requirements than improving their users’ awareness; for example, “cookie banners” shown on websites are not always designed with users in mind. The costliness of compliance with both laws has also created barriers to entry for smaller businesses and has incentivized some to cut corners in their compliance strategies.
“Companies report that complying with the GDPR and CCPA requires difficult, if not impossible, data inventory, mapping, and retention obligations,” Chinian writes. “Additionally, lack of clarity about their obligations for consent interfaces and user-access request processing has increased the risk of noncompliance, harm to user privacy, and abuse.”
Meanwhile, enforcement of the GDPR has been uneven due to a lack of resources and expertise among EU member states. In some cases, there has been disparately heavy enforcement on smaller businesses and individuals, and the GDPR and CCPA may in some cases be affecting innovation and product development, Chinian explains.
Recommendations for Companies and Regulators
Beyond synthesizing the findings from the research symposia, the paper introduces recommendations for how companies can more effectively comply with the privacy laws, and how regulators can better enforce them.
“For companies, viewing privacy as a business and investment risk can better motivate compliance,” Chinian explains. “Encouraging organizational cohesion, accountability, and transparency can improve compliance and prevent deceptive designs.”
Companies can also improve how they handle user data-access requests, a process that is prone to inadvertently disclosing a user’s data to an impersonator; to prevent such leaks, firms should use multi-factor authentication, notify users through other communication channels, or require users to submit verification information before releasing data.
For regulators, the paper suggests creating safe harbors for small businesses and individuals to prevent excessive punishment. “For both laws, clarifying ambiguous language can improve compliance and reduce regulatory uncertainty,” Chinian says. “Creating more explicit guidelines and enforcement consequences can help eliminate deceptive designs in consent interfaces…. Employing a more explicit advisory function to provide guidance and interact with regulated entities or individuals can help prevent infringements from occurring in the first place. In addition, by ensuring that the laws allow companies to share some information with verified researchers, companies can help prevent, address, and remedy infringements.”
Guidance for the Future
The third section of the report examines how the research on the GDPR and CCPA can inform emerging privacy laws at both the state and federal levels. Chinian notes that it will be important to maintain a degree of consistency as laws develop so that companies do not have to comply with a “patchwork of distinct privacy laws,” but she discourages the wholesale copying of laws from state to state, which could “amplify their negative consequences” and reduce the potential for innovation.
“A federal privacy law that preempts existing state law could help companies avoid patchwork compliance,” Chinian writes. “But states can operate as ‘laboratories’ of privacy law that can better react to unforeseen and unintended consequences, such as those resulting from the GDPR and CCPA. Policy experimentation is particularly helpful in this field.”
“The GDPR and CCPA were the first ventures into the world of data privacy protection laws, and although numerous U.S. state laws have emerged in their wake, we are still on a long road to finding solutions to privacy issues,” Chinian concludes. “Viewing the GDPR and CCPA as ‘first drafts’ of how to regulate data protection and privacy reminds us that these laws, although they were among the first, are not the only methods of protecting data privacy. Future research on how other regulatory frameworks could more effectively protect privacy — rather than how to circumvent or correct the GDPR’s and CCPA’s misaligned results — could get us closer to the intended goals of data protection and privacy regulation.”