California’s CCPA 2.0: Does the US Finally Have a Data Privacy Act?
(2020) 168 Privacy Laws & Business International Report, 13-17
8 Pages
Posted: 24 Mar 2021
Date Written: December 01, 2020
Abstract
On the day of the US Presidential election, Californians voted to pass Proposition 24, enacting the California Privacy Rights Act of 2020 (CPRA), in order to amend the current California Consumer Privacy Act (CCPA), which took effect earlier in 2020. The new law is known as ‘CCPA 2.0’ to indicate it is the combined effect of the CCPA as amended by the CPRA. In its combined effect, it is the most ambitious US legislation affecting privacy more broadly than in a specific sector.
This article considers ‘where does California fit?’ in the framework of an analysis of how many countries have data privacy laws, which now recognises 145 countries with such laws, but the US only in relation to the federal public sector (Privacy Act of 1974). This is a formal analysis, based on the extent to which California’s law can be mapped against the requirements of the three ‘generations’ of international data privacy instruments over the last forty years. It is not (and as yet, could not be) a substantive analysis of CCPA 2.0’s effectiveness for privacy protection.
The article commences by asking whether the CCPA 2.0 is a data privacy law at all, based primarily on whether it provides a set of basic data privacy principles, which at least include almost all the principles (or standards) required by both the OECD privacy Guidelines (as at 1980) and Council of Europe data protection Convention 108 (as at 1981), plus some method(s) of officially-backed enforcement (i.e. not only self-regulation). The rationale is that it was these two international instruments which, at the outset of the 1980s, provided the first international consensus on what is required for data privacy protection, sufficient to justify free flow of personal information between compliant countries. On the basis of both the principles that it includes, and its scope, we may conclude that CCPA 2.0 is a data privacy law. After 40 years, the US has a data privacy law for a significant part of its private sector.
A further stage of this analysis asks to what extent CCPA 2.0 adopts ‘second generation’ principles similar to those required by the European Union’s data protection Directive of 1995. We can conclude that CCPA 2.0 approximates the current international standard for data privacy laws outside Europe, by inclusion of about 7 of the 10 additional principles.
However, CCPA 2.0 still only includes a small number of the twenty or more innovations found in the EU’s GDPR of 2016 – ‘third generation’ principles. The CCPA 2.0 is not ‘America’s GDPR’ as some have claimed.
Keywords: United States, California, privacy, data protection, GDPR