What the GDPR and CCPA Mean for Your Legal Teams


By Jamy J. Sullivan

The landscape of consumer privacy protection is rapidly evolving and mushrooming. 2018 was a watershed year, as the European Union’s General Data Protection Regulation (GDPR) took effect that May. Even though the law is perceived as an EU-only regulation, its reach is much broader, and organizations worldwide felt the repercussions: As long as a company handles the personal data of data subjects in the EU, it had new compliance requirements.

A month after the GDPR went into effect, the California Consumer Privacy Act (CCPA) was signed into law. Effective January 1, 2020, residents of the U.S.’s largest state will benefit from similar protections as those in the EU.

Businesses have already implemented policies and procedures to comply with the GDPR. However, the California law presents new requirements, some of which are still being finalized; the CCPA has already been amended several times, and some other matters remain unsettled. GDPR requirements will also likely change in the future as litigation and guidelines crop up.

Meanwhile, a growing number of U.S. states are developing similar privacy measures. According to the International Association of Privacy Professionals (IAPP), Nevada and Maine have also passed their own comprehensive data privacy law, and nine other states’ privacy bills are in various stages of the legislative process.

Comparing and contrasting the GDPR and CCPA

Both the EU and California privacy law strive to increase transparency about how companies collect, use and share consumers’ personal information. They also aim to protect residents’ (in the case of California) data from misuse. However, these laws have some differences in how they achieve these goals.

  • The laws’ reach. The GDPR affects any company — European or non-European, for-profit or nonprofit — that processes the personal data of data subjects in the EU. This processing can relate to offering goods and/or services or to monitoring consumer or employee behavior. The CCPA applies only to larger for-profit businesses that collect California residents’ data.

  • Definition of natural persons. Under the EU law, the term natural persons (also called “data subjects”) includes all individuals currently in a member state. The California law calls a natural person a “consumer,” the definition of which is not as broad — for now. Assembly Bill 25 specifies that for all of 2020, the CCPA will not cover the personal data of California employees, independent contractors and job applicants, except in limited situations. Also exempt are a business’s owners, directors, officers and medical staff members.

  • Opting in vs. out. Individuals in the EU must knowingly opt in to share their personal data with businesses. Individuals in California must opt out of sharing.

How to help clients with GDPR and CCPA compliance

Although key differences exist, legal teams can follow the same playbook when it comes to understanding these two laws and helping clients comply with them. Here are some suggested steps for any law firms and legal departments whose work touches on compliance.

  1. Establish a data privacy compliance team. If your team is shorthanded or needs training, partner with a legal consulting firm or specialized legal staffing agency.
  2. The team should then determine whether the GDPR, CCPA and/or other legislation apply to your client’s organization.
  3. If they do, conduct discovery and prepare a data map of the consumer information the client’s business shares, collects and sells.
  4. Review and update the client’s data privacy policies, notices, and procedures, including policies about a consumer’s rights under these laws.
  5. Perform an annual or biannual audit on the collection and processing of personal data to assess areas of exposure and whether proper controls are in place.
  6. Draft clear opt-in (GDPR) or opt-out (CCPA) language for the business’s website.
  7. Develop a way to track and respond to consumer requests for information and deletion.
  8. Create a mechanism for submitting requests for information disclosures.
  9. Establish protocols for handling both electronic and paper-based information.
  10. Train employees on how to respond to consumers’ data-related requests.

Looking ahead

No business entity wants to deal with state-by-state privacy legislation. In the United States, imagine 50 sets of consumer rights and business obligations! But unless Congress can come up with a federal law in the near future, which seems unlikely, more states will pass their own version — and legal compliance professionals whose clients do business in the EU and California will have to keep up with those, as well as the ensuing amendments and regulations.

Need more information?

Listen to the latest Robert Half Legal Report to learn more about how companies are adjusting their security and privacy practices to manage the growing volume of data regulations.