The GDPR and California privacy law as benchmarks for federal privacy legislation

Over the past eighteen months, the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have helped shape both the interest in and the scope of privacy legislation on Capitol Hill. Some of the reasons are legal or practical: a federal privacy law could help the US meet GDPR adequacy requirements for international data transfers, and either supplement or preempt state privacy laws such as the CCPA. Other reasons are moral or principle-based: the GDPR and CCPA have both helped heighten public awareness of online data collection and processing, and federal privacy legislation could help establish US leadership on privacy.

In addition, the GDPR and CCPA each set benchmarks against which Congress can compare and consider privacy provisions. For example, many federal bills echo the GDPR and CCPA by including rights for individuals to access, modify, delete, and export data. Some also go above these requirements; Senate Commerce Chairman Roger Wicker (R-MS) and Ranking Member Maria Cantwell (D-WA) recently released bill proposals that place stricter limitations on algorithmic decision-making, biometric data, and data minimization, beyond what the CCPA currently provides. How Europe and California regulate data privacy has enormous implications for the US; it is no small matter that EU countries are collectively the largest US trading partner and that California makes up approximately 14 percent of US GDP. Accordingly, both the GDPR and CCPA offer guidelines and lessons as Congress considers how to promote the consumer benefits of data use (e.g., low costs, convenience, innovation, and customization) while also creating parameters for businesses to minimize privacy risks.

