California’s “Nouveau” Approach to Privacy
Aug 27, 2024 by Leah Smyle, Privacy Compliance Coordinator and Divya Sridhar, Ph.D., Vice President, Global Privacy Division and Privacy Initiatives Operations, BBB National Programs
To date, state regulators have primarily focused on how their consumer privacy laws compare to those of other states in the U.S., without always analyzing how they compare to global privacy regulations, namely the EU General Data Protection Regulation (GDPR). As privacy becomes a key pillar for business growth domestically and internationally, navigating between the two can present challenges.
However, California is aiming to ease that burden by working directly with foreign regulators in a new joint partnership between the California Privacy Protection Agency (CPPA) and its French equivalent, the Commission nationale de l'informatique et des libertés (CNIL). Debuting the agreement in June 2024, the two authorities have established a cooperative relationship intended to harmonize their approaches to new technologies and data privacy.
During its July board meeting, the CPPA highlighted its interest in treating privacy as a global issue that impacts businesses from a variety of angles, not just from a domestic, U.S.-focused perspective. It discussed California's engagement in multilateral and bilateral global privacy agreements, including the first-in-class international Memorandum of Understanding (MOU) on cooperation with the French data protection authority, CNIL.
As noted in the press release, this partnership will be an opportunity to “build strong institutional and human links between the CPPA and the CNIL through common projects, allowing us to strengthen their understanding of new technologies and to help face together the challenges presented by the protection of personal data of Californian and French citizens.”
This declaration of cooperation will allow both authorities to carry out joint research related to new technologies and data protection issues, share their best practices and experiences (including during their investigations), and organize joint training workshops.
This is not California’s first foray into international and cross-border collaborations. Rather, as noted in its press release, the CPPA “also previously joined the Asia Pacific Privacy Authorities (APPA) and the Global Privacy Enforcement Network (GPEN). In 2022, the Global Privacy Assembly voted to admit the CPPA as a full voting member, only the second US organization to be granted this status. Just last year, the Dubai International Financial Centre (DIFC) issued an adequacy determination establishing the California Consumer Privacy Act of 2018’s equivalence with the DIFC’s Data Protection Law.”
In the same year, California passed its Age-Appropriate Design Code (AADC) Act, which was modeled after the UK’s version. California worked with key stakeholders from the UK to create a version that would align with its privacy landscape. Working with international regulators is not new to California, and it is often seen as the port of entry for incorporating practices from other countries into the fabric of its privacy laws.
In the July board meeting, Ashkan Soltani, Executive Director for the CPPA, reiterated the importance of cooperation with international data protection authorities and organizations and highlighted Dubai’s recognition of California as an adequate territory for data transfers.
Previously, California has taken steps toward data privacy efforts and engagement that transcend domestic borders. For example, the CPPA was admitted as a voting member of the Global Privacy Assembly in October 2021 (for reference, the Global Privacy Assembly comprises over 130 data protection and privacy authorities from around the world). The CPPA has also been heavily engaged with the OECD (Organisation for Economic Co-operation and Development) and has participated in working sessions on governance, privacy, and AI. With California's Bay Area remaining the biggest U.S. tech hub, the role of tech companies and the technology industry in facilitating good data hygiene practices will be at the forefront.
Other States Going Global
There is incentive for other states and countries to follow this trend and create pathways for multidirectional information sharing.
Many states are using the California Consumer Privacy Act (CCPA) as a template. Maryland, Minnesota, and Vermont, on the other hand, deviated from the dominant U.S. state model and enacted some compliance requirements that did not exist under any other U.S. state privacy law.
Some states, such as Tennessee, are looking to globally recognized standards like the Cross Border Privacy Rules (CBPR) for an appropriate certification mechanism to uphold accountability for privacy programs. The Tennessee Information Protection Act, signed into law in May 2023, includes specific requirements that controllers and processors create, maintain, and comply with a written privacy program that judiciously complies with the National Institute of Standards and Technology (NIST) Privacy Framework.
Whether the controller is CBPR certified, or the processor is Privacy Recognition for Processors (PRP) certified, is one of the major factors for consideration in determining the appropriateness of a controller or processor’s privacy program. Although the U.S. has been an active participating economy of the (formerly APEC, now Global) Cross Border Privacy Rules Framework since 2012, this is the first time the CBPR and PRP systems have been explicitly mentioned in a comprehensive state privacy law.
As California and Tennessee have taken distinct global approaches, it raises the question: will other states work toward a more global standard in their laws, regulations, and public policies?
The Global CBPR program, which is widely accepted by privacy regulators around the world, is a certification mechanism that provides an efficient and cost-effective way to achieve compliance with globally recognized standards. Not only does this certification mechanism allow you to fortify your privacy program internally, but the self-certification seal received after approval allows you to publicly demonstrate your commitment to proper privacy hygiene.
For more information on how to bolster your privacy program, begin your application here.