Bloomberg Law
July 7, 2021, 9:01 AM

ANALYSIS: GDPR Compliance Provides Answer Key for Calif., Va.

Amanda H. Allen
Amanda H. Allen
Team Lead–Regulatory & Compliance

Compliance lawyers don’t generally have the time or the inclination to reinvent the wheel. So it’s no real surprise that respondents to the 2021 Bloomberg Law GDPR Compliance Survey indicated overwhelmingly that work done to satisfy one comprehensive privacy regime would carry over to the development of another compliance program.

Three years after the effective date for Europe’s General Data Protection Regulation, the current global privacy landscape spans Brazil to New Zealand, as well as California to Virginia. In the U.S., the lack of a federal, comprehensive consumer privacy-oriented law has left states to design their own approaches. (And then there are the administrative regulations.)

Rather than implementing bespoke compliance programs from scratch at each new development, 97% of survey respondents seem to be making the more efficient—and likely far more effective—decision to leverage existing GDPR compliance processes.

Legal and compliance professionals spent a year and a half dealing with the California Consumer Privacy Act, the CCPA’s amendments and regulations, and the voter-approved California Privacy Rights Act. Although they could overlay some language from the GDPR to figure out the scope of certain defined terms and areas of applicability, California clearly did not—and did not want to—import the GDPR framework in one piece.

Virginia, on the other hand, seems to have taken at least a very strong cue from the veteran consumer privacy regime, providing more parallels to the GDPR in its Consumer Data Protection Act.

So, if nearly all respondents say they used a GDPR program to guide their California privacy compliance, why did 45% fewer of the survey respondents indicate their organization has used or will use an existing GDPR program to comply with VCDPA?

It could be timing, as the survey was garnering responses only about two months after the law’s enactment. Or it could be that privacy experts and lawyers are significantly more sanguine about the GDPR-influenced VCDPA.

Bloomberg Law subscribers can find related content on our Privacy & Data Security Practice Center, which includes access to our In Focus: GDPR page, CCPA vs. CPRA Text Comparison Tables and the privacy profiles of each U.S. state.

Bloomberg Law subscribers can find additional related content on our Surveys, Reports & Data Analysis page.

If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content or click here to view the web version of this article.