California Seeks Collaboration From the Global Privacy Frontier

The California Privacy Protection Agency recently announced that it signed a declaration of cooperation on privacy protections or collaboration with the UK Information Commissioner’s Office, its latest collaboration with a foreign government.

This global partnership demonstrates that states may turn to foreign countries to help fill the void created by the absence of a federal regulatory scheme for privacy.

The CPPA stated that the collaboration will allow the agencies to:

• Facilitate joint research and education relating to new technologies and data protection issues
• Share best practices, knowledge, and investigative methods
• Convene meetings with staff members
• Share relevant experiences and develop appropriate mechanisms for mutual collaboration

The collaboration represents the CPPA’s third partnership with a foreign government, following its previously announced collaborations with South Korea, which was signed earlier this year, and France, which the agency agreed to last summer.

Typically, for such a collaboration, one would expect agencies to partner with a hierarchically equivalent organization in another nation – in other words, a US federal agency would have partnered with these foreign governments. That isn’t what happened here.

There is no comprehensive federal consumer data protection law in the US for a privacy-specific agency to oversee and enforce. It is worth nothing that this collaboration follows the CCPA’s recent decision to join several other state regulators in creating a bipartisan task force called the Consortium of Privacy Regulators.

Comparing CPPA and ICO

California is a key player and industry leader in enacting and enforcing privacy legislation in the US. And it’s no secret that EU’s General Data Protection Regulation provides a more comprehensive and robust approach to privacy and data protection. The UK ICO, as the UK’s primary regulator for data protection, has supervisory authority for GDPR compliance in the UK.

Does this collaboration represent California CPPA’s interest in becoming an even more vigilant privacy watchdog? To understand what this may accomplish, it’s helpful to compare and understand some of the organizations’ goals and enforcement priorities.

California’s CCPA has the following stated enforcement priorities:

• Review of privacy notices and privacy policies (i.e., ensuring that privacy notices and policies meet the CPPA’s standards and provide consumers with the necessary information and tools to manage their privacy rights)
• Implementation of consumer requests (e.g., advocating for the use of authorized agents and standardizing the consumer request process)The right to delete (i.e., empowering California consumers to request that businesses deleted their personal information)
• Selling or sharing personal information without proper notice of an opt-out mechanism
• Dark patterns and deceptive design (i.e., ensure that user interfaces do not subvert or impair consumers’ autonomy, decision-making, or choice)
• Violations that affect vulnerable communities and groups (i.e., communities facing economic social, and environmental burdens)
  

Meanwhile, the UK ICO’s mission pursues the following stated principles:

• Protecting children’s online privacy (e.g., requiring default privacy settings for children, ensuring children are not being profiled for targeted advertising)
• Online tracking and advertising (e.g., ensuring that only necessary data is collected and used online, assessing harms of online tracking and advertising)
• AI and automated decision-making (e.g., provide clear guidance to organizations on the use of AI, ensuring accountability)
• Data protection principles (e.g., purpose limitation, data minimization, accuracy, storage limitation, accountability)

It’s safe to say that while the organizations’ priorities aren’t a mirror image of one another, they do generally align and demonstrate a rights-focused approach to privacy.

Staying vigilant

Although it’s challenging to predict what this collaboration may mean, there are some steps the privacy industry can take to stay vigilant and prepared:

• Alignment: International companies already well-versed in GDPR compliance should consider what would be required to adjust California compliance to align with GDPR requirements and principles (where possible). If they’re unsure about how to do this, they should consult specialized privacy counsel.
• Children’s Privacy: All companies operating in California should dust off their policies and procedures designed to protect children’s online privacy. If they don’t have such policies or haven’t considered the issue, they should retain specialized privacy counsel to help them develop a program. Children’s issues are front and center for the UK ICO, and it’s reasonable to expect that California will follow suit since states, through their attorneys general, are actively seeking enforcement to protect children online.
• AI Regulations and Enforcement: Both organizations have published proposed frameworks to govern AI and automated decision-making technology. Given how important this issue has been for both, it’s reasonable to expect that it will remain a focus and that regulation and eventual enforcement of ADMT AI may be on the horizon. Specialized privacy counsel can help companies plan for this.

It’s unclear what will happen next and whether this collaboration will bear tangible fruit. It may lead other states to follow suit and partner with the UK ICO or other foreign regulatory bodies. It also may lead to nothing and operate as a mere diplomatic initiative.

But it does signal that, in the absence of a federal privacy statute and regulating body, states are willing to receive guidance beyond the US’ borders, and that the rest of the world is rapidly becoming the true privacy frontier.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

David Navetta is partner at Troutman Pepper Locke and advises clients on all aspects of technology and data law.

Michael Yaghi is partner at Troutman Pepper Locke and handles high-profile state attorneys general, FTC, and CFPB investigations by advising clients through these complex government inquiries.

Lauren Geiser is an associate at Troutman Pepper Locke and focuses her practice on complex business disputes and privacy litigation.

Write for Us: Author Guidelines