Full Text

The GDPR is designed to protect the personal data1 of an estimated 508 million people in the European Union (EU), the thirdlargest geo-political population in the world after China and India.2 The new regulation automatically applies to all 27 member states as of May 25, 2018, and includes eight new individual rights. In addition, the GDPR imposes new requirements on organizations that process personal data and are established in the EU and, in some cases, organizations that are established exclusively outside the EU.3 The broad application of the new regulation within the EU and the extraterritorial scope, which is articulated in Article 3, along with the possibility of hefty fines, which are detailed in Articles 83 and 84, are driving widespread adoption of the GDPR.

In the United States, there is a different approach to individual rights and data privacy protections. The culture in the U.S. is substantially different than in the EU regarding individual rights and data privacy protections. Critics of the U.S. model assert that the U.S. "has only a patchwork of sector-specific laws that fail to adequately protect data" and there is no individual right to data privacy and/ or data protection enshrined in the U.S. Constitution.4 However, the California Consumer Privacy Act (CCPA), which became law on June 28, 2018, and goes into effect January 1, 2020, is broadly applicable to American companies. According to the International Association of Privacy Professionals, more than half a million U.S. companies are likely impacted by the law. In addition, the law may apply to those operating outside the U.S. too. "The fact that a business does not have a physical location in California does not exempt it from its legal obligation to comply with California law, unless every aspect of the business's commercial conduct with respect to the consumers personal information takes place "'wholly outside of California."'5 The number of businesses that potentially fall within the CCPAs scope, combined with the number of people the law is intended to protect-an estimated 39.5 million California residents-means the law is of global significance. The GDPR and CCPA are becoming the de facto global standards for data privacy and protection because of the sheer volume of citizens protected (~508 million in the EU and ~35.9 million California...