Anatomy of a Privacy Law

Daniel Solove
Founder of TeachPrivacy

Anatomy of a Privacy Law - Prof Daniel Solove 01

I was recently giving a presentation about new privacy laws, and I created the infographic above to catalog the various elements that privacy laws often have.  Going through this list can help to assess how complete a privacy law is.  For example, the California Consumer Privacy Act (CCPA) is often compared to the General Data Protection Regulation (GDPR), and I’ve heard it sometimes referred to as a GDPR in the United States.  But the CCPA is far different from the GDPR, as the GDPR is significantly more comprehensive and has many more dimensions than the CCPA.  For example, the GDPR has a broader scope (covers more types of entities) and has many provisions about responsibilities and governance that the CCPA lacks.   Indeed, the GDPR has most of the elements in this list. In the US, HIPAA comes the closest to the GDPR in terms of how many items it has from the last, but HIPAA is just limited to certain forms of health data.

Click here for a larger PDF version of the infographic.

The vast majority of privacy laws have provisions relating to their scope and applicability, a definition of the personal information that they regulate, individual rights and organizational responsibilities, enforcement provisions, and a particular position with regard to preemption.

There are some interesting trends I’ve seen in privacy regulation over the years.  Modern privacy regulation is often extraterritorial (applies to organizations beyond the borders of the regulating jurisdiction), has an EU-style definition of personal data (recognizing identifiable data), includes rights of erasure and portability, includes provisions about vendor management, has governance provisions, and can be enforced not just against data controllers but also against data processors (third parties that receive personal data from controllers to perform functions for them.

There are a few key differences between US and EU-style privacy laws. EU-style privacy laws require a legal basis to process personal data whereas US law typically doesn’t have any such limitations.  EU-style privacy laws also have restrictions on cross-border transfer.  Additionally, EU-style laws don’t accept opt-out as valid consent.  There are more differences, but these are some of the most prominent ones.

My catalog of privacy law elements will hopefully be useful in comparing various privacy statutes and regulations.  I welcome feedback.

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers. This post was originally posted on LinkedIn.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 14-16, 2019 in Washington, DC), an annual event designed for seasoned professionals. 

NEWSLETTER: Subscribe to Professor Solove’s free newsletter
TWITTER: Follow Professor Solove on Twitter.

Our New CCPA Training Course

CCPA Training TeachPrivacy 02

Our CCPA Whiteboard

The CCPA summarized in just 1 page! 
Click here to download the full-page version.

CCPA Whiteboard - TeachPrivacy CCPA Training 01 bannerCCPA Whiteboard - TeachPrivacy CCPA Training 03 small