Greetings from Brussels!
This week is decidedly one when all our attention is squarely focused on the United States of America. To say that the presidential race is one of the most hotly contested in the history of the country would be an understatement; we are talking fever-pitch proportions here. Historically, and arguably still the case, U.S. presidential outcomes continue to have a profound influence on international relations, and in Europe, this probably rings truer than elsewhere. Regardless of the outcome — whether Trump prevails or Biden emerges victorious — the world has already changed during the last four years as the U.S. has increasingly detached itself from Europe through the existential questioning of the NATO pact and numerous trade standoffs, as well as pulling out of international agreements from climate to nuclear non-proliferation. Privacy pros will be watching closely to see this election come to its conclusion and what it might hold in store for the work of privacy thereafter.
With all the presidential media noise, it may have passed you by, but this week, California voted for big changes in its privacy law with the passing of Proposition 24. As reported in The Privacy Advisor, the approval of Prop. 24, a California ballot initiative voted on by state residents, means the California Consumer Privacy Act will be substantially amended to become the California Privacy Rights Act. The CPRA expands the state’s existing privacy law and scales back the amount of personal data that companies can collect and share on California residents and, perhaps most importantly, establishes the first dedicated data protection authority in the U.S. This is a fundamental shift in U.S. privacy law — granted, it concerns California residents — given that many of the tech industry's biggest companies largely operate within California's jurisdiction. The cultural and organizational changes that accompany it will likely have ramifications across the U.S. and beyond.
Moreover, I recommend listening to the latest Privacy Advisor Podcast in which IAPP Editorial Director Jedidiah Bracy dives into the nitty-gritty of Prop. 24 ahead of the vote with Alastair Mactaggart, the main architect behind both the CPRA and its forebear, the CCPA. The discussion gives a good sense of context and purpose around the proposition while addressing the surprising swathe of criticism leveled against the initiative by several privacy advocacy organizations.
Interestingly, Mactaggart mentions that he consulted with European regulators on the content of Proposition 24 last year, who in turn were supportive of its alignment with the principles of the GDPR. Could California help pave the way to a future federal U.S. privacy law? Mactaggart also bullishly suggests California could be viewed as a model of adequacy by the EU regulatory community. Notably, from the U.S. national perspective, the CPRA could also influence other U.S. state privacy laws, such as the proposed Washington Privacy Act that would count the likes of Microsoft and Amazon under its jurisdiction.
The CPRA will only enter into force come January 2023. Critically, and to ensure company compliance, one of the CPRA's provisions — as mentioned above — is the creation of a state agency dedicated to enforcing the law, expanding the authority that has to date been limited to the attorney general’s office. This is a statement of intent. Two years is not a lot of time. Many companies learned this lesson the hard way with the GDPR. Getting ahead of nascent legislation is as much a critical business decision as it is a compliance one. There is every reason to believe that this may be the start of something bigger in the U.S., but for now, let’s just get past the presidential election.