Scott Jordan
Department of Computer Science University of California, Irvine
  GDPR, CCPA, and the FCC Broadband Privacy Order

We are concerned in this research project with the development of a future United States law on consumer privacy. We draw upon three recent privacy laws and regulations:

(I am pleased to have had the opportunity to contribute to the FCC's Order and to the CCPA.)

We believe that development of future laws or regulations should be grounded in an appreciation for the different paths that GDPR, the FCC Broadband Privacy Order, and CCPA have taken, and a recognition of the strengths and weaknesses of each of these laws and regulations.


A Comparison of Notice and Consent Requirements under GDPR, CCPA, and the FCC Broadband Privacy Order

We compare the notice and consent requirements of the three recent privacy regulations that are most likely to serve as the starting points for the creation of a comprehensive consumer privacy bill in the United States: the European General Data Protection Regulation, the California Consumer Privacy Act / California Privacy Rights Act, and the Federal Communications Commission's Broadband Privacy Order. 

We compare the scope of personal information under each regulation, including the test for identifiability and exclusions for de-identified information, and identify problems with their treatment of de-identified information and of pseudonymous information. 

We compare notice requirements, including the level of required detail and the resulting ability of consumers to understand the use and flow of their personal information, and identify deficiencies with consumers' ability to track the flow of their personal information. 

Finally, we compare consumer choices under each regulation, including when a consumer must agree to the use of their personal information in order to utilize a service or application, and find that none of the regulations take full advantage of the range of options, and thereby fail to disincentive tracking.

Strengths and Weaknesses of Notice and Consent Requirements under the GDPR, the CCPA/CPRA, and the FCC Broadband Privacy Order, Cardozo Arts & Entertainment Law Journal, vol. 40., no. 1, pp. 113-174.         


Portions of this work were supported by the Herman P. & Sophia Taubman Foundation and by NSF. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation or IEEE. This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. One print or electronic copy may be made for personal use only. Permission must be obtained from the copyright holder for systematic or multiple reproduction, distribution to multiple locations via electronic or other means, duplication of any material in these papers for a fee or for commercial purposes, modification of the content of these papers, reprinting or republishing of this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, and to reuse any copyrighted component of this work in other works.

Scott Jordan   UCICSNetworked Systems