November 8, 2021

CLTC Request for Proposals:

Comparing Effects of and Responses to GDPR and CCPA/CPRA

Categories: CLTC Research, News

The Center for Long-Term Cybersecurity at UC Berkeley is hosting its second interdisciplinary symposium on July 29, 2022 to examine and compare how various stakeholders (including firms and consumers) have responded to the E.U.’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA). This RFP seeks proposals to conduct scholarly inquiry into these topics to enrich the societal understanding of these privacy laws and particularly their impact and effectiveness based on empirical findings. Selected proposals will be invited to present and discuss their research-in-progress at the symposium. 

Background

This request for proposals seeks grounded arguments that examine the effects of, and responses to, the GDPR and CCPA/CPRA. At a high level, the general principles of the GDPR and CCPA share some similarities in giving individuals expanded rights to accessing, deleting, and porting data, and having rights to know about data collectors’ practices. However the laws have significant differences. For example: the GDPR is rooted in a human rights framework, while the CCPA is rooted in a consumer protection framework; the GDPR has more restrictive lawful purposes of processing and explicitly promotes data minimization while the CCPA does not; the CCPA relies on some market-based solutions to improve privacy; the GDPR allows for larger financial penalties to be levied against violators and has independent Data Protection Authorities (DPA). Moreover, the CPRA which was passed in 2020, while going into effect in 2023, will introduce new and revised requirements that supersede the CCPA with a 12-month look-back period. The CPRA may narrow some of the gaps between GDPR and CCPA with its strengthened data minimization rules and newly established California Privacy Protection Agency (CPPA).   

We now have a few years of experience with the two laws (GDPR since 2018, and CCPA since 2020), and some provisions of CPRA will take effect in early 2022. To build on mostly legal and business analyses which have sought to understand the motivations and likely consequences and implications of these laws, we seek to focus attention on the empirical evidence of how firms, customers, citizens, and other relevant players impacted by these laws have acted and reacted — in practice. 

We are particularly interested in research proposals that help shed light on the alignment or misalignment between the vision of the laws and their on-the-ground impacts. Research projects presented at our inaugural symposium in 2021 identified both similarities and differences in impacted stakeholders’ responses to GDPR and CCPA and limited effects of the laws on meaningfully improving privacy despite efforts around compliance, enforcement, and exercise of the rights. We plan to expand upon these insights in the 2022 symposium. 

We are also looking for analyses that consider the diversity within each stakeholder group when studying the behaviors and practices of firms, consumers, and/or authorities: How do industry responses vary by firm size? How are the effects of these laws shaped by socio-economic class, race, ethnicity, gender, etc.? Such analyses might focus on one or more of the following areas:

  • Changes in organizational structure and business models. How is responsibility for privacy distributed within and/or between organizations in response to GDPR and CCPA/CPRA? Where are there gaps within organizational responses and operational understandings of privacy? Are there new business models or emerging actors (e.g., authorized agents) in response to these laws? 
  • Changes in technical design and development processes. How have GDPR and CCPA/CPRA concretely changed the work that technical practitioners (e.g., engineers, designers, researchers) do in relation to privacy? Among various data rights such as the rights to access, deletion, portability, nondiscrimination, and opt-in/opt-out, are there rights more operational or neglected than others, and if so, why?
  • Changes in political engagement and contestation. How are a broad range of stakeholders (e.g., political parties, civil society, trade associations, academic institutions) engaging with GDPR and CCPA/CPRA, or using these measures to advance their goals? What are the impacts of GDPR and CCPA/CPRA beyond their regional boundaries for issues such as cross-border data practices?
  • Changes in social norms and behavior. How have citizens and consumers exercised their rights under GDPR and CCPA/CPRA, and what factors challenge or empower their ability to do so? Are specific populations and communities meaningfully benefiting or disproportionately marginalized from these laws? 
  • Changes in rulemaking and enforcement. What are the factors that contribute to successful or limited enforcement of GDPR and CCPA/CPRA? How effectively are Data Protection Authorities (DPAs) or State Attorney Generals (AGs) enforcing the laws? What are the impacts of the California Privacy Protection Agency (CPPA)’s rulemaking activities?

We equally welcome proposals that suggest other areas not listed above as noteworthy or more appropriate venues for empirical investigation. We also welcome proposals that present evidence showing that our assumptions that differences in how actors respond to the privacy laws are not the best or most productive bases for comparing GDPR and CCPA/CPRA. We are also interested in analyses that identify what areas the effects of and responses to the GDPR and CCPA/CPRA are converging and/or diverging.

This call is intentionally open to interdisciplinary perspectives. We welcome submissions from researchers at all stages of their careers, including graduate students, post-docs, faculty members, and practitioners from research labs in industry and civil society.

The symposium will take place on July 29, 2022, currently planned to be an in-person event. Selected proposals will be invited to present and discuss their research-in-progress at the symposium, and will receive feedback from other participants/discussants. 

Selection Criteria

Proposals will be evaluated on the basis of scientific promise, potential impact on theory and practice, and potential for wide dissemination and use of knowledge, including specific plans for scholarly publications. 

Proposals will be evaluated by an academic panel and selection is at the discretion of CLTC. Upon participation in the symposium, selected proposals will be awarded an honorarium of $7500 and, if needed, travel reimbursement in accordance with UC Berkeley travel policy.

Application Requirements

  • Proposal abstract and outline (maximum two pages total). Because this is an interdisciplinary call for a broad range of papers, it is important that proposals situate their argument in the most relevant literature.
  • Researcher’s CV
  • Please submit the required materials to this Google Form by December 19, 2021.

Important Dates

  • Proposal submission deadline: December 19, 2021
  • Notification of results: January 28, 2022
  • Draft papers due: July 10, 2022
  • Symposium: July 29, 2022

Please send an email to cltc@berkeley.edu if you have any questions.

 

 

This project is made possible by a grant from the William and Flora Hewlett Foundation with additional funding from the Charles Koch Foundation in support of independent academic research.