Printer Friendly, PDF & Email

The CCPA and when privacy law overlooks internal compliance functions

Stuart L. Pardau ( is a tenured professor at the David Nazarian College of Business and Economics at California State University, Northridge, USA. He also practices law and consults with clients in the areas of privacy and data security, intellectual property licensing, and compliance issues.

Experience informs us that it is not uncommon for different areas of law to conflict and sometimes produce unintended results. The intersection of privacy law and corporate compliance produces some disturbing examples in this regard.

As Exhibit A, take the Federal Trade Commission’s 1999 ruling that the Fair Credit Reporting Act (FCRA) required employers to obtain an alleged sexual harasser’s consent before having the employer’s outside law firm investigate the allegations, or Article 10 of the General Data Protection Regulation (GDPR), which limits the “[p]rocessing of personal data relating to criminal convictions” without carving out exceptions for internal investigations, anticorruption due diligence, export control vetting, or background checks on potential employees.[1]

Similarly, the GDPR’s right to be forgotten, right to object to processing, and right to restrict processing can hamstring internal investigations and due diligence related to hiring. In these and other cases, well-meaning privacy advocates and well-intentioned drafters of statutes fail to unambiguously allow processing of personal data for legitimate compliance and ethics purposes.

This document is only available to members. Please log in or become a member.