By Isabella Goldsmith*
Change has come for data privacy and security laws in California with the California Privacy Rights Act (“CPRA”), which went into effect on January 1, 2023. The European Union (“EU”) has implemented and enforced similar data privacy laws since 2018, making it the leading example for regulations on personal data acquisition. Laws like the CPRA do not instantly result in a seamless transition among the company using the data, the consumers giving the data, and the state body as the regulator of the data privacy laws. Companies operating in states that are now following the EU’s lead and creating stricter data protection laws should be cognizant of the friction that was seen between European tech companies and the implementation of the European General Data Protection Regulation (“GDPR”). Exercising the GDPR substantially changed how businesses used tech stacks within regulatory guidelines. Companies operating in California, one of the technological capitals of the world, should begin implementing similar changes to avoid violating privacy laws while using these tech stacks.
A tech stack is “the combination of technologies a company uses to build and run an application or project.” Tech stacks are commonly used in applications or programs that require several different technological functions to operate, such as operating systems, data storage, servers and load balancing, and monitoring and performance tools. One basic example is a service used for data storage and querying. Data storage services allow the app to store user data as well as data about how the program or application is used.
The European Union has thus far been the global leader and innovator in data privacy regulations. With an emphasis on consumer protection, the GDPR is the “toughest privacy and security law in the world.” The GDPR focuses on the regulation of personal data, data privacy, and security, and enforcing these regulations on any organization that targets or collects data from anyone within the EU. After the GDPR was implemented in 2018, IT infrastructure was met with complications in continuing the use of tech stacks because highly integrated systems of technology often relied on the easy acquisition and movement of consumer data.
After the EU’s implementation of the GDPR, tech companies that used tech stacks to operate their applications or programs found it difficult to comply with the privacy regulations when the component parts of the stack were interdependent and used for efficiency of data collection. Because these services can come from different tech companies, it is essential that both the overarching program or application and then every component of the tech stack comply with the applicable privacy regulations.
A large-scale empirical study performed on 400 E-commerce firms found that flexibility in stack compilation resulted in greater success after a change in regulation. Flexibility, which the study described as using new combinations of technologies for stacking purposes, was found to improve the likelihood of compliance under new regulations. Specifically for data storage, it may be easier to use a novel or smaller company to store data so that it is easier to manage the overview of its distribution and to assure compliance.
The CPRA expanded regulations to include most businesses that share data, including service providers, contractors, and third parties that are located in California. The data privacy rights protect California residents’ personal data. Therefore, any business that operates or targets consumers in the state will need to ensure its stacks comply with these stringent data privacy rules. CPRA-affected businesses should begin working to incorporate the previously cited flexibility elements. Consumers’ control over their data is a primary focus of the regulatory changes made in the CPRA, and, therefore, any part of the “back end,” or data storing processes, of the stack will likely be under great scrutiny. To follow the flexibility model set out by the study, California businesses could aim to implement more “creative” and flexible tech stacks, which may allow for lesser change within the entire stack because the sum of the stack will not be accustomed to a certain regulatory scheme and have to change all at once. For example, if the same three stacked components are regularly used together by most applications, a large regulatory change would likely result in disruption to the entire stack because of how interconnected it is. By choosing a less interconnected system, fewer components of the stack may be impacted at once.
The newness of the CPRA will undoubtedly resurface the issue of how tech companies continue to stack technological services to create applications. To protect themselves from heavy fines and disruption of business practices, California companies should look at the GDPR’s impact on EU businesses for guidance on how to comply without losing valuable time and resources.
* J.D. Candidate, Class of 2024, Sandra Day O’Connor College of Law at Arizona State University.
 Michael Twomey, Doing Business in California? The California Privacy Rights Act Is Coming . . ., KANE RUSSELL COLEMAN LOGAN (Oct. 11, 2022), https://www.krcl.com/insights/doing-business-in-california-the-california-privacy-rights-act-is-coming#:~:text=In%20general%2C%20the%20CPRA%20allows,effect%20on%20January%201%2C%202023.
 Ben Wolford, What is GDPR, the EU’s New Data Protection Law?, GDPR.EU, https://gdpr.eu/what-is-gdpr/?cn-reloaded=1 (last visited Feb. 28, 2023).
 Natalie Burford, Andrew Shipilov, & Nathan Furr, How GDPR Changed European Companies’ Tech Stacks, HARVARD BUS. REV. (Feb. 8, 2023), https://hbr.org/2023/02/how-gdpr-changed-european-companies-tech-stacks.
 What Is a Tech Stack?, HEAP, https://www.heap.io/topics/what-is-a-tech-stack (last visited Feb. 28, 2023).
 What Is a Tech Stack? Technology Stack in a Nutshell, DAC.DIGITAL (Mar. 21, 2022), https://dac.digital/what-is-a-tech-stack-technology-stack-in-a-nutshell/.
 HEAP, supra note 4.
 Adam Uzialko, How GDPR Is Impacting Business and What to Expect in 2023, BUS. NEWS DAILY (Feb. 21, 2023), https://www.businessnewsdaily.com/15510-gdpr-in-review-data-privacy.html.
 Wolford, supra note 2.
 Burford, Shipilov, & Furr, supra note 3.
 Natalie Burford, Andrew V. Shipilov, & Nathan R. Furr, How Ecosystem Structure Affects Firm Performance in Response to a Negative Shock to Interdependencies,43 STRATEGIC MANAGEMENT J., 30, 30–57 (2021).
 Burford, Shipilov, & Furr, supra note 3.
 Hannah Beppel, Everything You Need to Know About the California Privacy Rights Act, ADP SPARK, https://www.adp.com/spark/articles/2022/10/everything-you-need-to-know-about- the-california-privacy-rights-act.aspx#:~:text=The%20CPRA%20applies%20to%20your,nonprofit%20organizations%20or%20government%20organizations (last visited Mar 2, 2023).
 Twomey, supra note 1.
 Frequently Asked Questions, CA. CCPA, https://cppa.ca.gov/faq.html (last visited Feb. 28, 2023).