In a recent guest article for The Times, co-leader of Pillsbury’s global Data Privacy practice Rafi Azim-Khan writes that global authorities are combatting privacy threats from big data, tracking and surveillance with a “growing tsunami of regulation,” including the EU’s General Data Protection Regulation and new laws in New York and California, that is designed to empower consumers against technology’s overreaches.

Azim-Khan specifically covers the California Consumer Privacy Act (CCPA), which went into effect on January 1 and applies to UK companies (and many others) doing business in California, regardless of whether they have a physical presence in the state. The law’s reach is in keeping with the “regulatory trend” of extra-territoriality, he writes.

Azim-Khan also cautions UK companies not to assume that complying with the game-changing GDPR means compliance with the CCPA.

“This is a dangerous fallacy,” he warns. “Although cut from a similar cloth, there is a significant divergence: The CCPA catches fewer businesses but extends broader rights.”

Among the differences between the GDPR and the CCPA are the latter’s broader definition of what comprises personal data and its requirement of a privacy policy that outlines how a business sells data (also based on a broader definition of what constitutes a sale) and offers consumers the right to “opt out.”

“The CCPA confers a host of new responsibilities, from imposing additional on-demand disclosure rights to requiring the updating of privacy policies annually,” Azim-Khan concludes. “Compliance with the GDPR is a start, but in a globalized marketplace, businesses need to be able to ride the entire regulatory wave.”