Abstract
Technology firms are not only creating and adopting innovations at an unprecedented pace, but also operating within an increasingly complex regulatory environment shaped by those innovations. Major technology companies collect, process, and analyze vast quantities of personal information, making them prime targets for cyberattacks and public scrutiny. As data collection accelerates, incidents compromising personal information have become more frequent and severe. In 2023 alone, more than 2,000 data breaches were reported in the United States, affecting over 350 million records and generating billions of dollars in estimated economic losses (Hulsey, 2024). In response, governments have enacted comprehensive privacy and data protection regulations aimed at increasing accountability and strengthening data stewardship practices. Two representative regulatory frameworks are the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), later expanded through the California Privacy Rights Act (CPRA). While these regulations share common objectives related to privacy and consumer protection, they differ substantially in philosophy, scope, enforcement mechanisms, and governance expectations. GDPR emphasizes data subject rights, accountability, and privacy-by-design principles within a broad human-rights framework. In contrast, CCPA/CPRA place greater emphasis on consumer control, transparency, and corporate disclosure obligations within a market-oriented regulatory model. This TREO talk explores how these regulatory regimes are influencing the governance, risk, and compliance (GRC) strategies of large technology firms. The presentation examines whether firms demonstrate stronger alignment with GDPR-oriented governance models, CCPA/CPRA-oriented approaches, hybrid strategies, or, in some cases, minimal substantive alignment beyond formal compliance requirements.
We discuss organizational actions and policies that may signal these orientations, including privacy-by-design initiatives, data minimization practices, third-party risk management, consumer rights procedures, breach notification protocols, AI governance policies, and internal accountability structures. By comparing the differing influence of European and U.S. privacy regulations on corporate GRC strategies, this talk contributes to ongoing discussions regarding the globalization of digital governance, the evolution of cybersecurity management, and the growing convergence between legal compliance and strategic organizational governance. The session will provide researchers and practitioners an opportunity to discuss a framework for evaluating how firms operationalize privacy regulation beyond mere legal adherence and how competing regulatory philosophies shape contemporary cybersecurity governance.
Recommended Citation
Díaz López, Andrés, "GDPR and CCPA/CPRA Influence on Technology Firms’ Governance, Risk, and Compliance Strategies" (2026). AMCIS 2026 TREOs. 103.
https://aisel.aisnet.org/treos_amcis2026/103