In terms of data privacy protection, the General Data Protection Regulation (GDPR) is widely regarded as the gold standard. Adopted in 2016 and in force since May 2018, this EU regulation gives individuals new rights over how their personal data is used, and it provides clear obligations for organizations that process (i.e., collect, store, use) personal data. Its scope is extraterritorial: the GDPR covers the personal data of individuals who are in the EU regardless of where the organization processing it is established, so a business based in another country that handles the personal data of people in the EU is still subject to the GDPR for that data.
In comparison, the US has not yet adopted comparable national legislation, and the need for comprehensive rights and requirements surrounding our citizens' personal data continues to grow with our increasing use of technology. Recognizing this gap, individual states have been enacting their own data protection legislation, much of which aligns with portions of the GDPR. Since 2018, nine states (California, Virginia, Colorado, Utah, Connecticut, Indiana, Iowa, Montana, and Tennessee) have enacted comprehensive consumer privacy laws, and the trend is upward (IAPP, 2023). The number of states either considering or moving to pass bills of their own continues to increase. The number of consumer privacy bills under consideration more than doubled from 2021 to 2022 (29 bills in 2021 versus 60 in 2022), and in 2022 two more states, Utah and Connecticut, passed consumer privacy laws. In 2023, several additional states have followed suit and enacted data privacy legislation.
Although we appear to be moving in the right direction, there is growing concern about the patchwork of state privacy regulations and the confusion it creates for companies trying to work out which laws apply to their data handling. Beyond having to satisfy each state's requirements and the rights it grants individuals, businesses face substantial consequences for noncompliance, including fines and other legal action. A good example is the settlement reached with the retailer Sephora, the first public enforcement action under California's data privacy law, the California Consumer Privacy Act (CCPA). In summary, Sephora had been making data collected from visitors to its website, such as shopping cart contents and user location, available to third parties for targeted advertising and analytics, which the California Attorney General treated as a "sale" of personal information under the CCPA. Sephora did not tell consumers that it was selling their personal information, and it failed to honor opt-out requests, including opt-out signals sent through the Global Privacy Control browser setting. Sephora settled for $1.2 million (Merken, 2022).
Fortunately, the state laws that have come into effect tend to contain similar provisions. The need for a unified federal regulation remains, however. The most promising effort on this front is likely the American Data Privacy and Protection Act (ADPPA). The ADPPA would adopt rights similar to those in the GDPR, such as the right to know what personal information is being collected, the right to opt out of certain uses such as targeted advertising, and the right to have personal data deleted. While there is still a long road ahead before it could become law, the ADPPA represents a big step toward establishing national data privacy protections for the US.
In conclusion, it remains critical for organizations to maintain awareness and understanding of the regulations that currently apply to their business operations, as well as those on the horizon. Engaging a knowledgeable privacy professional to conduct one or more gap assessments is a recognized and proven way to confirm that a business is in full compliance.
Below is a table of the states that have enacted data privacy laws, the states with active bills moving through the legislative process, and the states whose bills are currently inactive in the legislative process:

| Data privacy law signed into law | Active data privacy bill in the legislature | Inactive data privacy bill |
| --- | --- | --- |
| California | Delaware | Hawaii |
| Colorado | Maine | Illinois |
| Connecticut | Massachusetts | Indiana |
| Indiana | New Hampshire | Kentucky |
| Iowa | New Jersey | Louisiana |
| Montana | North Carolina | Maryland |
| Tennessee | Oregon | Minnesota |
| Utah | Pennsylvania | Mississippi |
| Virginia | Rhode Island | New York |
| | Texas | Oklahoma |
| | | Vermont |
| | | Washington |
| | | West Virginia |
Resources
International Association of Privacy Professionals (IAPP), 2023. US State Privacy Legislation Tracker. Retrieved from: https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
Merken, S., 2022, August 24. Sephora to pay $1.2 mln in privacy settlement with Calif. AG over data sales. Reuters. Retrieved from: https://www.reuters.com/legal/litigation/sephora-pay-12-mln-privacy-settlement-with-calif-ag-over-data-sales-2022-08-24/