Recently, our partner - Felik.Agency - the article "How a Ukrainian Business Can Introduce a Product to the US Market: The Experience of a Digital Marketing Expert", emphasized the fact that laws, norms, and rules regarding digital marketing in different US states differ from each other.
Continuing the topic, we decided to look at what is happening in the States with privacy laws, when the Federal law will be passed, and what laws govern the field of data protection in the various states of America.
We can immediately say that today the US has made significant progress in privacy laws. Six states have passed comprehensive data protection laws (at least two more are likely to follow), and five of them will take effect during 2023.
One of the most significant changes to US privacy law is the California Privacy Rights Act (CPRA), which takes effect on July 1, 2023. The CPRA makes several important amendments to the California Consumer Privacy Act (CCPA), which was effective July 1, 2020.
Among other changes, the CPRA introduces the concept of "sensitive personal information," which includes information about government consumer identification numbers, credentials, racial origin, religious beliefs, union membership, genetics, biometrics, health status, and more. It also provides several new rights for consumers, such as the right to correct inaccurate personal information and the right to restrict the use and disclosure of private information.
The CCPA's "opt-out right" now expressly allows consumers to opt out of "cross-contextual advertising," which involves combining personal information from different websites or apps to target ads to people.
Most importantly, the CPRA mandates that California have its own privacy regulator, the California Privacy Protection Agency (CPPA).
Following California, five US states have enacted applicable privacy laws:
Virginia Consumer Protection Act (VCPDA) (Effective January 1, 2023)
Connecticut Data Privacy Act (CTDPA) (July 1, 2023)
Colorado Privacy Act (CPA) (July 1, 2023)
Utah Consumer Privacy Act (UCPA) (December 31, 2023)
Iowa Consumer Information Protection Act (ICDPA) (January 1, 2025)
These laws change the concept of privacy for businesses operating in the US.
They introduce data protection concepts more familiar to organizations that comply with the EU's General Data Protection Regulation (GDPR).
New state privacy laws are likely to take effect in the coming years, and similar bills in Tennessee and Indiana await governors' signatures. Other bills, such as the yet-to-be-signed Washington Health and Data Act, could also have significant privacy impacts.
The new state laws generally apply to all sectors, but some apply only to businesses that process the personal data of at least 100,000 consumers, as well as to smaller companies that derive a portion of their revenue from the sale of personal data. Utah law also excludes any business that generates less than $25 million in annual revenue. But unlike GDPR, they contain exceptions for processing data subject to industry laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).
Each of the new US state privacy laws provides new consumer rights, including:
Each law also imposes new rights to the processing of “private data,” with Virginia, Colorado, and Connecticut laws providing GDPR-style consent; and Iowa and Utah require controllers to offer consumers an option to opt out of the collection.
Consumer rights under these US laws differ in some cases from the "data subject rights" of the GDPR. Consumers dissatisfied with the comptroller's response should use an internal appeals process before complaining to the state Attorney General. Controllers must respond to consumer requests within 45 days (compared to one month in the EU), but as with GDPR, businesses must not charge a fee unless the request is "manifestly unreasonable, excessive or repetitive".
Using GDPR wording, each of these new laws requires controllers to enforce agreements with their processors. Similar to California's "contracts with service providers," controllers under the laws of these other states must contractually require audits, and not share data received from the controller (with some exceptions) with subcontractors.
New Virginia and Connecticut privacy laws require controllers to conduct a "data protection assessment" in certain circumstances, including before engaging in targeted advertising, selling personal data, processing private data, and performing other risky activities. Privacy bills currently pending in Tennessee and Indiana contain a similar requirement. These provisions were clearly inspired by the GDPR's data protection impact assessment and require companies to balance the benefits that may be derived from the processing against the risks to consumers and the public, taking into account any appropriate safeguards.
Equally important for companies operating in the US are the recent actions of the Federal Trade Commission (FTC) following existing laws.
In February, the FTC imposed a $1.5 million civil penalty on discount drug provider GoodRx and permanently barred the company from sharing medical information for advertising purposes under the Health Whistleblower Rule.
In March, the Federal Trade Commission also agreed to pay remote therapy provider BetterHelp $7.8 million under the Federal Trade Commission Act, a consumer protection law that BetterHelp allegedly violated by promising not to share personal information and then doing so with pixels and other trackers.
The FTC's broad interpretation of "personal information" and "health information" in these cases — and its view that unauthorized data sharing with advertisers can be a "data breach" — points to a trend toward tighter privacy enforcement in the US.
A comprehensive US federal privacy law could bring some clarity to this patchwork of state and industry privacy laws.
A federal bill, the American Data Privacy Protection Act (ADPPA), was introduced in the House of Congress last June. The ADPPA will apply to businesses and nonprofits in all sectors, regardless of size.
Among other provisions, the ADPPA will:
It is possible that the ADPPA will impose much stricter requirements on businesses than the current portion of state privacy laws. The bill was not passed in last year's legislative session. Opposition centered around the law's ability to overturn state privacy laws and the "private right of action," which would allow individuals to sue companies that fail to comply.
Today, it's safe to say that unless the federal law is passed (and maybe even if it is), businesses will continue to struggle with the various local and industry-specific privacy laws enacted in many US states. In any case, the long era of lax privacy regulation in the US appears to be coming to an end.
LinkedIn
YouTube
Instagram
Facebook
Telegram
Medium
Violetta Loseva
,
Serhii Floreskul
,
