The globe has never been as interconnected as it is right now. With the significant development of technology over recent years, the way we processA series of actions or steps taken in order to achieve a particular end. and share data between countries is seemingly easier than ever before. Data sharing and international data transfers are on the rise, so it is essential that your organisation is aware of and understands various international data protection laws and adopts appropriate measures to protect your data subjects’ personal dataInformation which relates to an identified or identifiable natural person..
The United States, unlike other countries, has a congregation of different laws to adhere to dependent on the State in which you’re in; which can be confusing for organisations who either operate in, or process data on behalf of residents who reside in the U.S.
In this blog, we will be looking at some of the data protection laws that are in effect across the U.S., the scope for new legislation and discuss the potential federal laws that could, one day, help with the legislative gaps.
If you would like to read more about future global data protection laws, you can read a previous blog here.
In recent years, the progression of State data privacy laws has been much more progressive as opposed to the progression of a federal data protection lawAny law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) that relates to the protection of individuals with regards to the Processing of personal data.. States that have, so far, imposed their own data protection laws, include:
In this particular blog, we are going to be focussing on the data protection laws in California and Colorado.
California
The CCPA came into effect in 2020 and offered a range of consumer privacy rights to Californian consumers and set obligations around the sale and the collection of personal information for businesses. The introduction of the California Privacy Rights Act extended the rights granted under the CCPA and took effect in January 2023. The CCPA gave consumers six rights, and the CPRA provides an additional two, including:
Notably, companies who collect data on residents (but may not reside in the State) will have to comply with the CCPA/CPRA. This is one of the most comprehensive data protection laws in the country, going as far as regulating the use of cookiesData which tracks a visitor’s movement on a website and remembers their behaviour and preferences. and protecting employees’ and business-to-business data. It reflects the GDPR in the sense that it mirrors the rights and the definition of sensitive data. In some respects, the CCPA goes further than GDPR as it offers the rights of limitation.
Colorado
The Colorado Privacy Act (CPA) has recently been passed and signed by the Senate and is expected to come into force on 1st of July 2023. This makes Colorado the third State to pass its own privacy legislation (with California and Virginia being the other two). The Act will apply to controllers and will give residents the chance to opt-out of the sale of their data, certain types of targeting advertisements, and certain types of profiling. It also gives residents the right to access, correct and delete personal data, as well as the right to data portability. It also sets the definition of sale as “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.”
The key difference between the proposed CPA and the GDPR is that the CPA relies on an ‘opt-out’ based privacy system. Whereas the GDPR relies on a consent-based system where a data subjectAn individual who can be identified or is identifiable from data. must explicitly ‘opt-in’ before having their personal data processed, assuming consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed. is the lawful basis being relied upon. However, when sensitive data is concerned the CPA require strict opt-in consent.
Future law
Along with the above, the following States are going through the stages of creating and passing their own data protection legislation. These include, but aren’t limited to:
If you are thinking ‘much of the problem around transfers and having universal standards and protections could be solved with a federal law’ you would be correct. In fact, this is something the EU’s Committee in Civil Liberties, Justice and Home Affairs (LIBE) pointed out in its Motion on ‘the adequacy of the protections afforded by the EU-US Data Privacy FrameworkThe EU-US Data Privacy Framework (EU-US DPF) is a set of principles and safeguards for transferring personal data from the EU to certified US organisations. The programme took effect on 10 July 2023, replacing the invalidated Privacy Shield, and the EU Commission has since deemed transfers made from the EU to certified US organisations Adequate. ’ the Committee stressed their concerns around the protection of EU residents’ personal data since there is no current federal data protection law that offers similar protections to the GDPR.
The U.S. does have some specific federal data protection legislation; the Healthcare Insurance Portability AccountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance. Act (HIPAA) which sets standards for protecting patients’ sensitive personal data and health records whilst also outlining the standards for the Privacy of Individually Identifiable Health Information. However, this act is specific to healthcare and not all personal data.
Which leads us into the American Data Privacy and Protection Act, a bipartisan bill aimed at improving data protection across the country by providing a set of rules at a federal level. The act will cover sensitive personal information, set the standards for data controllers, service providers and big tech companies (data holders), give the Federal Trade Commission (FTC) regulatory powers, and will create individual consumer rights for their sensitive information. However, this is still in the ‘bill’ phase and needs to be approved by both the House and the Senate, which could be a problem given the US’s current political divide and then needs to be signed by the President.
The need to have a federal law that covers all aspects of personal data was echoed by President Joe Biden in his 2023 State of the Union address. Both the address, and accompanying factsheet, discusses the importance of bipartisan regulation of personal data, especially children’s data and for social media platforms to be transparent about the data they collect on US residents. Whether this will materialise is yet to be seen.
You don’t have to be a DPO to be intrigued about what is happening in the U.S. when it comes to privacy. Since we trade, share and allow access to significant volumes of personal data with the US, it is handy to understand what data protection looks like State-by-State and on a federal level. When you are transferring data from the UK or the EU you will need to do a TransferThe movement of data from one place to another. This could be, for example, from one data controller to another, or from one jurisdiction to another. Impact Assessment or a Transfer Risk Assessment (depending on if reside in the EU or UK) before you can transfer data to a third countryA country that is not part of the European Economic Area (EEA). (if you are in the UK, we have a blog on this), so knowing what protections are given to personal data is essential for these assessments.
If you are a UK or EU organisation and need help with managing the personal data you collect and transfer to the US, please get in touch using the form below.
Editor’s note, this blog is correct at the point of publication. We will try and keep this up-to-date as new legislations come in. However, this may not always be possible, as this blog is to serve a snapshot of this moment in time.
Fill in your details below and we’ll get back to you as soon as possible