The Growth of State-Specific Data Protection Laws in the U.S.
Several years ago, the EU collectively introduced GDPR (General Data Privacy Requirements), which went into effect on May 25, 2018, and covers all 27 member countries of the EU.
Although not perfect, it advanced individual rights regarding data privacy. In some cases, individual countries have added additional requirements above GDPR, but it remains the gold standard. GDPR is generally considered the most robust privacy protection law in the world.
California Consumer Privacy Act
There is no serious traction for a national data protection law in the United States, but some forward-leaning states have taken action and put state-specific laws into place. It’s essential to understand who those laws impact (and who they don’t). For example, the CCPA (California Consumer Privacy Act) applies to for-profit businesses that do business in California and meet any of the following requirements:
- Have annual gross revenue over $25,000,000;
- Buy, receive, or sell the PII of 50,000 or more California residents, households, or devices;
- Get 50% or more of their annual revenue from selling California residents’ PII.
Just as GDPR is constantly evolving, so is the CCPA. Think of it this way: data privacy requirements are a journey, not a destination. There are currently bills in the California legislature that, if passed, will amend the CCPA/CPRA, potentially impacting how organizations approach the law.
Virginia Consumer Data Protection Act
Similarly, the Virginia Consumer Data Protection Act (VCDPA) went into effect on January 1, 2023. The bill is concise, at only eight pages long, and is a better model for other states in the future than the overly complex CCPA.
However, the law needs more clarity. It starts with applicability: the law covers companies that do business in the Commonwealth and also companies whose products target residents of Virginia, yet it gives no definition of “targeted.”
It includes other similar aspects, such as the consumer’s right to request their data be deleted (note I did not say redacted). Unlike other laws, it protects data that can be linked to a person but not data that can be linked to a device (which the CCPA covers).
Data protection laws in the U.S. will only continue to spread across states. The map above from the International Association of Privacy Professionals (IAPP) gives a good overview of where each state is in the process of passing its data protection laws.
As this is a blog post and not a white paper, our objective is to help you recognize both the complexity and the evolving nature of data protection laws on a global basis, and to try to point you to the right resources so that you can get your arms around the issues and do your best to stay one step in front of the bad guys.