When the United States sneezes, the world catches a cold. This statement is particularly true in the world of digital technology. America is, after all, home to many of the world’s leading and most successful online companies. However, one area where our European cousins lead the charge is digital privacy.
GDPR changed the way the world views privacy
If you cast your mind back to 2018, you’ll remember how the European Union shook up the entire world with the General Data Protection Regulation (GDPR).
At the time, GDPR was unique because it was an all-encompassing regulation designed to protect the privacy of European citizens regardless of with whom or where they shared their data. This regulation meant that if U.S. organizations wanted to continue operating in Europe or with European citizens, irrespective of their location, they had to comply with GDPR.
Unlike previous privacy regulations, GDPR had teeth and the weight of the European Commission behind it to levy huge fines for breaches.
Millions of dollars and countless staff hours were spent globally ensuring compliance. In many ways, this investment helped clean up the last remains of the “Wild West” business practices adopted in a maturing but still largely unregulated digital business sector. Yet, despite this, countless U.S. firms have fallen foul of GDPR.
Still don’t think GDPR applies to you? Check out this list of the biggest fines levied for non-compliance — it reads like a “Who’s Who?” of great American businesses, with Amazon, Meta (Facebook), and Alphabet (Google) dominating the top ten of most significant fines.
The changing face of U.S. privacy laws
It could be argued that prior to GDPR, the U.S. was essentially kicking the can (CAN-SPAM) down the road in terms of privacy.
In many ways, GDPR forced U.S. businesses to clean up their acts without the need for U.S. regulations. But this doesn’t mean that the U.S. isn’t taking privacy seriously. There are currently multiple privacy laws in place and many others being rolled out across the U.S. However, due to the way individual states create legislation, these laws are less connected or all-encompassing than GDPR. For businesses operating across the state line, this can be confusing.
The California Consumer Privacy Act (CCPA) and subsequent California Privacy Rights Act (CPRA), which becomes enforceable on July 1, 2023, have been described as the closest thing to GDPR.
The CPRA builds on the foundation set by the GDPR, which laid the groundwork for several rules not included in the CCPA. These rules include:
- Data minimization: Ensuring data collection is necessary to fulfill a specific purpose.
- Purpose limitation: Ensuring collected data cannot be used for new and incompatible purposes.
- Storage limitation: Ensuring data cannot be stored for longer than necessary.
The GDPR has also influenced how the CPRA handles sensitive personal information (SPI), such as race or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, genetics, and health-related data.
Despite the similarities, there are some key differences between GDPR and CPRA.
GDPR applies to any organization that collects and processes data from EU citizens, regardless of company size, location, or purpose. GDPR also doesn’t differentiate between personal and business data.
Meanwhile, the California Privacy Rights Act (CPRA) only applies to businesses that collect and process the personal information of California residents and meet one or more of the following criteria:
- Have an annual gross revenue of over $25 million;
- Buy, sell, or share the personal information of 100,000 or more consumers or households annually; or
- Derive 50% or more of their annual revenue from selling consumers’ personal information.
Compared to GDPR, there’s a lot of room for businesses to fly under the radar of CCPA/CPRA. This perhaps reflects a more relaxed attitude in the U.S. towards organizations accessing and storing personal information when compared to Europe. However, following several high-profile data breaches that have inconvenienced thousands of U.S. citizens, these attitudes are becoming less lax, and more U.S. states are jumping on the privacy bandwagon.
The Virginia Consumer Data Protection Act (VCDPA)
The Virginia Consumer Data Protection Act (VCDPA) is a privacy law similar to the CCPA/CPRA and GDPR and became enforceable on January 1, 2023.
The VCDPA applies to businesses that conduct business in Virginia or target Virginia residents and meet specific threshold requirements. These requirements include processing the personal data of at least 100,000 Virginia consumers annually or deriving over 50% of gross revenue from the sale of personal data and processing the personal data of at least 25,000 Virginia consumers annually.
Under the VCDPA, Virginia consumers have the right to know what personal data is being collected about them, the right to access their data, the right to correct inaccuracies in that data, the right to delete their data in certain circumstances, and the right to opt out of the sale of their data.
The Colorado Privacy Act (CPA)
The CPA is set to become effective on July 1, 2023.
Similar to the CCPA/CPRA and GDPR, the CPA applies to businesses that conduct business in Colorado or target Colorado residents and meet certain threshold requirements. These requirements include processing the personal data of at least 100,000 Colorado consumers annually or deriving over 50% of gross revenue from the sale of personal data and processing the personal data of at least 25,000 Colorado consumers annually.
Once again, under CPA, Colorado consumers have the right to know what personal data is being collected about them, the right to access their personal data, the right to correct inaccuracies in their personal data, the right to delete their personal data in certain circumstances, and the right to opt out of the sale of their personal data.
A growing movement for greater privacy across the U.S.
While the CCPA/CPRA, VCDPA, and CPA are all local regulations, there is a growing movement leading to an increasing number of states introducing privacy regulations, which will go some way to connecting the dots and creating a “national” commitment to safeguarding privacy.
Connecticut, Iowa, and Utah all have regulations due to be enforced in the next two years. According to the International Association of Privacy Professionals (IAPP) tracker, many other states are in the process of introducing regulations.
However, there are some legacy U.S. privacy laws that cross state lines and protect individuals on a federal level.
HIPAA – Federal Law
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996, predating GDPR and even widespread internet use.
HIPAA was designed to provide privacy and security standards to protect patients’ personal health information. The law sets national standards for the privacy and security of protected health information (PHI) and applies to health plans, healthcare providers, and healthcare clearinghouses that conduct certain electronic transactions.
Under HIPAA, covered entities must implement safeguards to protect PHI’s confidentiality, integrity, and availability. These safeguards include administrative, physical, and technical measures to ensure the privacy and security of PHI.
HIPAA also gives individuals certain rights concerning their PHI, including the right to access their PHI, the right to request corrections to their PHI, and the right to file complaints if they believe their privacy rights have been violated.
How are businesses reacting?
On the whole, businesses are reacting positively to the growing wave of privacy regulations. Knowing this trend is not going away, many companies are adapting their services to build privacy into their business models. We’ve already seen Apple’s Mail Privacy Protection updates, and Google is re-inventing how it tracks user engagement in GA4, the latest iteration of Google Analytics.
However, this can be a confusing time for small and medium-sized businesses that don’t have the resources to track and keep pace with the demands of privacy regulations. This is especially true when data is collected and processed across multiple technology platforms. For those businesses, it makes sense to safeguard the privacy of their clients and the future of their organization by speaking to an expert who can help them stay compliant.
To learn more about how the marketing experts at emfluence can help your business stay on the right side of current and upcoming privacy regulations, contact us today at email@example.com.