The status of data protection in the United States

Since the introduction of the European General Data Protection Regulation (GDPR), which went into effect in May 2018, there has been an increased interest in consumer data protection and privacy around the world. California was the first US state to take action, and enacted the California Consumer Privacy Act (‘CCPA’), a landmark legislation that was signed into law on 28 June 2018 and took effect on 1 January 2020. California subsequently the CCPA through the enactment of the California Privacy Rights Act (‘CPRA’) to amend the CCPA and further strengthen California’s data privacy protections. The CPRA took effect on 1 January 2023.

By way of reminder, the United States currently relies on sector-specific and state-specific regulations to address specific areas of concern (eg health-related information, children’s information, etc), instead of having in place a single, comprehensive federal legislation to cover all aspects of data protection. In other words, since there is no overarching privacy framework at the federal level, it is up to each US state to enact its own privacy legislation if they want to grant their residents certain privacy rights or if they want to impose certain requirements on organisations handling personal information. As a result, a number of US states have introduced a federal legislation: in addition to California, other states having enacted a similar legislation include Virginia (effective since 1 January 2023), Connecticut and Colorado (both of which will enter into effect in July 2023), Utah (which will enter into effect on 31 December 2023) and Iowa (which will enter into effect on 1 January 2025).

While substantial similarities exist between both the GDPR and these new US privacy laws, there are also important differences between them. All the new US state laws refer to the term ‘personal information’ or ‘personal data’ that is defined broadly. Having said that, many US state laws explicitly excludes individuals ‘acting in a commercial or employment context.’ While California had such an exemption in place with the CCPA, that exemption ended in January 2023 when the CPRA entered into effect. This means that, for example, employee-related data is protected by the CPRA, whereas the other US state privacy laws mentioned above would not apply to such data.

Many US state privacy laws borrow terms and definitions from the GDPR, such as ‘controller’ and ‘processor’ and as mentioned above, ‘personal data’. California however uses its own terminology: ‘business’ (instead of ‘controller’), ‘service provider’ (instead of ‘processor’) and ‘personal information’. The concept of ‘sale’ of personal data is a term found in many US state laws, but the definition differs across states: in some states, a ‘sale’ occurs when personal data is exchanged for monetary consideration only, whereas other states such as California and Colorado consider that an exchange for ‘valuable consideration’ also constitutes a sale. Such discrepancy in the definition of the same term means that organisations need to be cautious on how they handle their disclosures across various states. In particular, where an organisation is ‘selling’ personal information, they will need to provide individuals with disclosures in relation to such ‘sale’ and provide the ability to opt-out.

Violation of such disclosure and opt-out requirements can lead to severe consequences: on 24 August, California Attorney General Rob Bonta announced a $1.2m fine against the French global cosmetics chain Sephora. According to the attorney general, the company had failed to (i) disclose that it was selling the personal information of California consumers, (ii) provide a ‘Do Not Sell My Personal Information’ link on its website, and (iii) honour global privacy control opt-out signals for users to opt out of the sale of their personal information. In addition to the $1.2m penalty, the company was also required to implement a two-year monitoring and reporting programme intended to demonstrate its ongoing compliance with the CCPA. While this decision is the only publicly available enforcement action available under the CCPA, it is expected that there will be more enforcement actions in the near future since the CPRA created a new state government agency dedicated to privacy: the California Privacy Protection Agency (CPPA). The California attorney general however retains the power to enforce the CPRA through civil penalties and can still take action based on non-privacy specific laws (eg California’s unfair and deceptive practices statute).

Due to the challenges to comply with so many laws within the US, it is not surprising that many organisations have been pushing for the introduction of a US federal data privacy framework. After years of unsuccessful attempts, the American Data Privacy and Protection Act (‘ADPPA’) – a proposed US federal online privacy bill that would regulate how organisations keep and use consumer data – is the furthest a federal data privacy bill has managed to go so far. While the bill ultimately failed to pass, the multitude of US state privacy laws appears to be a current point of concern from Congress, as evidenced by a congressional hearing dedicated to privacy which took place in March 2023. The hearing was hosted by the House committee on energy and commerce’s new subcommittee on innovation, data and commerce.

While the ADPPA failed to gather sufficient support, it provides some insight as to what a federal law should cover. The ADPPA would have preempted most state privacy laws, such as the California Consumer Privacy Act/California Privacy Rights Actor the Colorado Privacy Act, which is why the ADPPA is facing criticism and opposition from privacy advocates who argue that US states should be able to increase the privacy protections for their residents. This issue (also known as ‘preemption’) is a big sticking point, since states such as California do not want the ADPPA to supersede their own laws. For example, on 23 February 2023, the California Attorney General Rob Bonta, Governor Gavin Newson, and the CPPA sent a joint letter to Congress opposing the prospect that a federal privacy laws would preempt state regulations. According to the joint letter, a federal privacy law should simply ‘set the floor and not the ceiling in any privacy law, and to allow states to provide additional protections in response to changing technology and data privacy protection practices.’

In short, the privacy framework in the United States is still evolving, with more US states introducing comprehensive data privacy laws. For example, as of April 2023, the state of Washington may be the next state to enact a sweeping law that would govern how businesses collect, share and sell consumer health-related data. Nevertheless, it is important to bear in mind that while these new state laws are intended to be comprehensive in scope and contain many similarities, they do vary with respect to their reach, based on organisations exceeding certain thresholds (eg based on revenue or the number of residents or households within a given state). Additional rulemaking is also expected from some states – for example, in California. It is increasingly clear that data privacy laws are evolving, whether in the US or internationally), therefore it is crucial for all organisations to remain informed about the data privacy developments (and security controls!) to protect the personal information that they handle.