Legal Business Blogs

Sponsor briefing: The evolving data protection framework in the United States

Paul Lanois of Fieldfisher on how California led the way in creating new legislation inspired by GDPR

Since the introduction of the European General Data Protection Regulation (GDPR), which went into effect in May 2018, there has been an increased interest in consumer data protection and privacy around the world (as seen for example with the introduction of new laws such as Brazil’s General Law for the Protection of Personal Data).

California was the first US state to act, with the California Consumer Privacy Act (CCPA), a landmark piece of legislation inspired by the GDPR that grants California residents increased transparency and control over how businesses collect and use their personal information, and that took effect on 1 January 2020. By way of reminder, the US currently relies on sector-specific and state-specific regulations to address specific areas of concern, instead of having comprehensive federal legislation in place to cover the various aspects of data protection.

While substantial similarities exist between the GDPR and the CCPA (after all, the drafters of the CCPA took inspiration from the GDPR), there are also important differences between them. Among many other differences, the CCPA only protects residents of California and places certain requirements on the ‘sale’ of personal information (ie, the exchange for value of consumer information), such as the need to include a clear and conspicuous ‘Do Not Sell My Personal Information’ link on the website. Violation of the CCPA’s requirements can lead to severe consequences: on 24 August, California Attorney General Rob Bonta announced a $1.2m fine against the French global cosmetics chain Sephora. According to the Attorney General, the company had failed to (i) disclose that it was selling the personal information of California consumers, (ii) provide a ‘Do Not Sell My Personal Information’ link on its website, and (iii) honour global privacy control opt-out signals for users to opt out of the sale of their personal information. In addition to the $1.2m penalty, the company was also required to implement a two-year monitoring and reporting programme intended to demonstrate its ongoing compliance with the CCPA.

Since the introduction of the CCPA, a number of US states have followed California’s example: the states of Virginia, Utah, Colorado and Connecticut have also enacted comprehensive data privacy legislation that will enter into effect in 2023. Not to be outdone, California has also updated its current legislation (the CCPA) through the enactment of the California Privacy Rights Act (CPRA) to strengthen California’s data privacy protections. The introduction of these new data privacy laws means that organisations in the US (as well as organisations handling personal information relating to residents of these states) are subject to new data privacy obligations, while consumers welcome their elevated data protection rights, aimed at better protecting consumer data privacy.

Both the CPRA and the Virginia Consumer Data Protection Act (CDPA) will come into force on 1 January 2023. The Colorado Senate Bill 21-190 for the Colorado Privacy Act (CPA) and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) will take effect on 1 July 2023, whereas the Utah Consumer Privacy Act (UCPA) will enter into force on 31 December 2023. This means that by the end of 2023, organisations will have to comply with no fewer than five state data privacy laws within the US alone (to the extent that such organisations have a national reach). Clearly, 2023 will be a busy year from a US privacy law standpoint, and the data privacy framework may get even more complex in the future, with other US states also looking to introduce their own state data privacy laws.

Given the challenges of complying with so many laws within the US, it is not surprising that many organisations have been pushing for the introduction of a US federal data privacy framework. After years of unsuccessful attempts, the American Data Privacy and Protection Act (ADPPA) – a proposed US federal online privacy bill that would regulate how organisations keep and use consumer data – is the furthest a federal data privacy bill has managed to go so far and could be the country’s first comprehensive federal consumer privacy framework.

The ADPPA, as currently drafted, would preempt most state privacy laws, such as the California Consumer Privacy Act or the Colorado Privacy Act, which is why the ADPPA is facing criticism and opposition from privacy advocates who argue that US states should be able to increase the privacy protections for their residents. This issue (also known as ‘preemption’) is a big sticking point, since states such as California do not want the ADPPA to supersede their own laws. In any case, the ADPPA still has a long way to go before being enacted into law and, even if enacted, it may end up looking very different at the end of the legislative process compared to current drafts.

In short, the privacy framework in the US is rapidly evolving, with more US states introducing comprehensive data privacy laws, and we may eventually have federal legislation governing the protection of consumers’ data nationwide. In the meantime, it is crucial for all organisations to remain informed about the latest security controls and data privacy developments to protect the personal information that they handle.

Author

Paul Lanois
Director, data

Fieldfisher Silicon Valley
2650 Birch Street
Suite 100
Palo Alto
CA 94306
United States of America

Email: paul.lanois@fieldfisher.com
Tel: +1 (650) 313 2361
