Overview of the laws adopted in the United States with regard to the protection of privacy and personal data

The adoption of the GDPR in April 2016 inspired many legislators around the world. The United States has not escaped this influence, even if major differences remain with the European regulation. The most notable difference is undoubtedly the absence of a single, comprehensive law applicable to all categories of personal data and to all business sectors. Recent initiatives by some states demonstrate a desire to strengthen data protection in the country.

By Alexis Chauveau-Maulini, Senior Consultant

The passage of the California Consumer Privacy Act (CCPA) in 2018 started a legislative wave that is now spreading from coast to coast of the United States. To date, four other states have passed legislation, namely:

  • Virginia, with the Virginia Consumer Data Protection Act (VCDPA), which has been in force and enforceable since January 1, 2023 in the State of Virginia;
  • Colorado, with the Colorado Privacy Act (CPA), which will come into force and be enforceable on July 1, 2023;
  • Connecticut, with the Connecticut Data Privacy Act (CTDPA), which will come into force and be enforceable on July 1, 2023;
  • Utah, with the Utah Consumer Privacy Act (UCPA), which will come into force and be enforceable on December 31, 2023.

It should be noted that California law has been the subject of a significant amendment, the California Privacy Rights Act (CPRA), which came into force on January 1, 2023 and will be enforceable on July 1, 2023.

Three tendencies can be distinguished: first, the California law, which is considered the most protective of individuals; then the laws of Virginia, Colorado and Connecticut, which take an intermediate approach; and finally the law of Utah, which is the least restrictive for companies.

Scope and coverage

All five laws are aimed at consumers (individual consumers and households), which means that people acting in a professional capacity are excluded from protection. However, since January 1, 2023, California law treats people acting in a professional context as consumers, so that they benefit from the same rights.

The scope of the laws of Virginia, Colorado, Connecticut and Utah rests on two alternative criteria (the place of establishment of the organization that processes the data, or the place of residence of the consumers whose data are processed), combined with certain thresholds.

For California, the determining criterion for the application of the law is based on the residence of the consumers whose data is processed, combined with the aforementioned thresholds.

It should be noted that there are exemptions (entity-level exemptions and data-level exemptions) which may allow an organization to escape the application of these laws.

Rights of individuals

The different rights granted to individuals are as follows:

  • the right of access, sometimes associated with the right of interrogation;
  • the right to rectification;
  • the right to erasure;
  • the right to data portability;
  • the right to non-discrimination;
  • the right to object to (opt out of) certain processing (targeted advertising, profiling and sale of data);
  • the right to consent to the processing of sensitive data;
  • the right of appeal.

Depending on the law in question, individuals benefit from all or only some of these rights, and the exact content of a given right, or the manner of exercising it, may differ from one law to another. All five laws require organizations to provide a sufficiently clear and accessible privacy notice describing how individuals can exercise their rights.

Specifically regarding the right to object to the sale of personal data, California law requires the organization processing the data to provide a “Do Not Sell or Share My Personal Information” (DNSMPI) link on its website. Connecticut law also provides for the provision of such a link, but does not specify its exact wording.

Finally, under all five laws, a request to exercise a right must be processed within 45 days of its receipt, a period that may be extended once.

Supervision of contractual relations

The laws of Virginia, Colorado, Utah and Connecticut have borrowed from the GDPR the notions of controller and processor, which now exist alongside the notions of business and service provider used by California law.

All five laws require the parties involved in data processing to conclude a contract and impose certain specific obligations on them (description of the processing carried out, security obligations, etc.).

Obligation to carry out Data Protection Assessments

The laws of Virginia, Colorado and Connecticut require the completion of Data Protection Assessments before the implementation of processing operations presenting a high risk for individuals (sensitive data, targeted marketing and/or profiling, sale of personal data).

In addition to the Data Protection Assessments, California law requires an annual cybersecurity audit for processing that poses a high risk to the privacy or security of individuals.

Compliance monitoring and penalties

California has created a dedicated authority, the California Privacy Protection Agency, while the other four states rely on their Attorney General to enforce the new privacy laws and sanction violations.

To date, there is no private right of action for data subjects (except under the CCPA, which provides for this possibility in certain limited cases).

The fines incurred in case of violation of the law are cumulative according to the number of violations, and their total amount can be substantial.

The five laws give organizations the possibility of curing the violations alleged against them (right to cure) within a set period (30 days for Virginia and Utah, 60 days for Colorado and Connecticut) before a penalty is actually imposed. This right has now expired for the CCPA.

The legislative initiatives taken by some states are a promising starting point for data protection in the United States. It remains to be seen in practice how these various laws will be applied, as well as how the federal privacy bill, the American Data Privacy and Protection Act (ADPPA), will progress; but organizations must clearly prepare for increased constraints in this area.