When the General Data Protection Regulation (GDPR) entered into force, US privacy law was still in its infancy. Though enforced by the European Union (EU), the GDPR had wide-ranging implications for organizations well beyond Europe. Since it became applicable in all 28 EU Member States in 2018, it has become the regulatory standard in data privacy and has ushered in a new wave of data compliance laws and regulations.
Data privacy and protection laws exist in many jurisdictions across the globe, as illustrated by the IAPP 2022 mapping chart, and there has been a recent uptick in data localization requirements. The US is no exception. Before the end of 2023, five brand new US state privacy laws will enter into force:
- The California Privacy Rights Act, effective January 1, 2023
- The Virginia Consumer Data Protection Act, effective January 1, 2023
- The Colorado Privacy Act, effective July 1, 2023
- The Connecticut Data Privacy Act, effective July 1, 2023
- The Utah Consumer Privacy Act, effective December 31, 2023
The fact that five US state laws have been adopted less than five years after the entry into force of the GDPR is an achievement for data privacy. What’s more, in recent months the US has made progress towards the adoption of a federal horizontal privacy law with the proposed American Data Privacy Protection Act (ADPPA).
That said, the legislative journey is not over and obstacles remain down the road. In this blog, we’ll take a closer look at these new data privacy regulations and what data teams need to know to stay ahead of the protection curve.
How do state data privacy regulations differ from the GDPR?
While the GDPR has inspired many subsequent regulations, none of the new US state laws is a GDPR transplant. The GDPR finds its roots in human rights, not consumer law, and relies upon a prohibition: processing personal data is prohibited unless the controller (i.e., the organization initiating the processing) has a legal basis to do so. In other words, there must be a valid justification for processing the data.
The GDPR is thus naturally more comprehensive than the US state laws because it covers:
- Personal data processed in the context of B2C and B2B relationships
- Publicly available information
- The processing activities of both public and private entities
Under the GDPR, the controller must also demonstrate compliance with the framework. In the case of infringement leading to damage, to be exempted from liability the controller must prove that it is not in any way responsible for the event giving rise to the damage.
How are state data privacy regulations similar to the GDPR?
Despite the aforementioned differences, there are similarities across frameworks – and it’s clear that the GDPR has influenced US state legislators in a few key ways:
1. Data Subject Rights
The list of rights is similar across frameworks and more often than not includes a right of access and rights to rectification, restriction, deletion, portability, and opt-out (a limited variant of the right to object).
2. Data Protection Principles
GDPR-like data protection principles based upon data management best practices have been included in most of the states’ frameworks. Purpose limitation, the requirement to limit the processing activity to a predetermined and legitimate purpose, has clearly entered the scene. By way of example, Virginia law provides that “[a] controller shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.” For platform owners, this means purpose-based access control should become mainstream!
3. Risk Assessments
Risk assessment is mentioned in most of the frameworks as well, particularly in cases of heightened risk of harm to consumers.
4. Processes for Data Sharing
Contractual obligations to control the downstream use of the data are considered key context controls when a covered entity discloses data to a third party, even when the data is de-identified. For instance, the Virginia law uses the GDPR’s distinction between controller and processor to impose obligations upon both groups and ensure a contract exists between them. This means data use agreements should be the norm when data teams share data with third parties or grant third parties access to the data.
Compared with the GDPR, though, enforcement mechanisms appear relatively weak – or at least underdeveloped – within these state frameworks. It’s true that California law introduces a private right of action that allows individuals to bring lawsuits against organizations that have violated legal data use requirements, but that right remains relatively limited compared to the list of private remedies available under the GDPR.
The Utah Consumer Privacy Act is among the weakest of the laws. There is no private right of action. In fact, consumer rights appear weaker than under other frameworks, and there is no obligation to conduct data protection assessments, nor are there any meaningful restrictions on the secondary processing of personal data.
What's in the American Data Privacy Protection Act?
As mentioned, the proposed American Data Privacy Protection Act (ADPPA) would serve as a horizontal data protection law that could supersede individual states’ laws. While it’s exciting to see that Congress is examining how to regulate and protect citizens’ data, the draft bill is generating mixed feelings. One major concern is the preemption provision, which would make the ADPPA a ceiling rather than a floor. The privacy community and 10 state attorneys general are thus arguing against it. Another battleground is the scope of the private right of action, which currently has a two-year delay and a limited remit.
That said, the ADPPA offers more protection than most of the state laws. It’s noteworthy that the first substantive section is dedicated to data minimization, which includes a list of permissible processing purposes. Data minimization is a core facet of a GDPR-compliant data strategy, and is once again a call for purpose-based access control.
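Purpose limitation and data minimization, as described in the sections on data protection principles and on the ADPPA above, translate into a concrete access control pattern: a query is allowed only when its declared purpose was both disclosed to the consumer for that dataset and approved for the requester, and identifying columns are masked unless the purpose requires them. The following is an added illustration written for this post, not Immuta’s product code or any statutory text; the dataset catalogue, user approvals, purpose names and column names are all constructed, and every decision is appended to an audit trail because the frameworks expect the controller to be able to demonstrate compliance.

```python
"""Purpose-based access control with an audit trail (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DatasetPolicy:
    """Purposes disclosed to consumers for one dataset (constructed model).

    disclosed_purposes:  purposes stated in the privacy notice at collection time
    identifying_columns: columns that identify a person and are masked by default
    identified_purposes: purposes for which identifying columns may be returned unmasked
    """
    disclosed_purposes: frozenset
    identifying_columns: frozenset = frozenset()
    identified_purposes: frozenset = frozenset()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    masked_columns: tuple = ()  # identifying columns the caller must mask before returning rows


# Constructed sample catalogue: one dataset with three disclosed purposes.
POLICIES = {
    "customer_orders": DatasetPolicy(
        disclosed_purposes=frozenset({"order_fulfillment", "fraud_prevention", "analytics"}),
        identifying_columns=frozenset({"email", "shipping_address"}),
        identified_purposes=frozenset({"order_fulfillment", "fraud_prevention"}),
    ),
}

# Constructed sample approvals: purposes each requester is cleared to act under.
USER_PURPOSES = {
    "alice": frozenset({"analytics"}),
    "bob": frozenset({"order_fulfillment", "fraud_prevention", "marketing"}),
}

AUDIT_LOG = []  # every decision, allowed or denied, is recorded here


def evaluate(user, dataset, purpose, columns,
             policies=POLICIES, user_purposes=USER_PURPOSES, audit_log=AUDIT_LOG):
    """Decide whether `user` may read `columns` of `dataset` for `purpose`.

    Checks, in order: the dataset is known, the purpose is approved for the
    user, and the purpose was disclosed for the dataset (purpose limitation).
    If access is granted for a purpose that does not need identity, the
    identifying columns in the request are flagged for masking (minimization).
    """
    policy = policies.get(dataset)
    if policy is None:
        decision = Decision(False, "unknown dataset")
    elif purpose not in user_purposes.get(user, frozenset()):
        decision = Decision(False, f"purpose '{purpose}' not approved for user")
    elif purpose not in policy.disclosed_purposes:
        decision = Decision(False, f"purpose '{purpose}' was not disclosed for this dataset")
    else:
        masked = ()
        if purpose not in policy.identified_purposes:
            masked = tuple(c for c in columns if c in policy.identifying_columns)
        decision = Decision(True, "purpose disclosed and approved", masked)

    # Audit trail entry: who asked for what, under which purpose, and the outcome.
    audit_log.append({
        "user": user, "dataset": dataset, "purpose": purpose,
        "columns": tuple(columns), "allowed": decision.allowed, "reason": decision.reason,
    })
    return decision


if __name__ == "__main__":
    # Analytics may see orders, but e-mail is masked; marketing was never disclosed.
    print(evaluate("alice", "customer_orders", "analytics", ["order_id", "email", "total"]))
    print(evaluate("bob", "customer_orders", "marketing", ["email"]))
    for entry in AUDIT_LOG:
        print(entry)
```

The ordering of the checks matters for the audit trail: a denial records which control fired (unknown dataset, requester not approved, or purpose not disclosed), which is what a reviewer needs when reconciling queries against the purposes stated in the privacy notice.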
Privacy-by-design also gets its own section in the ADPPA, meaning covered entities must establish, implement, and maintain reasonable policies, practices, and procedures to mitigate privacy risks. In other words, risk assessment and management would become real priorities.
The Act also includes the following data security mandates:
- “Identifying and assessing any material internal and external risk to, and vulnerability in, the security of each system maintained by the covered entity that collects, processes or transfers covered data, or service provider that collects, processes, or transfers covered data on behalf of the covered entity”
- “Taking preventive and corrective action designed to mitigate any reasonably foreseeable risks or vulnerabilities to covered data identified by the covered entity or service provider”
- “Evaluating and making reasonable adjustments to the[se] actions”
- “Disposing of covered data in accordance with a retention schedule…”. “Such disposal shall include destroying, permanently erasing, or otherwise modifying the covered data to make such data permanently unreadable or indecipherable and unrecoverable…”
In addition to obligations about how data must be managed, the ADPPA would impact how many data teams are structured. Covered entities with more than 15 employees would be required to have a data privacy officer and a security officer, who would be responsible for implementing a data privacy and security program to safeguard the covered data. For large data holders, executive officers would be required to annually certify that they have internal controls to comply with the act, as well as internal reporting structures to ensure that they are responsible for the decisions impacting compliance.
Finally, although the ADPPA does not include any restrictions on international data transfers or data localization requirements, there is an obligation for covered entities to state within their privacy policies whether or not any covered data is moving to or accessible to the People’s Republic of China, Russia, Iran, or North Korea. Therefore, data movements to high-risk jurisdictions would need to be carefully monitored.
What is the impact of these data privacy regulations?
The privacy landscape is getting more complex by the day. Although the ADPPA in the US is clearly an attempt to harmonize state-by-state requirements, organizations will still have to reconcile the nuances among each law. Of note, the UK is trying to create its own model by adapting the GDPR, as a post-Brexit reform.
Practical tips for building a privacy compliance program that addresses a patchwork of privacy laws usually suggest aiming for simplicity, adopting the highest common denominator as often as reasonably possible, and setting up a robust data audit trail.
Accommodating the most restrictive privacy requirements up front is an attractive approach for data teams, and it leaves room to fine-tune their approach over time. For example, they may choose to first leverage data discovery and monitoring capabilities to get familiar with their data ecosystem and promptly detect high-risk activities, and then deploy fully-fledged preventive controls, like self-executing data policies, to reduce compliance costs by reducing the frequency of corrective interventions.
Data access platforms like Immuta separate policy from platform, allowing you to author policies in plain language to adhere with any pertinent data privacy regulations, and automatically enforce and monitor them across all cloud data platforms. Dynamic attribute- and purpose-based access control allows data teams to reduce policy burden by 75x, which in turn simplifies the responsibility of complying with an expanding number of data privacy regulations, like the GDPR and ADPPA.
See how easy it is to build compliant policies in Immuta by scheduling a demo with our team.