The Basics: What Most Data Privacy Laws Include

The EU’s GDPR took effect in 2018, transforming Europe’s data privacy framework and inspiring other jurisdictions to pass similar laws. California’s CCPA passed the same year, bringing new privacy standards to the U.S. Today, 12 states have enacted “comprehensive” privacy laws, and many others have tightened regulation over specific sectors.

“Comprehensive privacy law”

A comprehensive privacy law applies across all business sectors. They often carve out certain tightly regulated or smaller businesses, but they impact millions of companies of almost every type.

Comprehensive privacy laws provide new rights for consumers, which businesses must honor. They hold companies responsible for the data they collect, even after it’s been shared with a third party. And they restrict how businesses use and store personal data.

Consumers now have rights over their personal data

Whether it’s  complying to a stronger law such as Virginia’s VCDPA, or one of the less strict laws such as Utah’s UCPA, requires comprehensive oversight of how your company collects and uses personal data. Oversight is an essential starting point, and you can’t do any of this without knowing how and why you process data.

Privacy laws require you to provide access to personal data on request, delete the data under certain conditions, and ensure your vendors meet strong privacy standards.

Consent for persona data use & Cookies

A key philosophical difference between the GDPR and U.S. state-level regulations is around consent. In the U.S. there’s a culture of opting-out of data being used, as opposed to people opting-in to companies using their data in the EU. In other words, the assumption is that companies can access people’s data until they’re told “No,” whereas in the EU companies can’t collect people’s data until given explicit permission. This is why you regularly come across cookie banners when surfing the web—GDPR requires that websites get consent upfront to track you, whereas in the U.S. you’ve opted-in by visiting the site.

Most US privacy laws focus on “the right to opt out”—you can likely continue doing most of the stuff you’re already doing with data, but you might need to offer people a choice about it.For example, rather than requesting consent via a cookie banner, you might need to provide a way to let people opt out of certain cookies. And you might need to configure your website to recognize a “universal opt-out signal” from people’s browsers.The exception is “sensitive data”, which includes information about people’s race, health, religion, and precise location (plus other characteristics). Many new US privacy laws require that you request “opt-in” consent before collecting, using, or sharing sensitive data.

Do we really have to worry about these new privacy laws?

Don’t worry about privacy—embrace it.

The tide has turned. More and more US states, along with other jurisdictions worldwide, are toughening privacy regulations. Now is the time to get on board.

Yes, state Attorneys General have new powers. California even has a new regulator, the California Privacy Protection Agency (CCPA). And we’re seeing more and more class-action privacy lawsuits. Businesses that fail to act could face legal issues under these new laws.But there are better reasons to embrace privacy, like increased efficiency, improved customer trust, and the ability to grow your business

Commonalities Between State-Level Data Privacy Laws

Although the other state-level laws don’t go quite as far as the CCPA—and not nearly as far as the GDPR—these state-level privacy laws tend to have a similar baseline of provisions. Knowing how each law impacts your business practices is crucial, but you can use these areas of overlap to build the foundation of a broadly compliant data privacy program.

“Although many state laws don’t go quite as far as the CCPA—and not nearly as far as the GDPR—these state-level privacy laws tend to have a similar baseline of provisions.”