Odd one out: Is a U.S. version of GDPR possible, and what would this mean for your business?

If a lawyer from the 1990s were to time travel to 2024, one of the starkest differences they’d encounter – beyond the ubiquity of the smartphone and rise of the internet – would be a legal concept related to both, and one that we’re all now familiar with: digital privacy.

As the world has grown increasingly networked, and the spread of digital telecommunications has provided instant access to applications that service everything from shopping to renewing a passport, fears have grown about what exactly is being done with this vast volume of data. Those fears are shared by businesses themselves, which face enormous reputational damage from data leaks for which they are liable. In 2023 an IBM report put the average cost of a breach at around US $4.45m, and that figure has only risen since. That is why, when it comes to information management, data privacy is now the core area of focus.

Central governments and supranational organizations have developed, or are in the process of developing, robust data-protection legislation in response. The EU's General Data Protection Regulation (GDPR), which came into force across Europe in 2018 and places responsibility for compliance on the data controller, was the first of these comprehensive pieces of legislation. China followed with the Personal Information Protection Law (PIPL) in 2021, India passed the Digital Personal Data Protection Act (DPDP) in 2023, and other countries and regions are following suit, in Southeast Asia, Latin America and beyond. GDPR formed the template for much of this legislation, but as we've discussed before, there are key differences too.

But the conspicuous absentee from this list, of course, is the United States.

What data-protection legislation already exists in the U.S.?

Despite the lack of comparable Federal legislation, the last ten years have seen the development of a patchwork of state laws that anyone doing business in the U.S. should be aware of.

These state-level initiatives have attempted to address consumer concerns first and foremost. Two pieces of state-level legislation are worth highlighting: the California Consumer Privacy Act (CCPA), which came into effect in 2020, and the more recent Virginia Consumer Data Protection Act (VCDPA), which came into effect in 2023.

What’s the California Consumer Privacy Act, and what amendments have been made?

The CCPA, much like GDPR, was designed to protect personal data privacy, but there are significant differences in both scope and application between them.

Specifically, the CCPA's scope is narrower than GDPR's. It targets for-profit businesses that do business in California and have annual revenues exceeding US $25m, or that buy, sell or share the personal information of 50,000 or more consumers (a threshold the CPRA later raised to 100,000), or that derive half or more of their revenue from selling personal information. It grants California consumers the right to know exactly what data is being collected and to opt out of its sale. The GDPR, by contrast, is far broader, applying to any organization processing the personal data of people in the EU, wherever that organization is based. The GDPR also requires a lawful basis for every processing operation, and explicit consent where sensitive categories of data are involved. In essence, it is both stricter and broader in its application.

In 2023, amendments to the CCPA made by the California Privacy Rights Act (CPRA) took effect, bringing it closer to the GDPR. The CPRA strengthened the CCPA by introducing a category of Sensitive Personal Information (SPI), which has since been expanded by further amendment to include citizenship and immigration status (among other things), and by tightening the opt-in consent requirements for selling or sharing the personal information of minors.

The pattern in California is clear: there is a tendency towards harmonizing state-level legislation with the GDPR and comparable national laws. It has to be pointed out, though, that California has always been something of a special case. Home to some of the world's largest tech firms, it was one of the first legislatures to pass a law requiring websites to have a privacy policy, all the way back in 2003.

The impact of these amendments is already being felt, as California-based businesses provide mandatory opt-out options for consumers. Similarly, the enforcement arm of the CCPA, the California Privacy Protection Agency (CPPA), is now "beefed up" and ready to begin enforcing breaches of the act.

The Virginia Consumer Data Protection Act (VCDPA) – and other states:

The VCDPA, in effect since 2023, offers very similar provisions to California's law. Its differences from GDPR lie, as with the CCPA, in scope, enforcement and specific provisions. The VCDPA, for example, is enforced solely by the Virginia Attorney General; there is no dedicated enforcement body comparable to the CPPA. It also provides a broader range of exemptions (non-profits and small businesses, for instance) than either the CCPA or the GDPR, where exemptions are extremely limited.

As of 2024, at least eight U.S. states (California, Colorado, Virginia, Utah, Connecticut, Montana, Oregon and Texas) have enacted some form of data-protection legislation roughly comparable to GDPR, and the count is growing. Some 50-plus data-protection bills of various kinds are also being discussed in state legislatures across the country, including in states that already have a comprehensive law, and these often affect data subjects directly.

In summary, the states themselves are catching up, albeit with other major economies having had a head start, and there is clearly appetite at a more local level for stricter privacy requirements, largely driven by consumers themselves.

If your business has a presence in the U.S., however, it is important to understand this state-level law and its implications for your organization. These pieces of legislation may not come from the Federal Government, but they still have teeth. The CPPA itself has offered helpful advice, put most simply as: "stop collecting so much data" where it is not necessary.

Why does the U.S. lack a national law? Business challenges and more

As mentioned, despite all these advancements at state level, the U.S. lacks a comprehensive national data protection law. The question is, why?

One of the most obvious reasons is the economic impact on businesses. As you would expect, compliance costs increase with the severity and sophistication of the data-protection legislation. The National Bureau of Economic Research (NBER) in the U.S. published a paper in February 2024 titled "Data, Privacy Laws and Firm Production: Evidence from the GDPR", which analyzed the cost of the legislation to businesses. Estimates ran from US $1.7m for SMEs to US $70m for large organizations.

Another finding from this study is that European firms, or firms with a division based in Europe, are simply processing less data than before, as part of a broader effort to cut data storage and processing costs and reduce their exposure to data breaches. So there are lessons here about how best to reduce your own organization's cloud footprint too.

More to the point, this underscores something U.S. firms have long argued when lobbying State and Federal Government: that this increased cost would mean less hiring and higher prices for consumers. Another NBER study, titled "GDPR and the Lost Generation of Innovative Apps", claims that one third of all apps on the Google Play store disappeared after the introduction of GDPR in May 2018. The paper goes on to highlight the increased costs of data management and processing as prohibitively expensive for new developers. While there has been some disagreement about the conclusions drawn from this study, there is no doubt that firms are rethinking their data management strategies to ensure GDPR compliance, investing more heavily in information management strategies and software as a result of enhanced data-protection rules.

U.S. firms have, in fact, argued quite convincingly that a similar Federal law would damage them and their consumers. The specifics of this diverse and often political argument are too broad to discuss here, but suffice to say it has been successful in at least delaying a Federal law. The absence of European tech giants comparable to Google, Amazon and Facebook should also be noted: Europe had no domestic firms of comparable size capable of lobbying to the extent those companies do in the U.S. For a more thorough rundown of how lobbying in the U.S. has influenced state-level laws, Cookie Law Info has an excellent article entitled "Big Tech vs. GDPR".

Another point is that existing U.S. law, because of the relationship between State and Federal Government, is already so complex that any harmonization would be incredibly difficult without a comprehensive impact assessment. DLA Piper, a leading law firm, accurately points out that while the section on the CCPA above may seem simple, California actually has some 25 state privacy and data security laws, of which the CCPA is merely the most prominent.

Another issue hindering the development of a federal law is that the U.S. has a historical preference, at both state and federal level, for sector-specific data regulations and laws. For example, the Health Insurance Portability and Accountability Act (HIPAA) governs health information, the Children's Online Privacy Protection Act (COPPA) governs data collected online from children, and so on. This tendency to break things up by sector has, as mentioned, a strong tradition in U.S. law.

This is not to say there have not been attempts to create a Federal law. The American Data Privacy and Protection Act (ADPPA) was proposed in 2022 and appeared to have bipartisan support in the U.S. Congress, but never really became a priority for the executive. The effort was revived in April 2024 as the American Privacy Rights Act (APRA), a bipartisan draft from the Democratic chair of the Senate Commerce Committee and the Republican chair of the House Energy and Commerce Committee, but it faces significant hurdles and an uncertain future.

What is the ADPPA exactly, and how likely is it to become a “US GDPR EQUIVALENT”?

With growing data privacy concerns and the increasing patchwork of state laws, the question arises: could the U.S. adopt the ADPPA, or something like it, soon?

Firstly, it’s important to note that even in its present draft form, the ADPPA is different to GDPR in some significant ways.

  • The ADPPA does not propose extraterritorial jurisdiction over non-U.S. companies. Unlike the GDPR, it would only cover the processing of U.S. residents' data by entities within the U.S.
  • The ADPPA requires that data processing be "necessary and proportionate" to the product or service in question. It does not offer "legitimate interests" as a legal basis for processing personal data, as the GDPR does.
  • What the two frameworks categorize as "sensitive data" differs slightly. The GDPR treats race, ethnicity, political opinions and health data as special categories requiring "explicit consent"; the ADPPA adds categories such as government-issued identifiers (think Social Security numbers) and financial account numbers.
  • Enforcement of the ADPPA would fall to the Federal Trade Commission (FTC) and state Attorneys General, whereas the GDPR is enforced by national supervisory authorities. Crucially, the ADPPA gives companies a window to cure violations before penalties are imposed.
  • The ADPPA has a more limited "private right of action", whereas the GDPR allows individuals both to file complaints with supervisory authorities and to seek a judicial remedy directly.

In summary, the ADPPA could be considered slightly more "watered down" than GDPR in terms of its enforcement provisions and the risk it poses to organizations. It could be viewed as more of a "harmonization" of the existing state laws discussed above. Osborne Clarke, the law firm, published a full legal rundown of the differences back in 2022 that is well worth reading.

In terms of its likelihood of becoming law, something of this kind is very likely to pass at some point, with the timing hinging on several factors, primarily the balancing of consumer protections against entrenched business interests. The fact that it initially gathered bipartisan support suggests the appetite is there, but the prolonged negotiations typical of legislation of this kind in the U.S. suggest it is at least several years away.

The ADPPA, or something like it, will probably become law in the U.S. in the next four or five years. The tipping point may come when the maze of state-level law becomes more difficult for organizations to manage than a harmonized national law would be. At that point a federal law could be positive for both sides, providing organizations with a unified compliance framework while enhancing consumer trust. It is worth bearing in mind that the "finished product" will likely involve even more stakeholder consultation (most prominently with large tech firms), which may lead to more watered-down provisions on consent and enforcement.

Ultimately, what does all this mean for your business and the way it handles information?

It is obvious that understanding the U.S. data protection landscape is crucial for any business operating there, or seeking to operate there, regardless of where its HQ may be. The impact of a federal law, combined with that of the state-level laws, will be large.

The ADPPA, or something like it, though not as stringent as GDPR, would still be a substantial shift in the regulatory environment, and it means your organization's compliance strategy needs to be as robust as possible, even now. If you are involved in any sort of data processing in the U.S., the reasons for adapting are obvious: the patchwork of state-level laws is byzantine in and of itself, and building an Information Governance policy around the principles drafted in the ADPPA is a good start.

If you are a non-American business operating in the U.S., make sure you are proactive in meeting these requirements ahead of time. In our experience as an Information Management company, these due-diligence measures matter continuously, not just after the fact. Ask yourself these questions:

  1. Do I have a proper data map, audit and inventory of where I'm getting data from, and of how consent for it is obtained?
  2. Are my data and records being securely stored and, crucially, disposed of when they are no longer required?
  3. Do I have a privacy policy that reflects the regulatory landscape the ADPPA, or something akin to it, seeks to create?

Crown Records Management has been helping organizations store, audit and manage data and records for four decades. If you would like a consultation, get in touch.
