GDPR in the USA? New State Legislation Is Making This Closer to Reality


The European Union’s General Data Protection Regulation (“GDPR”) is well known as the toughest privacy and security law in the world, as it has a wide reach and imposes heavy fines against those who violate its privacy and security standards (which are quite broad). The impact of the GDPR has already been felt in the United States since it went into effect in 2018, and now U.S. lawmakers in numerous states are moving to enact similar legislation. The California Consumer Protection Act (“CCPA”) was the first instance of the GDPR’s impact in the United States, as California put in place a statute and regulations that mirrored the GDPR in several respects. Now Virginia has set in motion what could be a year-long string of states enacting similar legislation. In particular, Washington and New York have proposed legislation following the framework of the CCPA. This article will compare the CCPA to the newly enacted and proposed privacy laws in the United States.

Newly Enacted and Proposed Privacy Acts:

Newly Enacted Virginia Act

On March 2, 2021, Virginia passed its Consumer Data Protection Act (“CDPA”), the second comprehensive consumer data privacy law in the United States. The CDPA will go into effect on January 1, 2023. The CDPA applies to persons or entities that conduct business in Virginia or produce products or services offered to Virginia residents and that “control or process” personal data. The Act applies to businesses that (1) control or process personal information of at least 100,000 consumers, or (2) control or process the data of at least 25,000 Virginia residents that also derive 50% or more of their gross revenue from the sale of personal data.

The CDPA closely follows the framework of the CCPA; however, there are a few key differences:

Proposed Washington Act

The Washington Privacy Act, Senate Bill 6281 (“WPA”), is proposed legislation which mirrors the CCPA. Like the GDPR and CCPA, the WPA increases consumers’ rights with regard to their personal data and ensures businesses are transparent about collection and processing of consumer data. Additionally, the WPA enables consumers to opt out of the sale of their personal data. The WPA would apply to businesses whose products or services are targeted at Washington consumers if the business: (1) controls or processes data of more than 100,000 consumers, or (2) derives at least 50% in revenue from the sale of personal data and processes or controls personal data of more than 25,000 consumers.

The WPA and CCPA have important similarities, such as: (1) a 30-day cure period; (2) a requirement that a business delete a consumer’s personal data at the consumer’s request; and (3) a responsibility on the business to be proactive in telling the consumer what specific types of personal information the business collects and how such data is used. However, there are important differences between them:

Proposed New York Act

Of all the proposed privacy legislation, the New York Privacy Act (S5642) (“NYPA”) is likely the most anticipated because its language is much bolder than the CCPA. The NYPA applies broadly to “legal entities that conduct business in New York or produce products or services that are intentionally targeted to residents of New York.” With such broad language, the NYPA seems tailored to reach as many businesses as possible while omitting revenue threshold language as seen in the CCPA.

Though the NYPA could change before it is enacted, its current language departs from the CCPA in two ways:

Main Takeaway

The GDPR’s influence in the United States is here, and it appears here to stay as more states follow suit. With two major privacy laws on each coast and variations scattered in between, it is unclear whether Congress will ultimately pass a federal law to create some uniformity. Until then, as new legislation is rolled out, companies and businesses should stay up to date to protect themselves from potential regulatory action and lawsuits.



© 2024 Vedder Price
National Law Review, Volume XI, Number 77