US Privacy Law Compliance for EU Companies
The United States does not yet have a federal data privacy law, though multiple federal bills have been introduced. This means that European companies looking to do business in the US will need to be familiar with all relevant state-level laws where they are doing business.
For example, if a company has customers, prospects, or website visitors from California, the California Consumer Privacy Act (CCPA) applies to it. As of 2023, so will the California Privacy Rights Act (CPRA). In this guide we will also reference Virginia’s Consumer Data Protection Act (CDPA) and Colorado’s Privacy Act (CPA). The latter three will all come into effect in 2023.
Like the GDPR, the US laws apply to where consumers reside, not where the company is headquartered. It doesn’t matter if a company doesn’t have an office in California if it has customers, website visitors, etc. there and their personal information (within the law’s specifications) is being processed by the company.
Companies need to be familiar with the laws of each state relevant to their business. There may be 50 states, but to date only three have passed privacy laws: California, Virginia, and Colorado. It is recommended to keep an eye on the progress of bills in other states, consult legal counsel experienced in privacy law, and adjust operations accordingly.
How a future federal law will affect state laws already in place is unknown. It would certainly add a layer of complexity to data privacy compliance in the US. However, the good news is, any company that is already GDPR-compliant is likely in good shape in terms of being compliant with any US privacy law. There are some key differences between US and EU law, but the GDPR has already been influential in drafting US legislation.
Which companies need to be compliant with US privacy laws?
An obvious first question for European companies is, “Do US privacy laws apply to us?” Followed by, “Which ones?” We are broadly defining “doing business” here as having any of these in the state:
- website or app visitors/users
- employees or contractors
- third-party partners
Note that the specifics of each state law vary. To know, for example, about provisions for selling minors’ data, if employees are considered consumers, or if individuals have private right of action, a company will need specific familiarity with each relevant law, and legal advice.
In California, to be subject to the CCPA, a business must meet the following criteria, which will change somewhat when the updated CPRA comes into effect in 2023. The criteria of the Colorado Privacy Act are the same except for the annual gross revenues provision.
- Annual gross revenues of the preceding calendar year exceeding $25 million USD (CPRA: now specifies the revenue is from the “preceding calendar year”), or
- Receive, buy, or sell personal information of 100,000 or more consumers or households (CPRA: no longer includes “devices”, also doubled from 50,000), or
- Earn more than 50 percent of their annual revenue from the sharing or sale of consumers’ personal information (CPRA: now specifies selling or sharing)
There are some differences under Virginia’s CDPA, but generally under US privacy law the criteria for inclusion relate to revenue, the number of consumers whose information is sold, or both.
Existing EU-US privacy agreements
The EU-US Privacy Shield Framework included an adequacy decision from the European Commission, enabling data transfer between the EU and US. It was partly based on GDPR compliance. However, it only governed the flow of personal data in transatlantic exchanges, so in many cases state-law compliance was also advisable. (At the time only California had an active privacy law, the CCPA.)
However, the 2020 Schrems II decision invalidated that Framework, so Privacy Shield compliance is no longer relevant. Companies will require state-level compliance, but if they are EU-based, they will also have to be GDPR-compliant, which, as noted, provides much of what is needed for privacy compliance in US states.
US privacy law models and data definitions
In regions outside of the United States (e.g. European Union, Brazil, South Africa), privacy laws passed to date use an opt-in model. That means that users’ consent must be obtained before their data is collected or used. As the GDPR defines it, “Consent must be freely given, specific, informed, and unambiguous.”
Several privacy bills introduced in the US in 2021 have included strict opt-in requirements for users’ consent to both the collection and sale of personal information. So if those bills pass, in those states data controllers – companies or other organizations processing consumer data – would need to obtain consumers’ consent not just before sale of data, but also before it’s collected.
To date, however, the United States has generally favoured an opt-out model. This means that, with some restrictions and requirements, controllers can collect information without first obtaining consumers’ consent. But consent is required to be allowed to sell data, or, in some cases, share it. This applies to adults, and there are often specific provisions regarding collection or sale of minors’ personal information.
Consumers in the US are to date most familiar with what’s known as a strict opt-out model. With this version, data controllers have to provide consumers with reasonable mechanisms through which they can opt out of usage (usually sale) of their data. For example, the CCPA requires businesses to include a link on their websites with a clear version of the language: “Do Not Sell My Personal Information”.
This model places the burden of action for privacy protection and exercising of their rights on adult consumers. If the consumer does nothing, a company can collect and sell their data. No state laws passed to date have included provision to enable consumers to opt out of the collection of their personal information, just the sale of it.
A third, hybrid consent model is newer in the US, but it is quickly gaining popularity for its flexibility and is the model used in a number of state bills that have been introduced. It is also the model adopted in the Virginia Consumer Data Protection Act (CDPA). It combines aspects of both the opt-in and opt-out models, mainly depending on the type and sensitivity of the information in question.
Under this model, consumers would have a right to opt out of collection and sale of their information, but if they haven’t exercised that right, a controller would be able to collect and sell it. This would apply to something like an email address, for example. But the controller would not be allowed to collect or sell sensitive personal information, like racial or health information, unless they obtained explicit consumer consent first.
Under the various states’ privacy laws, consumers have fairly consistent rights. However, as they are not identical, companies do need to be clear on consumers’ rights in each relevant state. Under the CCPA, consumers have the following rights:
- To know what personal information a business has collected about them
- To request and receive the personal information that a business has collected about them
- To request that their personal information collected by a business be deleted
- To know if their personal information is/has been sold or disclosed, and to whom
- To refuse the sale, disclosure, or use of their personal information by the business that collected it
- To not be discriminated against for exercising their privacy rights
When the CPRA is enacted in 2023, consumers will have these additional rights:
- To request and have inaccurate data collected about them be corrected
- To limit use of data categorized as sensitive personal information
- To request information about automated decision-making and the likely outcomes of using such processes
- To opt out of the use of automated decision-making technology with regards to personal information
Consumers’ rights under Virginia’s CDPA are mostly a combination of those under both California laws. It is also likely that in the future laws will evolve, or new laws will include more detail on issues of technology and automation where use of consumers’ data is concerned.
Interestingly, only under California’s laws do consumers have private right of action, or the ability to sue companies for alleged privacy rights violations. This provision has been a point of contention for bills in other states, and significantly contributed to the bill in Florida not passing. In Virginia, for example, complaints must be submitted to the Attorney General, who will have responsibility for investigating allegations of violations and enforcing the law.
Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information
Each privacy law defines what constitutes user data or personal information, and typically splits it up into categories based on how easy it would be to use it to identify an individual. Information classified as “sensitive” is subject to stricter controls for access, security and use, since it can present a greater risk to individuals if it is misused.
If you can identify a person with a point of data, either on its own or in combination with a limited amount of other data, it’s personally identifiable information (PII). “Personally identifiable information” is the commonly used term in the United States, though under the GDPR it’s called “personal data”. Sensitive PII is also sometimes referred to as “linked data” because it is directly or almost directly linked to, and can reveal, an individual’s identity.
While many organizations and government agencies use the term PII, the meaning can vary, and it’s not a standardized legal term or definition. Companies need to confirm PII and sensitive PII definitions under the state laws to which they are subject.
For a deep dive on definitions of personally identifiable information and data sensitivity, check out our article: Personally Identifiable Information (PII) vs. Personal Data – What’s the difference?
Definition of “sale”
In some US laws, like California’s CCPA, the opt-out model is used, so companies do not have to obtain consumers’ consent before collecting personal information. They only have to obtain explicit consent before selling the information. The Definitions section of the CCPA includes:
“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
However, the definition of “sale” under the CCPA is actually broader than the average consumer might think, and includes a variety of consumer-led disclosure examples, interactions with third parties, and other scenarios. The CPA’s definition of “sale” is nearly identical to the CCPA’s. Companies are advised to carefully research what actions constitute sale of personal information under any state laws to which they are subject.
Ensuring consent is compliant with US law for various groups
Employees and contractors
For companies looking to do business in the US, it is also important to be clear on specific definitions of “consumer”. For example, under the CCPA, employees of companies doing business in California are also defined as consumers. Companies must notify employees, contractors, and job applicants when their personal information is collected. The data collected can only be used for specific reasons provided in notices to employees. Under the CDPA in Virginia, and the Colorado Privacy Act, however, employees, for the purposes of their data, are explicitly excluded from definitions of “consumer”.
As mentioned, the provisions of various states’ privacy laws apply explicitly to legal adults. There have already been a number of lawsuits under the CCPA regarding unauthorized collection and sale of the personal data of minors – including biometric data – so companies are advised to be extra careful if there is a possibility of minors’ data being accessed or sold. Additionally, different provisions for different age ranges apply under different laws.
For example, under the CCPA, businesses cannot knowingly sell the personal information of people under 16 years of age without explicit consent. If the individual is between 13 and 16 years old, they can provide their own consent. But if under the age of 13, consent would have to be obtained from a parent or guardian. Note that this does not apply to collection of minors’ personal information, just the potential sale.
Under Colorado’s Privacy Act, controllers can’t process “sensitive data” without first obtaining consent from the parent or lawful guardian of any “known child”, where a child is defined as someone under 13 years of age.
It’s clear that companies have to obtain consumers’ consent for the sale (and sometimes collection) of personal information. However, if a consumer refuses consent, is that forever? Is there a term limit on consent or refusal of consent?
Under the CCPA, if an individual opts out of the sale of their information (like clicking a “Do Not Sell My Personal Information” link) the company cannot solicit their consent again for “at least 12 months”. How often consumers can submit requests to companies for copies of their data is also limited under the laws.
Even though only three states have passed privacy laws to date, more will follow. And while the GDPR was influential on California’s laws, and California’s laws were influential on Virginia’s and Colorado’s, each state’s implementation of privacy law differs in moderate ways. Companies need a full understanding of which states’ laws are relevant to them, their operations, and the consumers with whom they do business.