US privacy law compliance for EU companies

The United States does not yet have a federal data privacy law, though multiple federal bills have been introduced. This means that European companies looking to do business in the US will need to be familiar with all relevant state-level laws where they are doing business to ensure they are compliant with US privacy laws.

For example, if a company has customers, prospects, or website visitors from California, the California Consumer Protection Act (CCPA) and California Privacy Rights Act (CPRA) apply to them. In this guide we will also reference Virginia’s Consumer Data Protection Act and Colorado’s Privacy Act (CPA). However, 2023 has seen an unprecedented number of additional states pass privacy laws, which will come into force over the next couple of years. More states are likely to follow.

Like the General Data Protection Regulation (GDPR), the US laws apply to where consumers reside, not where the company is headquartered. It doesn’t matter if a company doesn’t have an office in California if it has customers, website visitors, etc. that reside there and their personal information is being processed by the company.

Companies need to be familiar with the laws of each state law relevant to their business. More states continue to draft and pass privacy laws, so this may become an increasing challenge for companies doing business across the country. It is recommended to consult legal counsel experienced in privacy law and adjust operations accordingly. A good consent management solution also requires minimal updates once implemented, as new laws are passed.

How a future federal law will affect state laws already in place is unknown. It would certainly add a layer of complexity to data privacy compliance in the US. However, the good news is, any company that is already GDPR-compliant is likely in good shape in terms of being compliant with any US privacy law. There are some key differences between US and EU law, but the GDPR has already been influential in drafting US legislation.

An obvious first question for European companies is, “Do US privacy laws apply to us?” Followed by, “Which ones?” We are broadly defining “doing business” here as having any of these in the state, and collecting/processing their personal data:

• customers
• users
• website or app visitors/users
• employees or contractors
• third-party partners

The specifics of each state law vary. Companies will need qualified legal advice on a state by state basis to ensure they comply with legal requirements regarding children’s data, for example, or whether users can opt out of profiling and targeted advertising, or just sale.

In California, to be subject to the CCPA, a business must meet the following criteria. In a number of state-level privacy laws passed since the CCPA and CPRA, the gross annual revenue provision is no longer included.

• annual gross revenues of the preceding calendar year exceeding $25 million USD (CPRA: now specifies the revenue is from the “preceding calendar year”), or
• receive, buy, or sell personal information of 100,000 or more consumers or households (CPRA: no longer includes “devices”, also doubled from 50,000), or
• earn more than 50 percent of their annual revenue from the sharing or sale of consumers’ personal information (CPRA: now specifies selling or sharing)

There are some differences under Virginia’s CDPA, but generally under US privacy law the criteria for inclusion relate to revenue, the number of consumers whose information is sold, or both. Texas and Florida have some unique provisions targeting specific kinds of companies, for example, but those have not been widely adopted in other states. The country where the company collecting data is located doesn’t matter, and EU companies must comply with US privacy laws if they meet the relevant criteria.

As of July 10, 2023, the EU-U.S. Data Privacy Framework enables adequacy for data transfers between the EU and US (if US companies are certified). This replaces the former EU-US Privacy Shield Framework struck down in 2020 by the Schrems II decision.

In regions outside of the United States, e.g. European Union, Brazil, South Africa, privacy laws passed to date use an opt-in or prior consent model. That means that users’ consent must be obtained before their data is collected or used. Users must also be informed about the data collection and use. As the GDPR defines it, “Consent must be freely given, specific, informed, and unambiguous.”

Several privacy bills introduced in the US in 2021 included strict opt-in requirements for users’ consent to both the collection and sale of personal information. However, no privacy legislation actually passed in the US to date has included opt-in consent. All users must be notified about data collection and use, but getting their consent before data collection is not required.

To date, all United States that have passed data privacy laws have favored an opt-out model. This means that, with some restrictions and requirements, controllers can collect information without first obtaining consumers’ consent. Users do have to be notified about data collection, use, and their rights, and user consent is sometimes required to be allowed to sell or share data, or or use it for personalized advertising or profiling.

This applies to adults, and there are often specific provisions regarding collection or sale of minors’ personal information. More commonly in US law, however, prior consent may only be required for access to sensitive data or the personal data of children, which requires consent by a parent or guardian for children under a certain age.

Consumers in the US are to date most familiar with what’s known as a strict opt-out model. With this version, data controllers have to provide consumers with reasonable mechanisms via which they can opt out of usage (usually sale) of their data. For example, the CCPA requires websites to include a link on their websites with a clear version of the language: “Do Not Sell Or Share My Personal Information”. Some laws, but not all, require users to be able to change or withdraw previously given consent at any time as well.

This model places the burden of action for privacy protection and exercising of their rights on adult consumers. If the consumer does nothing, a company can collect and sell their data. No state laws passed to date have included provision to enable consumers to opt out of the collection of their personal information, just the sale of it. Additionally, no states have passed laws requiring prior consent for data collection.

This consent model is newer in the US, but is quickly gaining popularity for its flexibility and is the model used in a number of state bills that have been introduced. This is also the model adopted in the Virginia Consumer Data Privacy Act (VCDPA). It combines aspects of both the opt-in and opt-out models, mainly depending on the type and sensitivity of the information in question.

Under this model, consumers would have a right to opt out of collection and sale of their information, but if they haven’t exercised that right, a controller would be able to collect and sell it. This would apply to something like an email address, for example. But the controller would not be allowed to collect or sell sensitive personal information, like racial or health information, unless they obtained explicit consumer consent first.

Under the various states’ privacy laws, consumers have fairly consistent rights. However, as they are not identical, companies do need to be clear on consumers’ rights in each relevant state. Under the CCPA, consumers have the following rights:

• to know what personal information a business has collected about them
• to request and receive the personal information that a business has collected about them
• to request that their personal information collected by a business be deleted
• to know if their personal information is/has been sold or disclosed, and to whom
• to refuse the sale, disclosure, or use of their personal information by the business that collected it
• to not be discriminated against for exercising their privacy rights

When the CPRA is enacted in 2023, consumers will have these additional rights:

• to request and have inaccurate data collected about them be corrected
• to limit use of data categorized as sensitive personal information
• to request information about automated decision-making and the likely outcomes of using such processes
• to opt out of the use of automated decision-making technology with regards to personal information

Consumers rights under Virginia’s CDPA are mostly a combination of those under both California laws. It is also likely that in the future laws will evolve, or new laws will include more detail on issues of technology and automation where use of consumers’ data is concerned.

Interestingly, only under California’s laws do consumers have private right of action, or the ability to sue companies for alleged privacy rights violations. This provision has been a point of contention for bills in other states, and significantly contributed to the first bill in Florida not passing. Private right of action was not included in Florida’s Digital Bill of Rights (FDBR) that passed in 2023. In most states, complaints must be submitted to the Attorney General, who will have responsibility for investigating allegations of violations and enforcing the law.

Each privacy law defines what constitutes user data or personal information, and typically splits it up into categories based on how easy it would be to use it to identify an individual. Information classified as “sensitive” is subject to stricter controls for access, security and use, since it can present a greater risk to individuals if it is misused.

If you can identify a person with a point of data, either on its own or in combination with a limited amount of other data, it’s personally identifiable information (PII). “Personally identifiable information” is the commonly used term in the United States, though under the GDPR it’s called “personal data”. Sensitive PII is also sometimes referred to as “linked data” because it is directly or almost directly linked to, and can reveal, an individual’s identity.

While many organizations and government agencies use the term PII, the meaning can vary, and it’s not a standardized legal term or definition. Companies need to confirm PII and sensitive PII definitions under the state laws to which they are subject.

For a deep dive on definitions of personally identifiable information and data sensitivity, check out our article: Personally Identifiable Information (PII) vs. Personal Data – What’s the difference?

In some US laws, like California’s CCPA, the opt-out model is used, so companies do not have to obtain consumers’ consent before collecting personal information. They only have to obtain explicit consent before selling the information. This has become fairly standard as other states have passed their own privacy laws. The Definitions section of the CCPA includes:

“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

However, the definition of “sale” under the CCPA is actually broader than the average consumer might think, and includes a variety of consumer-led disclosure examples, interactions with third parties, and other scenarios. The CPA’s definition of “sale” is nearly identical to the CCPA’s. Companies are advised to carefully research what actions constitute sale of personal information under any state laws to which they are subject. There are some differences in the definition of sale across state-level privacy laws.

For companies looking to do business in the US, it is also important to be clear on specific definitions of “consumer”. For example, under the CCPA, employees of companies doing business in California are also defined as consumers. Companies must notify employees, contractors, and job applicants when their personal information is collected. The data collected can only be used for specific reasons provided in notices to employees. Under the CDPA in Virginia, and the Colorado Privacy Act, however, employees, for the purposes of their data, are explicitly excluded from definitions of “consumer”. This designation varies among other states’ privacy laws as well.

As mentioned, the provisions of various states’ privacy laws apply explicitly to legal adults. There have already been a number of lawsuits under the CCPA regarding unauthorized collection and sale of the personal data of minors — including biometric data — so companies are advised to be extra careful if there is a possibility of minors’ data being accessed or sold. Additionally, different provisions for different age ranges apply under different laws. Under other state-level privacy laws passed to date, “child” can refer to people from 13 to 18 years of age, and some laws have additional provisions for children between 13 and 16.

Under the CCPA, businesses cannot knowingly sell the personal information of people under 16 years of age without explicit consent. If the individual is between 13 and 16 years old, they can provide their own consent. But if under the age of 13, consent would have to be obtained from a parent or guardian. Note that this does not apply to collection of minors’ personal information, just the potential sale.

Under Colorado’s Privacy Act, controllers can’t process “sensitive data” without first obtaining consent from the parent or lawful guardian of any “known child”, wherein child is defined as someone under 13 years of age.

It’s clear that companies have to obtain consumers’ consent for the sale (and sometimes collection) of personal information. However, if a consumer refuses consent, is that forever? Is there a term limit on consent or refusal of consent?

Under the CCPA, if an individual opts out of the sale of their information (like clicking a “Do Not Sell Or Share My Personal Information” link) the company cannot solicit their consent again for “at least 12 months”. How often consumers can submit requests to companies for copies of their data is also limited under the laws. The length of time for which consent is valid varies under different laws around the world, and can vary from 6 months to 2 years.

More state-level privacy laws were passed in the first part of 2023 than those combined in previous years, and more are sure to follow. The state-level laws also show rapid evolution of thought and adaptation for technology and other considerations.

While the GDPR was influential on California’s laws, and California’s laws were influential on Virginia and Colorado’s laws, each state’s implementation of privacy law differs in moderate ways. Companies need a full understanding of what states’ laws are relevant to them, their operations, and consumers with whom they do business. If and when the US passes a federal law, there will be a great deal more to learn and comply with.

If your company processes US residents’ data, you need to be aware of and comply with one or more different data privacy laws in the states where you operate or have customers. There are multiple provisions to keep track of, including whether the law applies to you, what constitutes personal data, privacy notice requirements, and consent conditions. Noncompliance can lead to costly fines, legal action, and damage to your brand reputation and customer trust.

We’ve created a series of handy checklists to guide you in ensuring you’re protecting customers’ personal data and are compliant with the different US privacy laws.

Checklists for US privacy law compliance for EU companies:

• VCDPA Compliance Checklist for Virginia
• CPA Compliance Checklist for Colorado
• CTDPA Compliance Checklist for Connecticut
• UCPA Compliance Checklist for Utah
• NPICICA and SB-260 Amendment Compliance Checklist for Nevada
• LGPD

For more compliance checklists, visit:

• Checklists

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.