By Camilla Nightingale and Andrew McClelland – The Data Protect
The USA is a complex landscape for anyone trading into or doing business in that region. With each state commanding its own laws, tariffs, and customs, it is important to keep fully abreast of the details from state to state.
In the past, the USA has been known for taking a different approach to Data Privacy compared to that of the UK and Europe. However, since the introduction of the GDPR in 2018 in the UK and Europe, the general US ‘harm prevention’ approach has begun to shift to a more ‘rights-based’ approach, which is more in line with the UK and European approach to Data Privacy.
So what has changed and what is upcoming?
California has very much taken the lead with change in Data Privacy in the USA. As early as June 2018, just after the GDPR came into force over here, California signed the CCPA into law, and in January 2020 it became effective. Since then, the Act has been amended and expanded, including the passing of Proposition 24, which came into effect in January this year and will be fully enforced by July 1, 2023.
The CCPA intends to give the residents of California some rights in relation to their Data Privacy. In particular, these rights include:
- Knowing what personal data of theirs is collected by an organisation
- Knowing whether the data is sold or disclosed and to whom
- The opportunity to say NO to the sale of their personal data
- Requesting that an organisation delete any relevant personal data
- Not being discriminated against for exercising their privacy rights
Additionally, Proposition 24 focuses on:
- Not sharing Personal Data upon the consumer’s request
- Providing consumers with an opt-out from having sensitive personal data shared in advertising or marketing
- Obtaining permission for Personal Data collection from users under the age of 16
- Obtaining permission from parents or guardians for Personal Data collection from users under the age of 13
- Correcting a user’s Personal Data upon their request
- Prohibiting the retention of Personal Data for longer than is necessary
- Strengthening accountability measures by requiring companies to undertake risk assessments and cybersecurity audits with regular submission to the regulator
The CCPA applies to all organisations in California that have annual gross revenues in excess of $25M; buy, receive, or sell the personal data of 100k or more consumers or households; or earn more than half of their revenue selling consumers’ personal data.
What became clear in 2022 is that Data Privacy is a growing priority across the US states. Year on year there was a 106% increase in Data Privacy bills considered across the US, which further consolidates the increase in the importance of this for businesses and consumers.
There are now five states that have fully enacted comprehensive consumer privacy laws. These are California, Virginia, Colorado, Utah, and Connecticut. There are also five states considering comprehensive consumer privacy bills for the first time; these are Georgia, Vermont, Maine, Indiana, and Michigan.
If your business or organisation has access to or is processing US Data Users’ Personal Data, you will need to have a greater awareness of the developments in Data Privacy management on a state-by-state basis. In the last few months, California, Virginia, and Utah have all now made their Privacy Acts effective. In July 2023, Connecticut and Colorado propositions will also be made effective. With a further 17 states all with proposals ‘in committee’, we fully expect further progression later this year. The challenges and complexities will always lie within the details, and whilst many of the US states are changing their position on Data Privacy regulation, this will not be consistent in approach. Already we are aware of some states focusing their requirements on different areas or aspects of Data Privacy. For example, some of the terms, definitions, or qualifying criteria, as well as the application and level of enforcement fines, are already demonstrating variations from state to state.
So how does this affect retailers and business owners in the UK? If you are trading with the US, or looking to further expand your business relationships into that market, it would be wise to demonstrate that you are aware of these Data Privacy developments. All UK businesses that are compliant with GDPR will already have processes and mechanisms in place to manage many of the changes that will be taking place in the US. There may be requirements to manage the data sets, or at least be able to segment the data sets by jurisdiction (and for the US, this would mean by state), and to demonstrate compliance if required to do so by your business partner or Data Privacy regulator.
Additionally, there is further opportunity to demonstrate proficiency in these ‘changes’ in your business’ PR and marketing positions, as well as in support requests within your Sales funnel. With our GDPR ‘Rights led’ culture towards Data Privacy firmly established here in the UK and across Europe, we have already adapted our business policies, processes, and cultures, and this may be beneficial in pitching for contracts, especially if the remit is global.
If you have employees based in the US, you will certainly need to be fully abreast of these details, whether this is fully understanding the employee location monitoring clause in California or email and telephone monitoring in Connecticut and New York. As individuals are granted extended rights in the workplace, monitoring and addressing changes as they become effective will need to be reflected in appropriate processes, documentation, and agreements.
In short, 2023 will be an interesting year of development for Data Privacy in the US, and UK businesses have an opportunity to get ahead of the curve and represent a position of strength and experience when approaching business relationships.
For further information about Data Privacy and how your business can manage the US regulations, contact The Data Project at [email protected].