When the General Data Protection Regulation went into effect on May 25, 2018, parts of the internet became unavailable to users in the European Union.
Sites that didn’t comply with the comprehensive privacy law risked steep fines of up to 20 million euros (around $22.9 million) or 4 percent of their total global turnover, depending on which was higher. Some website operators that hadn’t prepared just blocked access to the EU while they scrambled to become compliant. The Los Angeles Times and the Chicago Tribune were among those.
Compliance with the new privacy law meant a new way of doing things on the internet. It meant changing how sites sought consent from EU residents to collect their data and allowing them to opt out without penalty. It also meant providing ways for them to correct or remove data already collected about them.
Unlike the EU, the United States does not have comprehensive data privacy laws at the federal level (yet). Instead, it takes a patchwork approach to online data privacy. Some states — like California, Colorado and Virginia — have enacted robust data privacy laws. Most states, however, currently rely on the minimal federal-level laws or state-level data breach laws to keep their residents’ data safe.
But interest in online data privacy is growing. And that could mean a GDPR-like impact in the way online companies do business. Here’s what you need to know about where data privacy laws are across the country and where they are headed.
The State of Data Privacy Laws in the United States
- The United States does not currently have a comprehensive online data privacy law like the GDPR.
- All U.S. jurisdictions have data breach laws. These require companies to alert customers when their data has potentially been compromised.
- California has the most comprehensive data privacy law currently in effect. Colorado and Virginia have passed comprehensive online data privacy laws that will take effect in 2023.
- Proposed online data privacy laws have exploded lately at both the state and federal levels.
- To adapt to these new laws, companies will need data strategies that prioritize user consent and privacy.
When It Comes to Privacy, Federal Law Is Very Sectoral
Even without something like the GDPR at the federal level, the United States still has some nationwide laws dealing with information privacy, though they tend to be very sectoral.
For example, the Health Insurance Portability and Accountability Act, or HIPAA, addresses how consumers’ health data can be used, shared and by what groups. Laws like the Fair Credit Reporting Act do that in the financial sector. Other examples include the Gramm-Leach-Bliley Act in the financial sector and the Family Educational Rights and Privacy Act that safeguards students’ data.
While these laws do apply to the online space, they aren’t specific to online data privacy concerns like the GDPR. Online data privacy can mean the same kinds of personal identifiable information that exist in offline spaces. But it usually means details like IP address, search behavior, site visits and online purchasing activities. Namely, the online behavioral information about consumers that can be tracked through cookies.
The closest thing to a comprehensive online data privacy law at the federal level is the Children’s Online Privacy Protection Act. COPPA sets standards for how companies can interact with children under 13 and their data online.
The Basics of COPPA
- Companies cannot deceptively collect identifying data of children under 13 and must seek consent from legal guardians.
- Sites cannot require children to turn over information about themselves for access. They (or their guardians) can opt out.
- Companies must safeguard children’s data and respond to deletion requests by legal guardians.
- Companies can only release (including sell) information to groups that can maintain it in keeping with the standards of the law.
- COPPA is enforced by the Federal Trade Commission and breaking it can cost a company up to $43,792 per violation in civil penalties.
Aside from the narrowly focused federal laws, all states — and U.S. territories and protectorates like Guam, Puerto Rico and the Virgin Islands, as well as the District of Columbia — have data breach laws. These laws basically require companies to notify users if their data may have been exposed or compromised.
California, Virginia and Colorado Have the Most Comprehensive Data Privacy Laws
Only California, Virginia and Colorado have laws that approach the detail and impact of the EU’s GDPR. All three will take effect in 2023.
California Lead the Charge With the CCPA and CPRA
California has been at the forefront of comprehensive data privacy laws in the United States with the California Consumer Protection Act, which went into effect in 2020. Then later that same year, it passed the California Privacy Rights Act.
The CCPA gives California residents more control over their online data and restricts what companies can do with it. Under the law, Californians have the right to know what information companies collect about them. They have the right to request companies change or delete the information already collected about them. And the CCPA ensures consumers the ability to opt out of the sale of their information.
The law applies to certain for-profit companies — nonprofits and government sites are exempt. Covered companies are those that either gross over $25 million, make half or more of their annual revenue from selling Californian’s information, or buy, receive or sell the personal information of 50,000 or more Californians.
Companies cannot condition website access on Californians exercising their rights under CCPA. Companies must also include specific information about their privacy policies. This includes the type of information collected and what the company plans to do with it.
Californians can file a complaint with the attorney general’s office, which enforces the CCPA, but cannot take action against a company directly except in very specific circumstances. Only when a consumer’s data is exposed through company negligence, for instance, can they seek damages (of no more than $750 per incident).
Shortly after the CCPA took effect, California passed the CPRA. It replaced and amended several elements of the CCPA. In general, the CPRA expanded the privacy protections of the CCPA and increased the regulations on businesses.
For example, the CPRA requires companies to allow Californians to opt out of third-party sharing of their information for advertising purposes. It also requires companies forward consumer requests to groups like data brokers it sold or shared that information with.
The CPRA also expanded covered data to include “sensitive personal information.” This includes social security numbers, bank account numbers, exact geolocations, detailed demographic information, sexual orientation, political and religious affiliation, biometrics and the actual content of personal communications like texts and emails.
Most notably, the CPRA created a new enforcement group, the California Privacy Protection Agency. The five-person board can update existing online privacy regulations and adopt new ones. CPRA also increased the standard fines for CCPA violations. CCPA had a maximum civil penalty of $750 per violation. CPRA raised that to $2,500 per violation against adults and up to $7,500 per violation against Californians a company knew were under 16 years old.
Virginia and Colorado Followed California’s Lead to Protect Data
Data controllers can be any group that conducts business in Virginia or delivers goods or services “targeted to residents of the Commonwealth.” They must also either control or process the personal information of more than 100,000 consumers per year, or derive revenue or other benefits from the sale of the personal data of at least 25,000 consumers. State and local governments or Virginian institutions of higher education are exempt from the law.
The law requires data controllers to be transparent with Virginians about what data they collect, and why and how they will use it (including sharing with or selling to third parties). Virginians have the right to opt out of having their data collected and to request companies change or delete existing data.
The VCDPA covers “information that is linked or reasonably linkable to an identified or identifiable individual.” This does not include anonymized data or publicly-available information. Groups seeking to collect sensitive data — racial or ethic origin, religious beliefs, mental or physical conditions, biometric data, sexual orientation, citizenship or exact geolocations — from Virginians must get their direct permission first. In the case of children under 13, groups seeking to collect sensitive data must get permission from a legal guardian.
Like California, the VCDPA vests the state’s attorney general with enforcement powers. It does not, however, set up a new enforcement agency. Civil penalties of up to $7,500 per violation can apply. Fine money will go into a Consumer Privacy Fund, which will be used to pay for enforcement efforts.
About three weeks after Virginia’s law passed, Colorado’s Consumer Protection Act was introduced (and passed in July 2021) with almost exact language.
Key differences between the VCDPA and the CPA deal with definitions and how fines are handled. The CPA does not include exact geolocation in its definition of sensitive data like the VCDPA does. And violations of the CPA are treated as deceptive trade practices. This can come with fines of up to $500,000 per violation and up to $3 million per series of violations in civil penalties, depending on the nature of the violation.
More Comprehensive Online Data Privacy Laws Are Coming
Clearly, there are a lot of approaches to online data privacy right now, with more coming in the next year. According to Julie Rubash, chief privacy counsel at Sourcepoint, a privacy software company for digital marketers, staying compliant with the variety is manageable — for now.
There’s been an “exponential increase” in the online privacy legislation recently, Rubash said.
According to the National Conference on State Legislatures, 25 states introduced comprehensive data privacy legislation in 2021. Not all those proposed bills survived their states’ committee chambers, however. Eighteen are still under consideration in their legislatures in early 2022, according to the International Association of Privacy Professionals.
There is also a proposed federal-level data privacy law that could have a major impact on businesses: the TLDR Act. While “TL;DR” usually refers to internet slang for “too long; didn’t read,” when it comes to the TLDR Act, it means “terms-of-service labeling, design and readability.” Instead of a lot of legal boilerplate in a website’s terms of service, the TLDR Act would require increased clarity and common-language explanations in website privacy policies.
Companies would have to include a short, easy-to-read summary at the top of the terms of service, according to Rubash. These summaries would include total word count and approximate reading time, what sort of sensitive information the site collects, what correction or deletion rights a user has and how to use them, historical versions of the terms of service and a list of data breaches the site has had in the past three years. Anyone operating a website for commercial purposes, except small businesses, will be required to have these summaries.
A Major Shift Could Also Be Coming for Advertising
Increased transparency about how sites collect and use consumers’ data isn’t the only effort on the federal docket. U.S. Rep. Anna Eshoo, from California, introduced the Banning Surveillance Advertising Act in the House on Jan. 18. The following day, New Jersey’s Sen. Cory Booker introduced a companion bill in the Senate. The bills would prohibit advertisers from using most forms of consumer’s personal data to target online ads.
The bills focus on “surveillance advertising,” namely, ads that follow individuals across devices and use very personal information. The bills would prohibit targeted ads based on protected class information and from data sourced from data brokers. Contextual advertising — like advertising based on what content someone has engaged with online — would still be allowed under the proposed law.
Rubash acknowledged that some people feel that “ad tech is evil or is abusing data,” but she doesn’t think the sentiment is the majority view. Still, she described the sentiment behind the bills as “a reminder to the advertising industry as a whole to ensure that, across the entire industry, we are insisting on responsible, transparent data use.” This includes not allowing negligent or bad actors in advertising to tarnish the industry’s reputation, she said.
A Path Forward for Data-Collecting Companies
Comprehensive data privacy laws have forced companies to take a much closer look at their data policies — and that’s good, according to Rubash. But the onslaught of new data privacy laws means companies that rely on consumer data will need to prepare for a more privacy-focused future.
Depending on how the proposed laws turn out, the United States could quickly become even more of a patchwork of data privacy approaches than it already is. That could be very cumbersome for businesses, Rubash said. Even though comprehensive online data privacy laws are few and far between, she said companies need to take a comprehensive approach to compliance.
“Rather than trying to find the loopholes and make workarounds, it’s important to take a holistic look at all of your data processes and really start to approach it from an ethical and responsible standpoint. And insist that all of your partners do the same,” she said.
“Brands, agencies and publishers need to create advertising strategies that respect user preferences and stop using personalized information for one-to-one targeting ... Those that have adopted a wait-and-see approach need to catch up, as more privacy restrictions are inevitable.”
Aphrodite Brinsmead, senior product manager at Permutive, a company that provides privacy-safe infrastructure for publishers and advertisers, also said that companies looking for workarounds will only add to the issues the advertising industry faces with consumer trust. Instead, companies need to find ad tech solutions that “align with a privacy-safe future.” Ultimately, it means having a solid data strategy.
“A good data strategy means redefining data practices across every department, taking into consideration user consent, privacy and security systems,” she said. For advertisers, for instance, that means using “only consented and owned (first-party) data signals for targeting and reducing the use of personal identifiers and third-party trackers.”
A bad strategy, on the other hand, is running business as usual, Brinsmead said. Not adapting to the coming changes means campaigns won’t reach their desired audiences and ad dollars will be wasted at best and companies could receive fines for violations at worst. Not to mention the potential to continue to erode consumer trust and invite more regulation.
“Brands, agencies and publishers need to create advertising strategies that respect user preferences and stop using personalized information for one-to-one targeting,” Brinsmead said. “Those that have adopted a wait-and-see approach need to catch up, as more privacy restrictions are inevitable.”