A Bill for an American Privacy Rights Act has been unveiled. If enacted, it would be a national data privacy standard. The Bill as currently drafted includes requirements for data minimization, marketing rights (opt-out), and individuals' rights such as the right of access, right of accuracy and right to erasure. The Bill also includes data security provisions, “executive responsibility” and a national data broker register. It is difficult to say at this point what impact, if any, this would have on businesses operating from the UK in the US.
Currently, US data privacy laws are implemented on a state-by-state basis. Most are based on the CCPA in California but tend to apply to organisations that may operate in the state even if they are not based there; there are usually thresholds for applicability that consider what the data is used for, how many data subjects it relates to and the financial turnover of the organisation.
Here’s a summary of the current state of US State data privacy laws:
- California Consumer Privacy Act (CCPA) – in force since Jan20
- Colorado Privacy Act – in force from Jul23
- Connecticut Personal Data Privacy and Online Monitoring Act – in force from Jul23
- Delaware Personal Data Privacy Act – comes into force Jan25
- Florida Digital Bill of Rights – comes into force Jan24
- Indiana Consumer Data Protection Act – comes into force Jan26
- Iowa Consumer Data Protection Act – comes into force Jan25
- Kentucky Consumer Data Protection Act – comes into force Jan26
- Maryland Online Data Privacy Act – comes into force Oct25
- Minnesota Consumer Data Privacy Act – comes into force Jul25
- Montana Consumer Data Privacy Act – comes into force Oct24
- Nebraska Data Privacy Act – comes into force Jan25
- New Hampshire (SB 255 – Expectation of Privacy) – comes into force Jan25
- New Jersey – comes into force Jan25
- Oregon Act on consumer personal data protection – comes into force Jul24
- Tennessee Information Protection Act (TIPA) – comes into force Jul24
- Texas Data Privacy and Security Act – comes into force Jul24
- Utah Consumer Privacy Act – comes into force Dec23
- Virginia Consumer Data Protection Act – in force since Jan23
If you provide services and meet the thresholds in any of the states highlighted in bold above, you should check whether the law applies to your business and, if so, consider the compliance implications (e.g. you may need to update your privacy policy for state-specific privacy controls).