·  Legal News, Analysis, & Commentary


GDPR vs. U.S. State Privacy Laws

— September 19, 2023

With so many different laws and regulations to keep track of, it can be difficult for businesses to maintain compliance and prevent innocent mix-ups or mistakes. 

These days, privacy is beginning to feel more like a privilege than a right. Once a consumer creates a profile on a new dating app, enters an email address in exchange for that coupon code to a free pint of Jeni’s Splendid Ice Cream, or keeps tabs on how far they’ve walked this month with an Apple Watch, can anyone say with confidence that they know what happens with that data? 

Is it floating around the ether of the internet? Is it holed up in some dusty corporate database? Is it being shared with shadowy third-party data brokers? 

Or is it being carefully managed under the good stewardship of a business, one that scrupulously follows privacy best practices while using that information to inform business decisions and improve products and services? 

The questions about what happens with personal data have been plaguing businesses and consumers alike for decades. One of the goals of privacy professionals is to bring privacy issues into clearer focus for businesses—and an important place to start is understanding the scope of privacy legislation. And if you’re going to have this conversation, you have to take a close look at the General Data Protection Regulation (GDPR) and U.S. state privacy laws. 

Why should companies be thinking about GDPR and state privacy laws? 

If your company is the victim of a security breach, it’s not just your company’s information being jeopardized. Also at risk are the names, contact information, credit card numbers, and other personal identifiable data of your clients and customers. And even if you were not at fault for the incident, you may still be held liable—and you may even end up owing damages to any individuals whose information had been compromised. 

Privacy policies aren’t just about legal compliance, though. Paying attention to privacy is especially important for building consumer trust well before a potential cyber attack. In fact, research shows that 76% of companies that invested in privacy saw an increase in customer trust and loyalty. 

What is the GDPR?

The General Data Protection Regulation, or GDPR, implemented in May 2018, is a European Union law that requires organizations to protect personal data and uphold the privacy rights of anyone in the EU. It’s regarded as the toughest privacy and security law in the world.

The GDPR doesn’t just apply to organizations based in the EU, though. Anyone who collects, stores, transmits, or otherwise processes the personal data of anyone in the EU must comply with the GDPR, meaning that it can affect organizations all over the world. 

And by personal data, we’re talking about any information about an individual: name, contact information, IP address, eye color, relationship status, political party, religious affiliation—you get the gist. 

Even if the information in question may seem inconsequential, the policies relating to it certainly aren’t. Those who violate the GDPR’s privacy and security standards can be fined up to tens of millions of euros. 

A brief history of the GDPR

Privacy protection has been a matter of importance since before the age of the internet. As stated in the 1950 European Convention on Human Rights: “Everyone has the right to respect for his private and family life, his home, and his correspondence.” 

Based on this solid foundation, the EU has continued to protect the right to privacy. In 1995, in light of technological advances and expanded use of the internet, it passed the European Data Protection Directive, which established minimum data privacy and security standards that each member state then implemented as part of its own legal framework. 

As technology continued to evolve with online banking, social media, and online shopping, the data protection authority declared a need for “a comprehensive approach on personal data protection.” This came shortly after a 2011 lawsuit in which Google was sued for scanning emails. 

In 2016, the GDPR was passed by the European Parliament. And on May 25, 2018, it was fully in effect, requiring compliance from organizations of all sizes around the world. 

What’s covered in the GDPR? 

Essentially, the GDPR sets guidelines for organizations that handle any personal information pertaining to EU residents. At its core, it’s about giving individuals control over their data, whether it involves finances, email addresses, demographic information, or other items. 

The GDPR establishes several rights for individuals, including:

  • The right to be informed
  • The right to access
  • The right to rectification
  • The right to erasure/to be forgotten
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights related to automated decision making and profiling 

In plain English, this means that EU residents have the right to understand how their data is being used—and can even ask companies to delete certain information. 

U.S. privacy law

Meanwhile, on the other side of the pond, data privacy is a bit of a different story. Unlike the cohesive omnibus law provided by GDPR, the US is more of a privacy wild west. 

“We have these companies that are amassing just gigantic amounts of data about each and every one of us, all day, every day,” said Kate Ruane, senior legislative counsel for the First Amendment and consumer privacy at the American Civil Liberties Union. “Your data is being taken and it is being used in ways that are harmful.” 

And as data continues to grow and multiply, so do privacy laws—and yes, we said it, laws. 

The U.S. equivalent of the GDPR would be federal laws and security standards—but we don’t have a single privacy law that covers all types of consumer data. Instead, what we have is a variety of individual state privacy laws and sectoral privacy laws. 

State privacy laws

In addition to the multitude of federal sectoral privacy laws, there are five states that have their own privacy policies: California, Colorado, Connecticut, Utah, and Virginia. Each law takes a position on individual rights regarding their personal information, but they also consider how organizations should handle data (acquire, store, and protect) and notify consumers of their policies and rights. 

Let’s look at each one in turn.

California Consumer Privacy Act/California Privacy Rights Act

The California Consumer Privacy Act (CCPA) of 2018 and its amendment, the 2020 California Privacy Rights Act, secure privacy rights for consumers including:

  • The right to know how their collected personal information is used and shared
  • The right to delete their collected personal information
  • The right to opt-out of the sale of their personal information
  • The right to non-discrimination when exercising CCPA rights

These rights apply to any consumer (which is defined to include consumers, B2B, and employees) who is a California resident and any for-profit organizations doing business in California and:

  • Earns more than $25 million in revenue per year OR 
  • Collects or processes 100,000 consumer records per year OR 
  • Derives 50% of its annual revenue from selling personal information

Under CCPA/CPRA, businesses are required to take the following steps to ensure their privacy obligations are met: 

  • Establish a compliant privacy policy and update it annually 
  • Maintain a data inventory to track data processing 
  • Notify consumer before at point of data collection 
  • Establish a Do Not Sell My Personal Information page on your website 
  • Inform consumers how their data is being used and how to make individual rights requirements

CPRA expands upon the business obligations set forth in CCPA, requiring businesses to: 

  • Establish reasonable data security protocols
  • Adhere to contractual obligations for vendors 
  • Maintain limited defense against private action 
  • Follow data minimization practices

Colorado Privacy Act

The Colorado Privacy Act (CPA), which will go into effect on July 1, 2023, allows Colorado residents to opt-out of targeted advertising and the sale of their personal information, along with certain types of profiling. They will also have the right to access, correct, and delete their personal data. 

This policy applies to any organization that does business in Colorado, including delivering products or services to Colorado residents, and that:

  • Controls or processes the personal data of 100,000 or more Colorado consumers annually
  • Processes or controls personal data of 25,000 or more Colorado residents AND receive revenue from or a discount on the price of goods and services from the sale of personal data 

Notably, under CPA, there is no threshold for annual revenue or percent of revenue from selling personal data.  

To ensure compliance, businesses that fall under the jurisdiction of the CPA must ensure they complete the following measures:

  • Establish a clear and accessible privacy policy
  • Minimize data collected and avoid secondary use of collected data
  • Obtain clear, freely given consumer consent for data collection and use
    • Consent must also be clear and affirmative for collecting categories of sensitive personal information
  • Establish and maintain reasonable data security protocol
  • Ensure contracts with vendors are compliant with CPA
  • Conduct regular risk assessments

Connecticut Data Privacy Act

The Connecticut Data Privacy Act (CTDPA), also called the Personal Data Privacy and Online Monitoring Act, will go into effect on July 1, 2023. It establishes the following rights for Connecticut residents:

  • The right to know whether a controller is processing their personal information
  • The right to access, correct, delete, and/or obtain a copy of their personal information
  • The right to opt-out of the processing of their personal information

This policy applies to individuals or entities that: 

  1. Conduct business in Connecticut and
  2. Control or process personal data during the preceding year of at least either: 
    1. 100,000 consumers, excluding personal data controlled or processed solely for completing a payment transaction, or 
    2. 25,000 consumers who derived more than 25% of their gross revenue from selling personal data.

Under the law, businesses that meet the above thresholds must:  

  • Limit collection to adequate, relevant, and reasonably necessary information 
  • Clearly explain in a privacy notice what information is being collected and why 
  • Disclose both internally and externally access to any information collected 
  • Limit use of collected information to disclosed purposes 
  • Clearly detail how consumers can enforce their rights 

CTDPA also obligates businesses to:  

  • Provide reasonable “administrative, technical, and physical” data security measures  
  • Establish compliant contracts with all vendors 
  • Complete data protection assessments for all activities that risk data exposure

Utah Consumer Privacy Act

Sign saying We Respect Your Privacy; image by Marija Zaric, via
Sign saying We Respect Your Privacy; image by Marija Zaric, via

The Utah Consumer Privacy Act (UCPA), signed into law on March 24, 2022, allows Utah residents similar rights as other states when it comes to their personal data:

  • The right to access, delete, and/or obtain a copy of their personal information processed by a controller
  • The right to opt-out of the sale of their personal data, or the usage of personal data for targeted advertising 

This policy applies to any for-profit organizations that do business in Utah or deliver products or services to Utah residents and as an annual revenue of $25M OR meets one or more of the following thresholds: 

  • Controls or processes the personal data of 100K or more consumers annually 
  • Derives over 50% of gross revenue from the sale of personal data and controls or processes the data of more than 25K consumers 

The $25M annual revenue threshold limits the impact of UCPA on small businesses that may be subject to laws in other states. Additionally, large companies with greater than $25M in revenue could be exempt if they don’t collect data above the stated thresholds.  

The UCPA requires that companies establish an easy-to-understand privacy policy that details what data is collected, why, who it’s shared with, and how consumers can exercise their rights. Businesses also must provide reasonable data security measures, and provide a clear opt-out mechanism for consumers.

Virginia Consumer Data Protection Act

The Virginia Consumer Data Protection Act (VCDPA), passed on March 2, 2021, grants certain rights to Virginia residents regarding their personal data, including:

  • The right to know, access, and confirm personal information
  • The right to correct and delete personal information
  • The right to opt-out of the processing and sale of personal information for targeted advertising and profiling purposes
  • The right to non-discrimination when exercising said rights 

This policy applies to any organizations that do business in Virginia or deliver goods or services to Virginia residents. Businesses also need to: 

  • Process sensitive data of at least 100,000 Virginia residents annual OR
  • Process the sensitive data of at least 25,000 consumers AND derive at least 50% of gross revenue from said sale

Unlike the CCPA, there isn’t a business revenue threshold. 

Sectoral privacy laws

Privacy laws for different sectors of the economy (like finance, education, and health) apply to specific types of data, in specific circumstances. Get ready for some acronyms!

  • CAN-SPAM: Also known as the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003, which guards against unwanted marketing emails
  • TCPA: Telephone Consumer Protection Act of 1991, which guards against unwanted telephone marketing calls and some telemarketing practices
  • HIPAA: No, the “P” in HIPAA does not stand for “privacy,” as many people mistakenly assume. In fact, the Health Insurance Portability and Accountability Act is less about data privacy and more about communication between individuals and covered entities—health care providers, pharmacies, and insurance companies, for example. It has become the de facto standard for health care privacy.
  • FCRA: Fair Credit Reporting Act applies to information found in your credit report—who can see it, what information can be collected by credit bureaus, and how it can be collected.
  • FERPA: Family Educational Rights and Privacy Act keeps educational institutions from disclosing identifiable information without consent, ultimately giving parents and students more control over their educational records.
  • GLBA: Gramm-Leach-Bliley Act doesn’t exactly keep financial institutions from collecting and sharing data—but it does require them to disclose that information to consumers, and to ensure the security and confidentiality of consumer records and data. 
  • ECPA: Electronic Communications Privacy Act restricts government agencies from wiretapping phone calls and other electronic signals. Because this law was passed in 1986, well before the internet age, many consider it outdated, as it doesn’t apply to data stored online. 
  • COPPA: Children’s Online Privacy Protection Rule restricts data collection for children under 13 years of age. 
  • FTC Act: Federal Trade Commission Act was created to monitor and prevent deceptive or unfair business practices by anyone involved in commerce, including banks. 

How to comply with GDPR and U.S. privacy laws

With so many different laws and regulations to keep track of, it can be difficult for businesses to maintain compliance and prevent innocent mix-ups or mistakes. 

Running a business is hard enough. Companies have lots of people they need to keep happy. Now consider all the different approaches to data processing that a company needs to follow to run an efficient organization and simultaneously comply with various privacy laws. On top of that, there are occasions when a single individual and their data may fall under multiple policies. 

Sound like an ongoing logistical nightmare? It certainly could be. But fortunately, there are ways for businesses to run smoothly and protect the privacy of their consumers by implementing technical and operational measures to protect personal information. 

A few places to start:

  • Run a data inventory. Sometimes referred to as a “data map” or “data mapping,” a data inventory is a comprehensive record of all the data your company holds, including who has access to it and how it is being used. 
  • Update your privacy notice. Spell out exactly what, when, and how your customers’ data is being used—and make sure it’s easily accessible and readable. 
  • Assess your vendors for privacy compliance. Whether it’s for email marketing, credit card processing, IT, or otherwise, you need to pay attention to what any third-party vendors are doing with your customers’ information—because as their contracting company, you will be held fully liable for any customer data that is compromised. 
  • Set up a privacy preference center, which allows website visitors to choose whether to opt in or out of your cookie policy. 
  • Train your staff on privacy best practices. Offer ongoing professional development opportunities so that the people handling your customers’ data stay up-to-date on ever-evolving privacy laws. 
  • Work with a privacy consultant. Consider working with an experienced privacy consultant so that you don’t have to wonder whether you’re maintaining compliance with privacy laws—or how to do it. 

Join the conversation!