Until 2023, American privacy laws have differed substantially from the European approach to privacy. Traditionally, the American mindset to privacy has been unquestioned acceptance that a person’s online behavior is being tracked for the greater interest of the nation or is a price to pay for buying into our interconnected sharing economy. Alternatively, the European Union’s approach to privacy places an individual’s right to privacy as paramount. Before addressing recent U.S. changes, it is important to understand the European privacy model.
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is a regulation to harmonize all European Union countries’ privacy laws. The GDPR oversees organizations that use individuals’ personal data. Under the GDPR, individuals effectively own their personal data and have a legal right to control how it is used.
How does it differ from U.S. laws?
The GDPR differs from most U.S. state privacy laws because U.S. states do not require controllers of information to establish a lawful basis for processing personal data. The European model regulates all forms of data, while the U.S. model chooses to implement only sector-specific data protection laws to safeguard data. The GDPR values privacy as the default, whereas American laws require a person to explicitly opt out of data collection schemes to reap the benefits of privacy.
How are U.S. states Shifting the American Privacy Mindset?
Five U.S. states, including California, Virginia, Utah, Connecticut and Colorado have ratified comprehensive privacy laws that resemble the European mindset towards protecting individual’s personal data. The first comprehensive state privacy law went into effect in California in 2020. The California Consumer Privacy Act (CCPA), gives individuals the right to know about the personal information businesses collect about them and how it is used, the right to delete collected personal information, the right to opt-out of the sale or sharing of their personal information, and the right to limit the use of sensitive personal information. Virginia’s new regulations and data policy went into effect on January 1, 2023. Colorado’s and Connecticut’s new privacy laws go into effect on July 1, 2023 and include similar rights and protections as preceding states. Utah’s new regulatory scheme, which protects against data collection and selling right’s of personal data, will go into effect at the end of the year.
Since the enactment of these new-era privacy laws, additional states are beginning to follow suit. In 2023, Delaware, Nevada, Maine, Michigan, Minnesota, and Vermont have enacted tailored privacy legislation. Ten other states have introduced comprehensive privacy bills in 2023. As technology continues to evolve and raise questions about how these new developments are using and exploiting personal data, we should expect more states to continue the trend of shifting its stance on privacy protection.
How are new privacy laws affecting businesses?
Comprehensive legislation generally affects businesses that collect and use personal data. As new privacy laws seek to better protect and regulate an individual’s personal data, these new policies will likely impact a wide range of businesses and how they use or collect personal information. Although state regulations and enforcement mechanisms are still in the drafting phase for many states, we can expect broad rules, including issues relating to automated decision-making, consumer consent, and risk assessments. Covered businesses should continuously monitor these developments and be prepared to update their business practices and compliance strategies. While many state regulation and enforcement regimes overlap, they are not identical. Covered businesses under new privacy laws should use broad-reaching compliance strategies to ensure compliance with multiple state regimes if they are subject to regulation in multiple states.
How will recent privacy trends affect Florida businesses?
On May 4, 2023, the Florida legislature passed SB 262, a consumer data privacy bill. Titled “Florida Digital Bill of Rights,” the legislation contains restrictions to the collection of personal data of children between the ages of 13-18, search engine disclosures, and consumer rights, including opt out provisions of the collection and processing of personal data for the purposes of “targeted advertising.” In addition, organizations that control deidentified data, data that cannot be attributed to an individual, must take reasonable measures to ensure that the data cannot be associated with an individual and implement business practices to prevent the release of data.
