Comparing Comprehensive US Privacy Laws: A guide to compliance
This report was updated in August 2023 to reflect the latest developments.
It seems like yesterday that California was welcoming Virginia onto the map of US states with comprehensive privacy laws. Since then, the count has reached a total of 12 comprehensive state privacy laws that now make up the regulatory patchwork in the US. For many organizations, this has meant that the complexity of their compliance obligations has grown seemingly overnight.
While many of the state-level privacy laws in the US contain similar provisions, there are several significant differences that need to be considered in any privacy compliance program. For example, all current privacy laws in the US give consumers the right to opt out of certain types of processing activity such as profiling and targeted advertising. However, precisely which processing activities consumers have the right to opt out of varies from law to law. This, and the differences introduced within the federal legislation, make navigating privacy in the US less than straightforward.
To help you understand the similarities and differences between US state privacy laws in more detail, OneTrust DataGuidance has produced the report "Comparing Comprehensive US Privacy Laws: A guide to compliance", which includes an in-depth and informative analysis of the state of US privacy.
Overview of US privacy law
The privacy landscape in the US has become an increasingly intriguing space to observe over the past two years. The adoption of 12 state privacy laws in a little over three years has created complexities for organizations to overcome, and it is likely that legislators will continue to put forward privacy bills in other states while a federal privacy framework continues to be deliberated.
The American Data Privacy and Protection Act (ADPPA) has been designed to create a national framework for protecting personal data and contains several provisions that mirror those found under the GDPR, such as data minimization and conditions for valid consent. Notably, it is the first draft privacy bill to have bipartisan support.
As with many of the federal privacy bills tabled in the past, there is no certainty that the ADPPA will become law. But what we do know for certain is that the five state privacy laws currently in place will all enter into effect in 2023, and organizations will need to be prepared.
Comparing US privacy laws
It is important for organizations that are covered by several state privacy laws in the US to understand the requirements they need to meet. Developing a single framework that takes into account the most stringent obligations is one solution for simplifying compliance across multiple laws. Organizations may also look to technology with configurable geolocation rules to ensure the correct regulatory requirements are being met based on region, country, or state. To implement either of these approaches, organizations need to have a thorough understanding of the laws they are covered by and how they compare.
This report analyzes the similarities and differences between comprehensive US state laws.
Take a deeper view across a number of key compliance areas including scopes of application, key definitions, the various legal bases for the processing of personal data, controller and processor obligations, compliance with consumer rights, and enforcement.
Download the infographic: Comparing US Privacy Laws in 2023