Since the GDPR went into effect across the EU in 2018, it has provided the minimum baseline that privacy-oriented companies had to consider in their customer-facing applications.
But now, things are getting complicated. Much more complicated.
The GDPR is a new law that applies equally to all companies operating in Europe. If your company manages relationships with European customers, you have a compliance obligation. The law’s requirements are the same in every country, since the law was passed by the European Parliament.
The law is the same in every country, but its enforcement may differ in each country. The teeth of the GDPR are the Data Protection Authorities: each EU member country has an independent DPA that takes consumer complaints of privacy violations, investigates them, and levies fines. Each DPA is responsible for its own investigation and prosecution of privacy violations. As a result, each DPA can choose how aggressive it will be in its investigations and how willing it is to settle issues for fines.
But at least they are all working from the same legal framework and the same rules.
In the US, the landscape is forming much, much differently.
The equivalent of the GDPR in the US would be some type of Federal privacy legislation, but those efforts are not moving forward quickly. In the vacuum, individual US states are exercising their roles as the “laboratories of democracy,” and passing a wide variety of privacy laws.
California’s Consumer Privacy Act (CCPA) went into effect in 2020 and is similar in many ways to the GDPR, including that California voters added a California Privacy Protection Agency to fulfill a role similar to that of a European DPA. While this new law created an additional geographic vector for compliance, the business processes it required were not substantially different from those required by the GDPR.
The Colorado Privacy Act (CPA), passed in 2021, adds the requirement that Colorado consumers have the right to correct their data, something not included in the CCPA.
The Virginia Consumer Data Protection Act (VCDPA), also passed in 2021, excludes employees; requires updates to contracts with data processors; includes protections for citizenship and immigration status information; excludes companies that are already required to abide by certain financial services and healthcare regulations; and adds a right of confirmation, among other differences.
The Utah Consumer Privacy Act (UCPA), passed in 2022, has still more differences, including the right to opt out of targeted advertising.
At the time of this writing, an additional 16 states are considering privacy legislation in the 2022 legislative session, and in an additional 14 states the legislation will be re-introduced in 2023.
It’s plausible that by 2025, businesses will have 30 state-level privacy regulations or more to comply with in the United States alone.
Most company solutions to date have proven brittle or inadequate for this level of dynamism in the legal landscape, which further reinforces the need to manage privacy programs in a more flexible and resilient way. The reality of privacy programs is that they will have to handle data from consumers who live in jurisdictions with different rules, for both internal and external processes. And they will need to do so in a way that allows for continuing evolution as these laws continue to be passed, amended, and superseded over the next decade.