Four common approaches to comply with data privacy laws in the U.S.

Published 7/25/2024 by Thierry Maout, 5 min read

Summary

As of June 2024, 18 comprehensive data privacy laws have been signed into law in the United States, and more are expected to join in the next few months. 

 

Each law has its own set of provisions, making U.S. privacy challenging to navigate even for the most diligent DPO or legal department. How can you ensure continued compliance with such a rapidly changing set of complex laws?

 

In this article, we provide you with an up-to-date comparison chart that comprehensively examines each law before sharing four common approaches we've observed working with U.S. clients.

 

U.S. State privacy laws comparison chart

 

Didomi - United States Privacy law legislation tracker

 

What are some common approaches to complying with data privacy in the U.S.?

 

As our U.S. state privacy law comparison chart above shows, while the number of data privacy laws can seem overwhelming at first, there are some similarities and common points between states that allow for grouping strategies.

 

It won’t escape most of you that these commonalities usually reflect the political leaning of each state, something our VP of Product Development brought up in an op-ed published last year:

 

“The political divide in state-level privacy laws reflects a broader ideological difference.

Conservative states prioritize economic growth and entrepreneurial spirit, while liberal states emphasize consumer rights and protections. This dichotomy is a microcosm of national-level debates and a primary reason the U.S. hasn't seen a federal privacy law despite long-running rumors and conversations.

For a nationwide law to take shape, there will need to be a bridging of this ideological divide. The challenge will be crafting legislation that provides robust consumer protections while fostering a healthy business environment.”

- Jeff Wheeler, Vice President of Product Development at Didomi. (Source: Exploring the political divide in U.S. privacy laws, Didomi blog)

 

With this in mind, and given that several state laws are relatively similar in their provisions, requirements, and obligations, how can your organization approach collecting, processing, storing, and leveraging user data in the U.S.?

 

Working with U.S. customers, partners, and collaborators, our team has found that the best strategy requires a subtle balance between outlining requirements, understanding business needs and objectives, and defining law interpretations.

 

We find that there are four main ways organizations can go about complying with data privacy laws in the U.S.:

 

Didomi - Balancing risk and complexity

 

Approach 1: Apply the EU GDPR globally

The European Union’s General Data Protection Regulation (GDPR) is one of the most stringent data privacy regulations. 

 

As such, especially for EU-based businesses that have already done the groundwork internally to implement processes and data privacy practices to comply with it, applying GDPR everywhere is a “safe bet” and will almost certainly ensure you’re on the right side of the law, regardless of where you or your users are.

However, keep in mind that GDPR compliance often exceeds the requirements of U.S. states.

 

For example, from a user experience perspective, displaying consent banners and adopting strict data collection practices in states that follow an opt-out model might not be advisable. This could even be counterproductive and negatively impact your marketing performance by leaving revenue on the table for the sake of a “one-size-fits-all” approach.

 

Approach 2: Apply CCPA/CPRA everywhere

The California Privacy Rights Act (CPRA) is arguably one of the most restrictive data privacy laws in the U.S. As with the previous approach, using it as the default regulation across the U.S. is a straightforward way to ensure compliance with most other state privacy laws with a minimal setup.

Again, however, the caveat is that you will likely miss out on revenue in more permissive states and disregard subtleties regarding specific provisions from one state to another, which could be problematic from a regulatory standpoint.

Approach 3: Leverage Global Privacy Control

Global Privacy Control (GPC) is a browser setting that allows users to communicate their privacy preferences on websites they visit. As of the time of writing this article, some state laws, such as the Colorado Privacy Act (CPA), require businesses to read GPC signals (applying opt-out choices made by users in their browsers), while others do not.

 

For some U.S. organizations, this is an effective way to segment state laws and build a data privacy strategy accordingly, delivering two experiences to their users:

 

  • GPC is required: Apply the GPC signal and opt-out choices accordingly. 
  • GPC is not required: Maintain an opt-out model by default and don’t apply GPC signals.

 

This is one way to comply with stringent privacy laws when necessary while leaving the door open to more revenue where the legislation is more lenient.
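One way to implement the two-experience split described above, as an added example that is not Didomi's code: a server-side check that reads the browser's Global Privacy Control request header (Sec-GPC, as defined in the W3C GPC specification) and applies the opt-out only in states the organization has classified as GPC-required. Colorado is the only state named in the article; the contents of that list and the treatment of visitors whose state cannot be determined are assumptions.

```javascript
// Added example (not Didomi's code): apply a visitor's Global Privacy Control
// (GPC) signal only where the organization's policy says the state requires it.
// Browsers with GPC enabled send the request header "Sec-GPC: 1"
// (client-side, the same flag is navigator.globalPrivacyControl === true).

// States classified as "GPC required". Colorado (CPA) is the example given in
// the article; any further entries are an assumption to be confirmed by counsel.
const GPC_REQUIRED_STATES = new Set(["CO"]);

// True only for the exact value "1"; anything else is treated as "no signal".
function hasGpcSignal(headers) {
  const raw = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return raw !== undefined && String(raw).trim() === "1";
}

// Decide the consent posture for one request.
//   headers           - request headers (Node-style lowercase keys or as sent)
//   stateCode         - two-letter US state from geolocation, or "" if unknown
//   honourWhenUnknown - assumption: if the visitor cannot be placed, honour the
//                       signal rather than risk ignoring it in a GPC-required state
// Returns { optOutSale: boolean, reason: string }.
function decideOptOut(headers, stateCode, honourWhenUnknown = true) {
  const state = (stateCode || "").trim().toUpperCase();
  if (!hasGpcSignal(headers)) {
    return { optOutSale: false, reason: "no GPC signal; default opt-out model applies" };
  }
  if (state === "") {
    return honourWhenUnknown
      ? { optOutSale: true, reason: "GPC present, state unknown; honoured by policy" }
      : { optOutSale: false, reason: "GPC present, state unknown; not honoured by policy" };
  }
  if (GPC_REQUIRED_STATES.has(state)) {
    return { optOutSale: true, reason: `GPC honoured: ${state} requires reading the signal` };
  }
  return { optOutSale: false, reason: `GPC present but ${state} not classified as GPC-required` };
}

// Constructed sample requests for a quick check.
const samples = [
  [{ "sec-gpc": "1" }, "CO"],
  [{ "sec-gpc": "1" }, "TX"],
  [{}, "CO"],
  [{ "sec-gpc": "1" }, ""],
];
for (const [headers, state] of samples) {
  console.log(state || "??", decideOptOut(headers, state));
}
```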

 

Approach 4: Adopt a state-specific approach

The fourth method is to take a state-by-state approach, customizing your strategy for each regulation.

 

While this is understandably the most demanding method to implement early on and requires time and energy to manage over time, it is also clearly the most revenue-friendly, as it allows full flexibility based on the organization's specific requirements.

 

Using a multi-regulation Consent Management Platform (CMP) like Didomi can help reduce complexity and offer the flexibility to implement whichever approach fits your specific business needs.

 


 

The future of state privacy laws in the U.S. (trends and predictions)

 

Managing data privacy in the U.S. can be challenging and daunting, but as we've seen, organizations have several strategies at their disposal and can pick the one that best fits them.

 

A federal law (APRA) appears to be around the corner, which adds another layer to the equation: Will the federal law take precedence over state laws for specific provisions, or the other way around? If so, in what circumstances? What about states without consumer privacy laws in place?

 

Despite these questions and challenges that have yet to be addressed in detail, sponsors of the law are enthusiastic about the ongoing bipartisan effort: 

 

“This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information."

- Chair Cathy McMorris Rodgers (R-WA), House Committee on Energy and Commerce, Chair Maria Cantwell (D-WA), Senate Committee on Commerce, Science and Transportation (source: Committee on Energy and Commerce)

 

Meanwhile, as the FDA and state agencies such as the California Privacy Protection Agency (CPPA) have hinted at increased enforcement, implementing a comprehensive data privacy strategy is critical for U.S.-based businesses. To discuss your challenges and how Didomi can help, get in touch with our team.

 


 

Frequently Asked Questions (FAQ)

 

How many comprehensive data privacy laws are currently in effect in the U.S.?

As of June 2024, 18 comprehensive data privacy laws have been enacted across various states in the U.S.

 

Why is it challenging to stay compliant with data privacy laws in the U.S.?

Each state has its own set of provisions, making navigating and ensuring compliance difficult, especially with the rapid changes and additions of new laws.

 

What approaches can businesses take to comply with data privacy laws in the U.S.?

Organizations have various ways to approach the patchwork of laws in the U.S. Four popular approaches include:

 

  • Applying the EU GDPR globally
  • Applying the CCPA/CPRA everywhere
  • Leveraging Global Privacy Control (GPC)
  • Adopting a state-specific approach

 

Is there a possibility of a federal data privacy law in the U.S.?

There are ongoing discussions and a growing likelihood of a federal data privacy law. Learn more here.