U.S. companies have watched over the past year or so as companies within the European Union’s domain have been hit with heavy fines for violating the terms of GDPR. With data breaches and privacy violations now commonplace throughout the world, it might seem concerning to some that U.S. companies do not face the same consequences for failing to protect personal data. In reality, U.S. companies do face consequences, but they can be complicated.
Firstly, a company’s obligation to a person affected by a data breach depends in part on the laws of the state where the person resides. State laws vary: some offer free credit monitoring for a given amount of time, and a resident of one state may be notified sooner than someone in another state. Companies themselves are also under the jurisdiction of the state where they are headquartered or primarily do business. In addition to state laws that differ based on geography, most federal privacy laws are written to regulate specific industry sectors. Overall, the U.S. is falling short in protecting personal data, but it does have specific and prescriptive regulations for collecting and handling financial data, health data and children’s data.
The increased frequency and scope of data breaches, along with the patchwork of data protection requirements that vary by state, underscore why the federal government is considering a sweeping, national data privacy law that will hold more businesses accountable for protecting data. However, some states are not wasting any time.
Starting this January 1, Gov. Jerry Brown’s California Consumer Privacy Act (CCPA) will officially be law. The new legislation aims to provide consumers with specific rights over their personal data held by companies. Privacy advocates say it is generally positive, being very similar to GDPR, and that it provides flexibility for continual refinement of the requirements in the future.
Although the CCPA will be good for consumers, companies under the law’s domain will have to make significant efforts to implement the requirements. It will add yet another layer to the scheme of divergent U.S. data protection laws that companies already struggle to reconcile. However, the CCPA is the first law of its kind in the U.S., and it could set a precedent for other states. Because it applies to most companies that do business with individuals residing in California, the sweeping new law promises to have a major impact on the privacy landscape not only in California but in the entire country.