Comparing State-Level Privacy Acts: GDPR and CCPA in Focus
There are several state-level consumer privacy laws in the US that have been enacted or are under consideration. Here are some of the major ones and how they differ from the GDPR and CCPA:
1. Virginia Consumer Data Protection Act (CDPA)
Signed into law in March 2021, the CDPA is set to go into effect on January 1, 2023.
This act is considered to have many similarities to California's CCPA.
It gives Virginia residents the right to know what data is being collected about them and how it is being used and shared.
It imposes obligations on businesses that process data on a large scale and specifies additional requirements for protecting sensitive data and children's personal data.
2. New York Privacy Act (NYPA)
The NYPA was introduced in the New York Senate in 2021 but has yet to be enacted into law.
This act is considered to be the most comprehensive privacy bill introduced in the US.
The NYPA would give individuals the right to control their personal data and make it easier for people to access this data and delete it.
Businesses would have to provide clear disclosure about their data collection practices and receive explicit consent before collecting any personal information.
3. Washington Privacy Act (WPA)
The WPA was introduced in 2021 but did not pass through the Washington Senate.
This act focuses on consumer data privacy protections.
It requires businesses to make their data practices transparent and provides individuals with meaningful control over their personal information.
It also includes provisions for civil penalties and private rights of action.
4. California Consumer Privacy Act (CCPA)
The CCPA went into effect on January 1, 2020.
It gives California residents the right to know what data is being collected about them and how it is being used and shared.
It requires businesses with gross annual revenues over $25 million to comply with specific privacy regulations, such as allowing users to opt out of the sale of their personal information and making it easier for individuals to obtain their collected data.
The CCPA provides for both statutory damages and private rights of action.
5. General Data Protection Regulation (GDPR)
The GDPR is a European Union data protection law that came into force in May 2018.
It applies to all organizations that process the personal data of EU individuals, regardless of where the organization is located.
The GDPR gives individuals the right to access, rectify, and erase their personal data, restrict or object to its processing, and receive it in a structured and machine-readable format.
It also requires organizations to provide clear and easily accessible privacy policies, obtain explicit consent for data processing, and have data protection policies and technical measures in place.
In summary, there are several state-level consumer privacy acts in the US that differ in their specifics but aim to protect individuals' data privacy rights. Both the GDPR and CCPA have influenced these privacy laws by providing a model for organizations to follow in terms of data protection and individual rights. While different in their scope and details, the trend of increased privacy legislation shows that companies will need to continue to prioritize data privacy and take steps to comply with evolving regulations.