Many EU companies have their own ideas on what US Privacy laws mean for the, Here are three of the more common myths out there, busted.
I don’t have physical presence in the US so the laws don’t apply to me.
- Like GDPR, CCPA, CPRA, CDPA, CPA and soon Utah’s UCPA follow the data processing and apply to Non-US companies.
- When you click through those adtech standard agreements you are making reps, even EU law reps like “valid consent” that are subject to, and may be adjudicated under, US law.
The US doesn’t care about cookies and has no comprehensive privacy law.
No, the US doesn’t have a Federal privacy law, but it does have:
- California’s comprehensive privacy law
- Three comprehensive privacy laws coming into effect in 2023
- 30+ state privacy bills filed in 2022 alone
- BIPA, CUBI and other biometrics laws being enforced, even against tech developers
- COPPA, which features 7-digit fines for cookie compliance on websites and an endorsement from the President regarding a children’s privacy law
- 50+ data breach laws that are being continuously enforced in class action lawsuits.
The California Attorney General already has enforced cookie compliance in the context of Do Not Sell. CCPA prohibits dark patterns in Do No Sell opt outs and the CPPA will be enforcing adherence to the General Privacy Controls browser-based opt outs.
OK but I did GDPR so I should be fine, right?
- You still need to figure out sales and “do not sell”
- Loyalty programs may be a financial incentive and require additional analysis
- I’ll have a DPIA with that -> longer list for DPIAs
- CPRA privacy notices require additional things (categories, sharing in last 12 months)
- US DPAs require additional things (level of compliance, de-identified information, audit)
- Specific requirements for deidentified data (contractual, policy and tech)