While speaking recently at the Nordic Privacy Arena in Sweden, I offered Nordic companies seven things they should think about when doing business in the United States.

For your reading pleasure:

  1. Personal data can’t travel to the U.S., but GDPR Art 5 data minimization and purpose limitation are coming to a U.S. state privacy law near you so mind your consumer expectations and secondary uses in the US too!
  2. Don’t be so sensitive (data). A US privacy law definition of sensitive information is greater than or equal to Article 9 personal data. You need an opt out for non necessary uses in California and you need an opt in and a DPIA in Virginia. You need inferences derived from personal information and personal information as well. Also, in the wake of Dobbs, the FTC is also coming after your sensitive data.
  3. Your privacy notice likely needs to be revised, if not for the unique CCPA/CPRA additions (like categories and sharing in past 12 months) then for the higher transparency standard now required (think at least DPC Ireland in WhatsApp). Remember to mind your deceptive design/dark patterns.
  4. You need some more notices. Make sure you have notices at collection and that they include all the CPRA additions (this is similar, but not identical to GDPR first layer notice). Also, make sure your notice of opt out does what it needs to do without any deceptive design (and opt out is as easy as opt in). And finally, make sure your loyalty programs are not financial incentives. If they are, you need to do the analysis and the disclosure.
  5. Mind your cookies. Yes, in the US, really. We now have two annual enforcement reports from the California Attorney General’s Office with cookie enforcement. We have a $1.2 million enforcement against Sephora and an $18 million dollar cookie settlement in Massachusetts. So, it’s time to get a CMP in the US and to make sure the one you pick supports Global Privacy Controls.
  6. You need to amend your DPA. Even an Art 28 DPA isn’t exactly enough for CPRA, but if you have controller to controller sharing you should definitely get your data sharing agreements up to par because CPRA is much more prescriptive on this.
  7. Data Subject Access Requests are coming to employees in California in January 2023, so it’s time to leverage your EU employee DSAR processes, gather your vendors and get ready.