In the USA, there is no comprehensive data protection law covering all states. With the new California Privacy Rights Act (CPRA), California has once again strengthened the data protection rules of the California Consumer Privacy Act (CCPA), which were already the strictest in America. One could say the CPRA has aligned California with the EU’s GDPR/DSGVO standards (see also “Less than 90 days to go – are you GDPR compliant?”, co-authored by Michael Magotsch). So, is it now “All Quiet on the Western Front”?
Far from it. German companies can also fall under the scope of CCPA and CPRA if they meet certain criteria. It is also not necessary for a company to be based in California: the CCPA can apply extraterritorially to companies targeting consumers that reside in California. The creation of the California Privacy Protection Agency (CPPA) means California now has the first state-level data protection authority in the USA.
Do Not Sell or Share my Personal Information
With the CPRA, GDPR/DSGVO-like data subject rights regarding the collection, processing, and disclosure of personal data are being introduced in the USA. In the future, consumers in California will be able to opt out of any data sharing for the purposes of cross-context behavioral advertising. Consumers must not suffer discriminatory disadvantages, such as higher prices, as a consequence of exercising these new consumer protection rights.
The CPRA also provides additional protections with respect to sensitive personal data. Links such as “Limit the Use of my Sensitive Personal Information” will be seen more frequently on websites in the future. Even though there are similarities to the GDPR/DSGVO requirements we are familiar with, there are differences and special features.
Caution in the life sciences and healthcare sector
Caution is particularly advisable in the life sciences and healthcare sector. Here, there are strict compliance requirements under other US laws, such as the Health Insurance Portability and Accountability Act (HIPAA) regarding network and process security measures, and the HIPAA Privacy Rule, which protects patient privacy while enabling the flow of health information. Even outside the scope of HIPAA, special data protection requirements apply when health data is stored, and particularly in the manufacture of medical devices that are able to store sensitive data.
Seven Key Questions to Ask Clients
1. Does the client offer products/services to consumers?
If so, they will likely be subject to privacy regulations that protect consumers. In the US these include the laws of 5 states (California, Colorado, Utah, Virginia and Connecticut) and the FTC; in the EU, the GDPR; and there are further privacy regulations in Japan, China, Korea, Canada and India. Even if clients have a business-to-business model but their product ends up being used by consumers, they will be bound by some requirements that they cannot pass off to their business customer.
2. Does the client sell their solutions to large businesses?
If the solution they sell collects any personal information, their large customers will already be subject to all of the privacy regulations and will pass those requirements on to your client. Often, the large customer operates worldwide, so even if your client only operates in the US, they may still be required to meet the requirements of one or more jurisdictions in which their big customer operates.
3. Is the client in a highly regulated industry, such as finance, education, or healthcare?
If so, they will need to consider both their industry-specific regulations as well as general privacy regulations. These often overlap and interact in interesting ways. In addition, many products have some components that are more highly regulated. For example, a company that collects money using credit cards will have at least some part of the business that is subject to the Payment Card Industry Data Security Standard.
4. Does the client sell or share any personal information with other companies as part of their business (even if not remunerated)?
Such a client will have to meet multiple privacy requirements in the various states and under the FTC. These requirements will affect their websites even if they don’t have other online products.
5. Is the client collecting sensitive personal information? This includes gender, age, sexual orientation, health, race, and biometric information.
They will need to focus on how they get consent and how they store and process this information, and as of January 2023 this includes information collected from employees by employers. Nearly every client will fall into this category. They should review how they get consent from employees to make sure that it will meet the new 2023 requirements imposed by the California privacy laws.
6. Does the client target children under 18 years of age?
Privacy rules for children are much more stringent, and the relevant age varies by state and foreign jurisdiction (see also “Parental Access To Data Of Children? The Answer Is Not That Clear,” by John Isaza in Illinois Banker Magazine).
7. Does the client sell globally?
Privacy rules vary by jurisdiction, and there are privacy regulations in almost all major jurisdictions. Moving data across jurisdictions is a major issue that companies cannot ignore. Expanding from one market to another should trigger a careful review and will generally require changes to how the client handles privacy.
Recommended Ongoing Review
The list of policies and processes to be revised is long: privacy policies, websites, consents and notifications, data storage and retention processes, and also data breach plans. Companies should not underestimate the amount of time and the costs involved. Measures start with the revision of their policies and, in many cases, with a complete review of their sample forms.