
International Law News

International Law News, Winter 2025

New U.S. & EU Privacy Year: More U.S. States Follow EU GDPR & ROI, Over 20 New U.S. State Privacy Laws Follow EU GDPR Lead

Linda V. Priebe

Summary

  • While all the new U.S. State data privacy laws have many requirements in common inspired by the EU GDPR, they also have many critical differences. 
  • Now is the time to make sure your organization understands the extent to which increasing data privacy/protection laws and regulations apply to your operations. 
  • Be sure to assess your risks and adopt changes to reduce those legal risks while enhancing the value of your brands.

In case you missed it, all hope for a national privacy law in the U.S. still appears dashed, but over 20 U.S. states are picking up the slack. Eight new comprehensive consumer privacy laws take effect in 2025 in Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee. They join the eight comprehensive state consumer privacy laws already in effect in California, Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia.

And that’s not all. Three more comprehensive consumer privacy laws will take effect on January 1, 2026, in Indiana, Kentucky, and Rhode Island. A growing number of U.S. states are also enacting what are considered the strictest U.S. state privacy laws since the Illinois Biometric Information Privacy Act (BIPA) was passed in 2008. So far, these Consumer Health Data (CHD) laws have been passed in Washington, Connecticut, Nevada, Maryland, and New York.

California Seeks EU GDPR Adequacy

Regarding California specifically, the Executive Director of the California Privacy Protection Agency told attendees at the 2024 International Association of Privacy Professionals Global Summit in Washington, DC that the California Privacy Rights Act of 2020 (CPRA) amendments, which expanded the California Consumer Privacy Act of 2018 (CCPA) with rights to Consent, Delete, Audit and Minimize, were designed with the goal of California achieving adequacy under the European Union (EU) General Data Protection Regulation (GDPR). When I asked the office of the Delegation of the European Union to the United States of America in Washington, DC a couple of months ago, I was told it is possible for California to achieve EU GDPR adequacy in the form of a partial adequacy decision for the U.S. There is precedent for partial adequacy: Canada’s adequacy decision (which covers only commercial organizations), and the current EU-U.S. Data Privacy Framework (DPF) negotiated by the Biden Administration (which covers only companies certified to the DPF by the U.S. Department of Commerce). If your organization relies on the transfer of, or access to, European personal data in the U.S., you will want to follow these developments for your GDPR compliance.

Good News for EU-U.S. GDPR Personal Data Transfers/Access and FISA 702

While President Trump’s Executive Orders and Actions are still emerging, there is good news regarding Section 702 of the Foreign Intelligence Surveillance Act (FISA 702). The core concern in the Court of Justice of the EU (CJEU) Schrems II ruling of July 2020 was U.S. government access to EU personal data under FISA 702 surveillance programs. A new U.S. federal court ruling has found that warrantless “backdoor” searches of FISA 702 data violate the U.S. Constitution. The Electronic Frontier Foundation has published more information on the ruling.

Warrantless backdoor FISA 702 searches allow the U.S. government to search digital communications, including their content, between U.S. citizens or persons and non-U.S. persons. Requiring the U.S. government to obtain a search warrant before conducting these searches should greatly reduce the number of FISA 702 searches the government is able to conduct. That benefits the targeted U.S. persons, but it also benefits the non-U.S. persons with whom those U.S. persons are communicating digitally. In 2021 alone, the FBI conducted 3.4 million warrantless searches of U.S. persons’ FISA 702 digital communications. Be sure to also watch FISA 702 developments for your EU-U.S. GDPR compliance.

Continued Good News re: U.S. Data Privacy ROI = $2-$5

For those of you worrying about the cost of updating your data privacy/protection compliance program for these new U.S. state laws, there is continued good news: U.S. companies are attracting significant new customers and business opportunities as a result of their data privacy/protection compliance programs. On average in 2024, U.S. companies that did a good job with their data privacy compliance earned $2 to $5 in return for each $1 they spent on data privacy/protection compliance.

NEW U.S. State Privacy Laws More GDPR-like

U.S. state consumer data privacy laws are becoming more like the EU GDPR, with expanded data rights and increased protection for sensitive data, including citizenship/immigration status, reproductive health data, biometric data, data of children aged 13-17, and precise geolocation. Data Privacy Impact Assessments and written vendor contracts, both common in Europe, are now also required by the new U.S. state privacy laws. Here are some highlights, with notable exceptions:

  • New Consumer Rights to: Access, Know/Confirm, Correct (except IA and UT), Delete, and Portability
  • Expanded opt-out consent: for Targeted Ads, Sales, Shares, and Profiling (except UT)
  • New Opt-In Consent for Sensitive Personal Information (except IA and UT; in MD, sales of sensitive data including CHD are very limited), broadly defined to include:
    • Racial or ethnic origin;
    • Religious beliefs;
    • Mental or physical health condition or diagnosis;
    • Sex life or sexual orientation;
    • Citizenship or immigration status;
    • Genetic or biometric data processed to uniquely identify an individual;
    • Personal data collected from a known child; and
    • Precise geolocation data.
  • New Data Privacy Impact Assessments: for Sales, Targeted Ads, Consumer Profiles, and Sensitive Personal Information (except IA).
  • New Vendor Contract Clauses: Written contract clauses, including audit rights, are required for vendor data privacy compliance.

NEW Consumer Health Data (CHD) Laws in WA, CT, NV, MD and NY

New U.S. state Consumer Health Data (CHD) privacy laws have also been passed in Washington, Connecticut, Nevada, Maryland, and New York. The Washington My Health My Data Act (MHMD) is the strictest so far. Maryland’s CHD provisions are contained in its new comprehensive consumer privacy law, the Maryland Online Data Privacy Act of 2024 (MODPA). The New York CHD law follows many of the same themes as Washington’s:

  • regulating health data beyond the state’s borders;
  • a broad definition of health data; and
  • imposing additional obligations, and narrower exemptions, than U.S. state comprehensive consumer privacy laws generally do.

Washington’s CHD law also requires regulated entities and small businesses to maintain, and prominently post on their home page, a separate and distinct link to a CHD privacy policy that clearly and conspicuously discloses:

  • How consumers can exercise their rights.
  • The categories of:
    • CHD they collect, and the purposes for its collection and use;
    • Sources from which they collect CHD;
    • CHD they share; and
    • Third parties and specific affiliates with whom they share CHD.

The Washington Attorney General has enforcement authority and there is a private right of action under Washington’s consumer protection laws.

New U.S. State Privacy Laws Takeaways

  1. The 20+ new GDPR-like U.S. state privacy laws carry the highest risks in: Sensitive Personal Information opt-in consent; children and teens; precise geolocation; new consumer rights; Data Privacy Impact Assessments; vendor contracts; and Consumer Health Data.
  2. Stay tuned for California and EU-U.S. GDPR adequacy developments and FISA 702 legal developments, especially for your EU-U.S. data transfers/access.
  3. Make your data privacy compliance program a profit center with a $2-$5 return on each $1 invested.
  4. Look for opportunities to sell GDPR-compliant data services, especially to small and medium-sized U.S. companies with international operations.

Next Steps

While all the new U.S. state data privacy laws have many requirements in common inspired by the EU GDPR, they also have many critical differences. Now is the time to make sure your organization understands the extent to which the growing body of data privacy/protection laws and regulations applies to your operations. Be sure to assess your risks and adopt changes that reduce those legal risks while enhancing the value of your brands. When you are struggling with the complex maze of new data privacy/protection laws and legal developments in the U.S. and EU, engage U.S. and EU data privacy/protection legal experts.
