When it comes to consumer rights and data privacy, the USA has struggled to keep pace with the rest of the world. In contrast to Europe’s General Data Protection Regulations (GDPR), which came into effect in 2018, soon followed by Brazil’s LGPD and South Africa’s POPI, this issue is still not addressed at the federal level in the USA.
Delegated to the States, data privacy has not fared well there, with the legislative assemblies of almost twenty of them refusing to pass the necessary laws. So far, only Virginia, Colorado, and California and have taken positive steps towards protecting consumers and their data:
- Virginia’s Consumer Data Protection Act (CDPA) was enacted in March 2021, imposing security and assessment requirements for businesses, while allowing consumers to control how companies use their personal data from January 1, 2023, onwards;
- The Colorado Privacy Act (CPA) is scheduled for implementation on July 1, 2023, endowing consumers with generous opt-out rights that protect the personal data from targeted advertising, sales, and profiling;
- The California Privacy Rights Act (CPRA) comes into effect on January 1, 2023, establishing new obligations for businesses that extend consumer rights over personal data.
Data Privacy Laws in the Pipeline
At the moment, six States are considering data privacy legislation: Massachusetts, Minnesota, Ohio, North Carolina, Pennsylvania, and New York. Here’s a quick breakdown of their progress and the aspects addressed by each of them:
- The Massachusetts Information Privacy Act would require covered businesses and data processors to handle personal information discreetly and fairly, using automated decision systems only to the extent necessary for their purpose; while protecting personal information, they must be honest about the risks of these decision systems and related processing practices;
Current Status: under examination by the Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity.
- The Minnesota Consumer Data Privacy Act Endows consumers with a basket of personal data rights (processing confirmation, correction, deletion, transfer, and opt-out) while imposing privacy protection obligations on certain types of businesses, underpinned by powers of enforcement awarded to the State Attorney General;
Current Status: under examination by the Commerce, Finance, and Policy Group.
- The Ohio Personal Privacy Act gives consumers the right to know what consumer data are collected by businesses, through accessible, clear, and conspicuously posted privacy policies, which must include personal data categories and their sources, together with processes and their processing, collecting, and selling purposes;
Current Status: referred to the Government Oversight Committee on September 16.
- The North Carolina Consumer Privacy Act Endows consumers with the right to know whether a controller is processing personal data and obtaining a copy of this, as well as correcting, deleting, and transferring this information, in addition to opting out of personal data processing for sale, profiling or targeted advertising;
Current Status: Referred to the Committee on Rules & Operations on April 7.
- The Pennsylvania Consumer Data Privacy Act Requires businesses to place a conspicuous Do Not Sell My Personal Information link on a public website that enables consumers to opt-out of the sale of their personal data, with no need to create an account in order to issue this directive;
Current Status: This bill was referred to the Consumer Affairs Committee on April 7.
- The New York Privacy Act requires businesses to state whether personal data is processed or sold, providing consumers with access to this information and the names of any third parties to whom it is licensed or sold, as well as the right to rectify incomplete or incorrect information;
Current Status: forwarded to the Rules Committee on June 10, 2021.
Covering Similar Businesses
Although the specific criteria vary from state to state, these new laws generally target medium to large companies with the following characteristics:
- Consumer listings: 100,000;
- Personal data: 10,000 – 50,000 consumers processed/controlled;
- Revenues: $10 million – $25 million or more;
- Transactions: at least 300 a year;
- Personal data sales: 25% – 50% of gross revenues.
Key Differences among State Data Privacy Bills and Laws
Stressing twin duties of loyalty and care, the NYPA introduces the data fiduciary concept, with a requirement to notify consumers of possibly adverse data processing effects, while forbidding controllers to seek consumer consent through unfair, deceptive, or abusive practices. Compliance requires reasonable safeguards that include annual risk assessments.
Unlike California’s CPRA and Virginia’s CDPA, which offer narrow and no right of private action at all, respectively, the New York bill authorizes a private right of action for violations of any of the listed consumer rights. It also requires data controllers to obtain opt-in consent before processing personal data, in contrast to other state legislation that allows consumers to opt out of selling, sharing, and/or processing their data.
Tech Giants Leading the Way
No strangers to staying ahead of digital trends, Google and Apple are already moving firmly ahead in the data protection game:
- Released in September 2021, Apple’s iOS 15 update ushers in a slew of privacy-protecting measures, including an opt-in requirement for Apple ads, with IP address protection that stops senders from seeing if an email has been opened;
- Google plans to halt the use of third-party tracking cookies in its Chrome browser during the second half of 2023, replacing them with first-party data, with marketers pivoting to groups as their targets, rather than individuals.
Marketers on the Move
There is little doubt that other information sponges (particularly social media platforms) will soon be following suit and imposing constraints. As a result, smart marketers are already switching metrics, tweaking criteria, and restructuring automation flow: almost half are changing how their emails are measured, with 20% planning to run more A/B testing; 16% plan to rework automation flows, and a small percentage are messaging audiences about data privacy in general.
No longer able to gorge on endless streams of data sourced freely from so many complacent Internet users, marketers and their clients must now gear up to become far more selective about information: instead of data guzzlers, they must become data gourmets.
Want more insights?
Subscribe to our weekly marketing tips and advice, delivered straight to your inbox.