Are U.S. Data Privacy Laws So Different from the GDPR After All?

Many people in the data privacy community will tell you that the GDPR (General Data Protection Regulation) is the gold standard of privacy law and that new U.S. state privacy laws fall short.

This view is not entirely correct, but it’s easy to see why it’s so prevalent. One reason is the GDPR’s opt-in model versus the opt-out model used in the U.S.

In the EU, organizations cannot use your personal data unless they have a lawful reason, such as consent. In the U.S., organizations are permitted to use your data unless you object.

What seems like a straightforward rule becomes rather more complex when you consider special cases.

Sensitive data

In both the U.S. and the EU, there is a special kind of personal data that’s considered sensitive.

Sensitive personal data includes information pertaining to an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, or sexual orientation. It can also include Social Security numbers and financial information.

The U.S.’s rules regarding sensitive data are closer to the GDPR, with federal-level laws unanimously requiring organizations to obtain consent before processing it.

Like the GDPR, federal laws also differentiate special categories of information, such as data processed for targeted advertising or profiling.

In most states, data controllers cannot process such data without the consumer’s consent.

If the information can be sold, the data controller must provide the consumer with notice and a method to avoid the sale.

By contrast, the GDPR requires notice of the processing or sale but does not require a method to opt out.

Another difference between U.S. and EU data privacy laws is in documenting DPIAs (data protection impact assessments).

The GDPR outlines the requirements for this process in Article 35, which states that a DPIA is necessary for data processing involving:

  • Automated individual decision-making, including profiling
  • Processing on a large scale of special categories of data
  • Systematic monitoring of a publicly accessible area

In the U.S. states that have privacy laws, DPIAs are likewise required in certain situations.

For example, the most recent federal data privacy legislation – the Indiana Data Privacy Law, which came into effect in May 2023 – states that data controllers must conduct and document a DPIA for processing activities that involve targeted advertising, profiling, and sensitive data.

Additionally, a DPIA is required whenever the organization intends to sell the personal data that it processes.

Although DPIAs are required in many state jurisdictions, the requirements can be different.

Some require the controller to get a DPIA from any processor, but most use the same criteria that were adopted by Indiana.

What does this mean for your organization?

At first glance, the steady rise in state-level data privacy laws is making the U.S.’s already complex regulatory landscape even more difficult to navigate.

Legislation such as Indiana’s Data Privacy Law and another recent addition, the Virginia Consumer Data Protection Act, has created tougher rules with stricter punishments for those that fail to comply.

Meanwhile, 16 states have introduced data privacy bills during the 2022–2023 legislative cycle. This includes Illinois, Massachusetts, Minnesota, New York, and Pennsylvania, which have all proposed similar rights to those found in existing legislation.

Organizations that operate across state lines will have to manage a patchwork of regulations and will almost certainly need to strengthen their own practices.

However, tougher regulation might help organizations in the long run. Better data privacy will mitigate the risk of security breaches, class action lawsuits, and lost business due to disruption and reputational damage.

Plus, it’s only a matter of time until every state implements data privacy legislation, so it’s a good idea to stay ahead of the curve and gain a competitive advantage while you can.

As for managing multiple sets of requirements, this is where the GDPR can help. It’s the premier data protection legislation in the world, and most regulations that have been implemented since follow a similar framework.

By following the GDPR’s requirements, you can be confident that you’ve met – or have the tools to meet – any state-level data privacy law.

You can learn more about the GDPR and the ways it can help you meet your data protection requirements by reading our green paper: General Data Protection Regulation (GDPR) – A compliance guide for the US.

This free guide explains how and when the GDPR applies in the U.S. and the steps you can take to ensure your organization’s transatlantic data processing practices meet its requirements.

You’ll also learn about the Regulation’s core principles and data subject rights, and the benefits of GDPR compliance.

We also provide tips on how to write your data privacy notice and guidance on how to improve your understanding of its compliance requirements.