
New Data Privacy Laws in US Reflect GDPR-inspired Approach

  • Jan 31, 2023

Updated: May 22, 2023

Starting in 2023, several states in the United States, including California, Colorado, Connecticut, Utah, and Virginia, will implement data privacy laws that are based on the European Union's General Data Protection Regulation (GDPR). This marks a significant shift in the philosophy of data privacy laws in the US, and more states may adopt similar measures in the future.

In the past, the United States' data privacy laws were centered around preventing harm through a targeted approach. This meant that regulations were put in place for certain industries, such as finance (the Gramm-Leach-Bliley Act, GLBA), healthcare (the Health Insurance Portability and Accountability Act, HIPAA), and education (the Family Educational Rights and Privacy Act, FERPA), among others. These regulations limited how organizations in these areas could use personal information.


On the other hand, the EU follows a "rights-based" approach, which means that people have complete ownership of their personal information and the legal authority to manage it. This perspective is based on the GDPR, which has been enforced since 2018 and is deeply influenced by the history of European countries.

The US has implemented new data privacy laws that were inspired by the principles of the GDPR. These laws create a distinction between "data controllers" and "data processors" to determine how personal data is collected, used, and processed. As a result of these laws, individuals now have various rights. These rights include the ability to access, correct, transfer, or delete their personal information. Furthermore, individuals can also provide their consent or appeal against a business's rejection related to the sale or use of their data for personalized advertising.

Key principles established by the GDPR, such as data minimization, transparency, informed consent, and best cybersecurity practices, are also reflected in the new US state laws. These principles guide businesses on how to protect personal data and respond to potential breaches.

Below is a brief overview of the new state data privacy laws that will take effect in 2023:

  1. California Privacy Rights Act (CPRA): Effective Jan. 1, 2023. Amends the existing California Consumer Privacy Act (CCPA) and creates a new state agency for enforcement.

  2. Colorado Privacy Act (CPA): Effective July 1, 2023. Creates GDPR-like individual rights and requires data security provisions for vendors and assessments for "high-risk" processing.

  3. Connecticut Data Privacy Act (CDPA): Effective July 1, 2023. Establishes GDPR-like individual rights and mandates data minimization, security, and assessments for "high-risk" processing.

  4. Utah Consumer Privacy Act (UCPA): Effective Dec. 31, 2023. Provides GDPR-like individual rights and requires data security and contract provisions.

  5. Virginia Consumer Data Privacy Act (VCDPA): Effective Jan. 1, 2023. Provides GDPR-like individual rights with a right to opt out of certain processing.

The new laws are broad in scope but have exceptions for data already protected by other laws like HIPAA. It is important to review them carefully to understand their reach and the penalties they may entail.


The enactment of these statutes marks a major shift in US data privacy laws, moving towards a rights-based framework akin to Europe's GDPR. As the landscape of data privacy continues to evolve in 2023, this approach is expected to shape the future of data privacy protection in the US.

 
 
 
