GDPR vs U.S. state privacy laws: How do they measure up?

Another year, another round of new privacy regulations. In 2023, a number of U.S. state privacy laws take effect and will impact many organisations doing business in the United States.

The most significant of these is the California Privacy Rights Act (CPRA), which amends and strengthens the California Consumer Privacy Act (CCPA). The CPRA went into effect on 1 January 2023 and becomes enforceable on 1 July 2023. Other U.S. state laws coming into effect this year include the Virginia Consumer Data Protection Act (VDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CDPA), and the Utah Consumer Privacy Act (UCPA). The VDPA went into effect on 1 January 2023, the CPA and CDPA come into effect on 1 July 2023, and the UCPA comes into effect on 31 December 2023.
 
In this article, we provide an overview of these U.S. state privacy laws and compare and contrast them to the GDPR. In some cases, companies may be able to leverage the work they have completed for GDPR compliance in order to address the requirements under U.S. state laws. The good news is that there are many similarities. At the same time, there are important differences and companies may need to make further compliance efforts in order to bring themselves in line with the new requirements. This is particularly true for companies that engage in digital advertising, due to the complex rules on the "sale" and "sharing" of personal information for behavioral or targeted advertising.
 
We have also prepared a table outlining the key requirements of U.S. state privacy laws, available here: Comparison of US State Laws vs GDPR
 
Summary
 
Before diving in, there are a few general points to bear in mind when approaching the CCPA and other U.S. state privacy laws.
 
Firstly, the U.S. state laws are not as broad or comprehensive as the GDPR. The GDPR is one of the most comprehensive data protection laws in the world and provides an overarching framework for the processing of personal data in the EU. By contrast, U.S. state laws are more targeted in their scope and contain a narrower set of obligations. If you think of the GDPR as a house, U.S. state laws are more like the kitchen – it’s the room where most of the important things happen (and where people tend to congregate during a party) but there are other things going on in the house.
 
Secondly, there are important distinctions between the U.S. state laws. Broadly speaking, you can put the CCPA into one box and the other state laws into another box. The CCPA was the first dedicated state privacy law enacted in the U.S. and has its own particular character, whereas the other laws share a close resemblance and borrow elements from both the CCPA and GDPR. For example, the CCPA adopts terms like "business", "service provider", and "personal information" while the other state laws adopt GDPR terms like "controller", "processor" and "personal data". The CCPA is arguably more detailed and onerous than the other laws (although Colorado's Regulations are quite detailed). The CCPA is also the only law that establishes a private right of action and (starting this year) a regulator dedicated to rule making and overseeing compliance (the California Privacy Protection Agency).
 
Finally, one of the biggest differences between the GDPR and U.S. state laws is their approach to targeted advertising. In the EU, the requirements for targeted advertising are strict and complicated by ePrivacy rules that regulate tracking and access to device and browser information. Depending on context, these requirements impose an opt-in model for targeted advertising. The position under U.S. state laws is different – while the rules are equally complicated, they generally permit targeted advertising on an opt-out basis. The two frameworks also involve different terminology, rights for individuals, and notice requirements. This means that companies engaged in targeted advertising will need to navigate different sets of rules for the EU and U.S.
 
With that in mind, here's a breakdown of how U.S. state privacy laws measure up against the GDPR.
 
Key similarities & differences
 

1. Scope. The GDPR has very broad scope and applies to any organisation that is established in the EU, offers products or services in the EU, or monitors the behavior of EU data subjects. By contrast, U.S. state laws apply to a narrower range of organisations. Firstly, they only apply to companies that conduct business in the relevant state – this depends on state law but generally includes any company that is established in the state or that offers products or services in the state. Secondly, they only apply to companies that meet particular thresholds. These thresholds vary but broadly capture companies that generate significant annual revenue (e.g., $25m), process a significant volume of data (e.g., personal information of 100,000 consumers), or derive a significant proportion of their revenue from "selling" or "sharing" personal information (e.g., 50%). Lastly, U.S. state laws include exemptions for a range of organisations and data types. For example, all of the states (except Colorado) exempt non-profits and all of the states (except California) exempt HR data and B2B data. Other notable exemptions include health information regulated by the Health Insurance Portability and Accountability Act (HIPAA), organisations regulated by the Gramm-Leach-Bliley Act (GLBA), and information subject to the Fair Consumer Reporting Act (FCRA).

 
Remember! As a first step, it's important to assess whether you are subject to U.S. state privacy laws. This is a completely different analysis to the GDPR and some companies may find they don’t meet the relevant thresholds to fall within scope even if they have touchpoints with those states.
 

2. Personal information. Like the GDPR, U.S. state privacy laws adopt a broad definition of personal information (or personal data). For example, the CCPA defines personal information as "any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household". Unlike the GDPR, however, all of the U.S. state laws exclude publicly available information. This difference is particularly significant for organisations that collect and process publicly available information as part of their core business, such as recruiters and marketers. The other important difference is how U.S. state laws define information that is "non-personal" and therefore outside scope. While the GDPR applies a very high standard for "anonymisation", U.S. state laws consider "de-identified" data to be outside scope so long as the company has implemented certain technical and organisational measures.

 
Remember! Information that has been "de-identified" for the purposes of U.S. state privacy laws is unlikely to meet the (stricter) standards for "anonymisation" under the GDPR. In many cases, information that has been "de-identified" still falls within scope of the GDPR as it is merely "pseudonymous". 
 

3. Sensitive information. Broadly speaking, the GDPR and U.S. state laws consider the same categories of data to be "sensitive" – including, for example, health information, genetic and biometric data, race or ethnic origin, and religious beliefs. However, U.S. state laws include some additional categories. Most notably, the CCPA includes precise geolocation, certain identification information (including social security number, driver's license, and state ID or passport no.), certain types of account information (in combination with the password or credentials), and certain communications content (including mail, email and SMS content). Apart from these definitional differences, the rules around the collection and use of sensitive information also vary. For example, if you are processing sensitive personal information for purposes that go beyond the core permitted purposes, California and Utah adopt an opt-out model while Virginia, Colorado, and Connecticut adopt an opt-in model similar to the GDPR.

 
Remember! If you are processing personal information to identify or infer sensitive characteristics about individuals, then you have to consider the patchwork of rules under the GDPR and U.S. state privacy laws. There are important differences between the requirements so this will require careful analysis. 
 

4. General obligations. U.S. state laws share some of the general obligations for controllers (or businesses) as the GDPR, including the principles of data minimisation and purpose limitation. They also expressly prohibit controllers from discriminating against individuals, including when individuals seek to exercise their privacy rights (which would be prohibited under the GDPR's fairness principle). Another common feature is that the GDPR and U.S. state laws require controllers to conduct a risk assessment for processing that presents a significant or heightened risk of harm (the GDPR uses the term "data protection impact assessments", while the CCPA refers to "risk assessments" and the other U.S. laws refer to "data protection assessments"). For now, there is uncertainty as to how these obligations will be interpreted and enforced – for example, the California Privacy Protection Agency is still drafting regulations that will set out when and how businesses are required to complete a risk assessment under the CCPA. However, given these obligations are partly inspired by the GDPR it's likely there will be areas of overlap.

 
Remember! U.S. state laws do not require controllers (or businesses) to establish a lawful basis for processing. However, one of the key obligations for controllers under the GDPR is to identify (and document) a lawful basis for every processing activity – which, in certain circumstances, may require opt-in consent.
 

5. Transparency. Unsurprisingly, both the GDPR and U.S. state laws require controllers to be transparent about how they collect, process and share personal information. The good news is that the notice requirements for most of the U.S. state laws are similar to the GDPR and include, for example, a description of the categories of information processed, the purposes for processing, and the individual's privacy rights. The bigger challenge is addressing the CCPA notice requirements, as these are more prescriptive and detailed than the other U.S. state laws. For example, a CCPA compliant notice must include confirmation as to whether the business has actual knowledge that it sells or shares personal information, as well as a description of the categories of personal information sold or shared, and the categories of third parties with whom personal information is sold or shared. Many companies choose to include a separate CCPA section within their privacy policy or provide a separate CCPA notice in order to address these requirements.

 
Remember! If your privacy policy is GDPR compliant, then it should satisfy many of the notice requirements under U.S. state laws. However, you should pay special attention to the CCPA notice requirements as these are more prescriptive and detailed. While there are many ways to peel a kiwi, many organisations choose to supplement their general privacy policy with a separate section for the CCPA and/or U.S. state laws.
 

6. Privacy rights. The GDPR and U.S. state privacy laws give individuals a number of similar rights, including access, correction, deletion, and data portability. There are also similar deadlines for responding to requests, with controllers having one month (plus a possible two-month extension) under the GDPR and 45 days (plus a possible 45-day extension) under U.S. state laws. However, there are nuanced differences between these rights and additional rights to consider. The most significant of these is the right under U.S. state laws for individuals to opt out from the "sale" or "sharing" of their personal information for targeted advertising. The rules vary between the states. For example, California, Colorado and Connecticut define a "sale" to include the exchange of personal information for monetary or valuable consideration while Virginia and Utah only refer to monetary consideration. California refers to "cross-context behavioral advertising" while the other U.S. states refer to "targeted advertising". California and Colorado also include specific provisions relating to opt-out preference signals.

 
Remember! Under U.S. state laws, one of the most important questions is whether you are "selling" or "sharing" personal information for targeted advertising. This could apply to many companies given the ubiquity of digital advertising. If you are caught, the rules are complex and require careful navigation. This is also an area where the requirements under the GDPR and U.S state laws differ considerably.
 

7. Data processing terms. Under Article 28, the GDPR requires controllers and processors to enter certain terms (often included in a "data processing agreement" or "DPA"). U.S. state laws also have certain contracting requirements, but there are considerable differences between the CCPA and the other U.S. state laws. While the CCPA focuses primarily on restrictions around the service provider's use of personal information, including a commitment to only use personal information for the specified business purposes and not to "sell" or "share" personal information, the requirements under other U.S. state laws are more similar to the GDPR and include following the controller's instructions and commitments around confidentiality, security, and deletion. All of the U.S. state laws (including the CCPA) require the contract to address sub-processors (or subcontractors) but they vary as to whether the contract must specify flow-down requirements, notification obligations, and/or objection rights for sub-processors.   

 
Remember! If your DPA includes a general set of terms that are GDPR compliant, then it should satisfy many of the contracting requirements under U.S. state privacy laws. However, you should pay special attention to the CCPA contracting requirements as these differ considerably from the GPDR requirements and are quite prescriptive. Again, a common approach is to supplement the general terms with a separate section addressing the CCPA requirements.
 

8. Enforcement. The GDPR is enforced by the national data protection authorities of EU Member States and fines can reach 4% of global annual turnover. Under Article 82, data subjects can also claim compensation from either the controller or processor for breaches that have caused material or non-material harm. By contrast, the U.S. state laws are generally enforced by state attorneys general and (in the case of the CCPA) the California Privacy Protection Agency. The fines under U.S. state laws range from $2,500 per violation (under the CCPA) to $20,000 per violation (under the CPA). So far, there has been limited public enforcement of the CCPA (the Sephora case involves the only major fine) but this may change with the establishment of the California Privacy Protection Agency. Apart from public enforcement, the CCPA is the only U.S. state law that provides a right of action for consumers to seek statutory damages but this is limited to data breaches involving non-encrypted and non-redacted personal information (which is defined more narrowly under a separate California data breach notification law).

 
Remember! The enforcement practices and risks are different under the GDPR and U.S. state privacy laws. There is also uncertainty as to how the new requirements will be enforced. Under the CCPA, the California Privacy Protection Agency may (but is not required) to offer a cure period for companies to address violations while the other U.S. state laws include a mandatory cure period before enforcement action can be taken.
 
Final comments
 
This article compares and contracts the GDPR against the U.S. state privacy laws taking effect in 2023. We have also prepared a table outlining the key requirements under the CCPA and other U.S. state laws, available here: Comparison of US State Laws vs GDPR. While the article and accompanying table highlight some of the main similarities and differences between the GDPR and U.S. state laws, there are many others. Companies should review and consider the requirements under U.S state laws (and their implementing regulations) carefully and continue to monitor rule making and policy developments.
 
With many thanks to Paul Lanois and Pardeep Dhanoya for their help in preparing the table.