By Tyler Rauert
In the first blog post in our data privacy series, we reviewed what unites the various data privacy regimes businesses are likely to encounter. Now, let’s identify the most important differences among them.
The first and most obvious is that the developed world’s two largest economies, the U.S. and European Union, have different perspectives on data privacy. In the EU, the General Data Protection Regulation (GDPR) is a formidable shield for the rights of individuals. While the Member States retain the ability to make changes on the margins, in general the GDPR provides a consistent, comprehensive framework across Europe emphasizing consent and transparency. If your business is exposed to the European market, the GDPR will likely be the bedrock of your data privacy compliance program.
In contrast, the United States lacks a single, comprehensive data privacy law. Instead, the U.S. is a fragmented landscape with an assortment of state-level regulations. Colorado, California, Virginia, Connecticut and Utah have all passed their own comprehensive data privacy laws. In addition, businesses contend with an added layer of sector-specific rules such as the Health Insurance Portability and Accountability Act (HIPAA) in healthcare, the Gramm-Leach-Bliley Act (GLBA) in finance, and the Children’s Online Privacy Protection Act (COPPA).
The prospects for a national privacy law in the U.S. seem vanishingly slim. Hence, the burden is on businesses to proactively establish a robust data privacy program that meets the various privacy requirements across the country. Such programs can usefully be built on the comprehensive data privacy laws that have already taken effect in other states. In part 3 of our blog series, we will highlight Colorado’s new law and how it will affect your data privacy compliance program.