Skip to content
Schedule a Call
Call Now

Comparing data protection regulations across the US in the foresight of a GDPR-inspired federal law

Article by Tsaaro

7 min read

When the world is realising that there are no ‘boundaries’ on the internet in the age of metaverse, and an international framework for personal data protection across borders is the need of the hour, a country lacking in a consistent law to protect its citizen’s data is already several steps behind. 

In a digital era, where not only the collection of personal informationfor a range of services has seen a tremendous rise, but also where work from home has now become the norm- the issue of Data Privacy concerns is gaining centre stage for all the right reasons. Data Privacy continues to be see increasing rise of data protection regulations, i.e. China’s PIPL, California’s CCPA 2.0, Virginia (VCDPA), GDPR.

GDPR has become a benchmark for national level privacy frameworks globally. Recently, UAE also enacted a federal level data protection law largely mirroring the GDPR.

However, United States which is a country home to the biggest tech giants and Silicon Valley, the biggest tech hub, does not have a federal law for security of personal information.  In a recent live conference, Sundar Pichai (CEO of Alphabet) put forward a point for a federal privacy law in the U.S., similar to European Union’s GDPR.  Political pressure created by states through draconian data protection legislations by individual states could actually turn this into a reality. However, the concept of a national law for data protection for U.S. has been highly debated.

This Article aims to briefly introduce the current scenario of data protection framework in U.S. and the possibility of a unified federal law for data protection in the United States of America.

Current scenario regarding Data Privacy in the US

Patchwork of regulations

When we talk about data security legislations in the United States, we are not talking about a single legislation but instead sector-specific statutes enacted on the Federal and State level. These vertically focused legislations are:

Health Insurance Portability and Accountability Act (HIPAA): This act is designed to protect individuals’ personal health information. 

Children’s Online Privacy Protection Act (COPPA): This law protects  the collection of personal information of children under 13 years of age by regulating websites or online services.

Gramm-Leach-Blilye Act (GLBA): This protects the consumers’ sensitive financial information by regulating sharing of data by financial corporations.

Family Educational Rights and Privacy Act (FERPA): This law protects student records by regulating US Department of Education funded schools. 

Fair Credit Reporting Act (FCRA):  This act protects a consumer’s credit information by regulating companies such as credit bureaus.

These regulations successfully target and protect data of specific consumer categories; however, they are not comprehensive. While the federal laws help protect data in industry-specific situations, the internet remains a deregulated territory for privacy. 

However, the Federal Trade Commission (FTC) plays a major role in prohibiting “unfair or deceptive acts or practices” by companies. 

Comparative study of US state-wise privacy regulations

In the absence of a nation-wide privacy plan, various states have taken steps to fill the vacuum by creating their own framework for protection of data security rights. 

The most comprehensive state legislations are- The Colorado Privacy Act (CPA) enacted in 2021, California Privacy Rights Act (CPRA) enacted in Californa Consumer Privacy Act (CCPA) enacted in and Virginia Consumer Data Protection Act (VCDPA). However, while all 50 states have managed to formed frameworks for data breach notification, only California (CCPA), Nevada (SB-220) and Maine(LD-964) have privacy laws working in effect at the moment. 

While the foundation of these frameworks are on a similar pattern, they do come with variations in definitions and terminology used leading to a set of 50 different standardshttp://blogs.luc.edu/compliance/?p=3142 to comply with. 

For example, while CPA and VCDPA mirror the protections provided under the EU’s GDPR and have borrowed their terms and definitions from it such as “controller” and “processor” whereas CCPA has based their definitions on a business/service provider model. Further, the definiton of what constitutes as “sensitive information” also varies among states. For example, Email contents, Financial information and Social security numbers are not considered under the definition of sensitive data by VCDPA and CPA, but is part of CCPA

Private right of action refers to when an individual can enforce their rights. While CPA or VCDPA do not provide for private right of action, such a right has been made available under CCPA in the event of breach of “personal information”. While this right is limited under CCPA, The New York Privacy Act and the Massaccussets Data Privacy law have made the law even tighter by providing a private right of action for any violation of the law. The New York Act goes one step ahead from the CCPA and includes a “Right to correct”, closer to the spirit of EU GDPR.

Where in one place The New York Act has increased the weight of the law, North Dakota represents the most lightweight bill for a privacy legislation. This bill does not provide the foundational data protection rights such as right to withdraw consent and have data deleted to the individuals. Hence, all of these present standards prove to be inconsistent in implementation which puts individuals at risk of misuse of their personal information in states with lighter data privacy regulations

This patchwork model leads to inconsistency in regulation and has been criticised for making the compliance costlier and time consuming for businesses, especially smaller businesses who do not have adequate resources to match the standards required which leads to hefty penalties levied as in the case of Illionois’ BIPA (Biometric Information Privacy Act) which has been in headlines due to a splurge of class action lawsuits.

Data protection regulation help protect personal information of individuals from getting into unauthorised hands, further, a federal law helps avoid excessive compliance burden on businesses. Multiple legislations in different states makes it cumbersome to comply with the standards and is more costly and time consuming for the entities.

Federal Privacy Law Proposals

There are a number of bills floating in the parliament for federal privacy law. Apart from a nation-wide data protectionl aw proposal, many of these bills also dealth with specific privacy issues like AI, facial recognition and biometric data. 

The most prominent of the bills, which would serve as the point of further negotiations could be:

 

Consumer Online Privacy Rights Act (COPRA) which looks on strict restrictions on advertisement practicises on digital platforms. This bill aims to establish a requirement of consent from consumers for processing of sensitive data for behavioral targeting. democratic

SAFE (Setting an American Framework to Ensure Data Access, Transparency and Accountability Act) which embodies the spirit of various other federal legislations and helps provide consumers with rights such as rights to access, delete, correct data etc,

The question is despite bipartisan support, why is a federal law still not in works? 

Both of these proposed bills have some important points of key differences between them when it comes down to enforcement- which act as an obstacle to an agreement. Preemption of laws is a point of debate when it comes to a national privacy law. Whenever a conflict between a state law and a federal law arises in the US, the federal law is considered to be the supreme law and displaces the state law. COPRA does not provide for preemption of state/ local laws, while SAFE would. 

Another obstacle comes in form of private right to action. While COPRA provides for the right for individuals to enforce their privacy rights, SAFE provides this power only in the hands of State Attorneys General. 

Further, urgent tech policy issues might call for attention of the parliament, such as big tech antitrust, Communications Decency Act etc, which may further delay the movement on a federal law for privacy.

Conclusion

GDPR acts as an adequate foundation for federal privacy laws in US. The current legal framework of US regarding privacy laws resembles a mixed salad of federal and state laws which adds to a lot of complexity for businesses as well as individuals.A consistent policy is the need of the hour for the data security landscape in the US. 

In order to create a safer ecosystem where the consumers have protection against their information being misused it is imperative that a federal law comes into place, which is only possible when such a carveout is made during negotiations of the proposals that they could overcome current obstacles. The biggest obstacle against a national privacy law in US is the issue of enforcement, once that has been Further, such a unified federal law need to address issues pertaining to use of Artificial Intelligence (AI), Machine learning, Facial recognition and other advanced technologies as well. 

 

This article was written by Ishita Khemaria. 

Sources:

Sarah Perez, Alphabet CEO Sundar Pichai calls for federal tech regulation…, TechCrunch (Oct 19,2021), https://techcrunch.com/2021/10/18/alphabet-ceo-sundar-pichai-calls-for-federal-tech-regulation-investments-in-cybersecurity/

Lydia Bayley, The Patchwork Paradox: Data Privacy Regulation and the Complications of Compliance, Loyola Universiy Chichago School of Law (Sep 1, 2020), http://blogs.luc.edu/compliance/?p=3142

Sheila A. Millar, The State of the State Privacy Laws: A comparison,The National Law Review (Dec 1 2021) https://www.natlawreview.com/article/state-state-privacy-laws-comparison

Andy Green, Complete Guide to the Privacy Laws in the US, Varonis (Apr 2,2021) https://www.varonis.com/blog/us-privacy-laws#comparison

Kate Kaye, Cheat Sheet: What to expect in state and federal privacy regulation in 2021,Digiday (Feb 1, 2021) https://digiday.com/media/cheatsheet-what-to-expect-in-state-and-federal-privacy-regulation-in-2021/

Thorin Klowsowki, The State of Consumer Data Privacy Laws in the US (and why it matters), NY times (Sep 6, 2021)  https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/



1,127 thoughts on “Comparing data protection regulations across the US in the foresight of a GDPR-inspired federal law”

  1. Leilat

    Fantastic perspective! The points you made are thought-provoking. For more information, I found this resource useful: FIND OUT MORE. What do others think about this?

  2. smorter giremal

    Thank you for some other informative web site. Where else could I get that type of info written in such a perfect manner? I have a mission that I’m just now working on, and I’ve been at the look out for such info.

  217. osteklenie_zuSl

    Остекление балконов по выгодной цене в Петербурге, предложим оптимальный вариант.
    Профессиональное остекление балконов в Петербурге, по доступным ценам и с гарантией качества.
    Индивидуальное остекление балконов в СПб, под заказ и с уникальным дизайном.
    Быстрое остекление для балконов в Санкт-Петербурге, с гарантией и сертификатом.
    Экономичное остекление для балконов в Санкт-Петербурге, по лучшей цене и быстрой установкой.
    лоджии остекление цены https://balkon-spb-1.ru/ .

  218. юань в тенге

    1 юань в тенге рубли в тенге .

    Сайт помогает отслеживать курсы валют и быстро конвертировать суммы. Актуальные котировки для тенге, рублей, долларов США и юаней доступны круглосуточно и бесплатно.

  219. natyazhnye_rmKa

    Лучшие натяжные потолки в СПб|Скидки на натяжные потолки в СПб|Опытные мастера по натяжным потолкам в Санкт-Петербурге|Широкий выбор натяжных потолков в СПб|Советы по выбору натяжных потолков в Петербурге|Уют и комфорт с натяжными потолками в СПб|Интерьерные решения с натяжными потолками в Петербурге|Натяжные потолки в СПб: лучший выбор для вашего дома|Только проверенные потолки в Петербурге у нас|Технологичные решения для натяжных потолков в Санкт-Петербурге|Легко и быстро: установка натяжных потолков в СПб|Совершенство с натяжными потолками в Санкт-Петербурге|Инновации и креативность в сфере натяжных потолков в Санкт-Петербурге|Лучшие цены на натяжные потолки в СПб|Дизайнерские потолки в Петербурге: натяжные|Экспертный подход к натяжным потолкам в Петербурге|Красота и функциональность: натяжные потолки в СПб|Точное соответствие вашим потребностям: натяжные потолки в Петербурге|Персональные решения для вас: натяжные потолки в Петербурге|Бонусы использования натяжных потолков в Санкт-Петербурге|Натяжные потолки в СПб: современные технологии и материалы|Эксклюзивные услуги по монтажу натяжных потолков в Петербурге|Тенденции в дизайне потолков: натяжные потолки в СПб|Компр
    натяжные потолки санкт петербург https://potolki-spb-1.ru/ .

  369. gbxonxewr

    Some analysts think that it’s a mistake though to punish the entire crypto industry because of the problems at FTX. The near-collapse of FTX, one of the largest cryptocurrency exchanges, has prompted questions of contagion. The departures come amid $BNB’s price struggles following the slight market correction of September 1. $BNB was trading at $221.98 on August 30. However, it fell by 4.6% to $211.59 on September 1. Binance CEO’s calls for calm highlight the growing concerns around the executive departures. Creating new rules for the crypto industry would be wrong, she said. “That would legitimise the idea that crypto, somehow, is unique, and can’t be expected to meet the same standards as mainstream financial assets,” Allen told Al Jazeera. “That’s a dangerous message to send.”
    https://www.hoaxbuster.com/redacteur/benstertilen1976
    Coinbase is a real-time case study of what happens to a crypto company when the price of bitcoin and tokens fall, analysts say. Coinbase’s future hinges on prices growing stronger, as do the futures of other major crypto platforms like FTX and Kraken, analysts said.  If you typed a URL into your browser, it might be worth checking and trying again. Many, or all, of the products featured on this page are from our advertising partners who compensate us when you take certain actions on our website or click to take an action on their website. However, this does not influence our evaluations. Our opinions are our own. Here is a list of our partners and here’s how we make money. Note that analyst predictions can be wrong. Forecasts shouldn’t be used as substitutes for your own research. Always conduct your own diligence and remember that your decision to trade or invest in high-risk crypto currencies should depend on your risk tolerance, expertise in the market, portfolio size and goals. 

  712. برنامه تک بت

    A formidable share, I simply given this onto a colleague who was doing a bit of analysis on this. And he in fact bought me breakfast because I discovered it for him.. smile. So let me reword that: Thnx for the treat! However yeah Thnkx for spending the time to discuss this, I feel strongly about it and love reading extra on this topic. If potential, as you grow to be expertise, would you thoughts updating your weblog with extra particulars? It’s extremely helpful for me. Massive thumb up for this blog put up!

  722. مگاپاری ثبت نام

    The other day, while I was at work, my sister stole my iphone and tested to see if it can survive a thirty foot drop, just so she can be a youtube sensation. My iPad is now broken and she has 83 views. I know this is completely off topic but I had to share it with someone!

  908. Legal Process Service

    Hey! I know this is kinda off topic nevertheless I’d figured I’d ask. Would you be interested in exchanging links or maybe guest writing a blog article or vice-versa? My blog addresses a lot of the same topics as yours and I feel we could greatly benefit from each other. If you might be interested feel free to send me an email. I look forward to hearing from you! Awesome blog by the way!

  925. Louisiana Eviction Notices

    Hi, just required you to know I he added your site to my Google bookmarks due to your layout. But seriously, I believe your internet site has 1 in the freshest theme I??ve came across. It extremely helps make reading your blog significantly easier.

  1109. buenos aires tour

    I don’t even know how I ended up here, but I thought this post was good. I do not know who you are but certainly you are going to a famous blogger if you are not already 😉 Cheers!

Leave a Reply

Your email address will not be published. Required fields are marked *

Eu Ai act
First Rules of the EU AI Act Come into Effect: What Does it Mean?
Harmeet Singh

First Rules of the EU AI Act Come into Effect: What Does it Mean?

The evolving digital landscape in the 21st century have placed a challenge for governments and organizations as they attempt to …

March 7, 2025
Digital Personal Data Protection (DPDP) Act
Exemptions Under the Digital Personal Data Protection (DPDP) Act, 2023  
Harmeet Singh

Exemptions Under the Digital Personal Data Protection (DPDP) Act, 2023  

Introduction  The Digital Personal Data Protection (DPDP) Act, 2023, and the Digital Personal Data Protection Rules, 2025 establish a comprehensive …

February 27, 2025
cybersecurity,
WHAT DRIVES CYBERSECURITY: A COMPREHENSIVE OVERVIEW 
Harmeet Singh

WHAT DRIVES CYBERSECURITY: A COMPREHENSIVE OVERVIEW 

In today’s interconnected world, cybersecurity plays a crucial role in protecting our digital lives. From protecting personal data to safeguarding …

February 21, 2025
Transfer Impact Assessments
Understand Transfer Impact Assessments: Insights from CNIL’s Practical Guide 
Harmeet Singh

Understand Transfer Impact Assessments: Insights from CNIL’s Practical Guide 

Introduction  A Transfer Impact Assessment (TIA) is a critical evaluation conducted under the General Data Protection Regulation (GDPR) to assess …

February 20, 2025
Draft DPDP Rules
The DPDP Act, 2023 and the Draft DPDP Rules, 2025: What Do They Mean for India’s AI Start-Ups?
Harmeet Singh

The DPDP Act, 2023 and the Draft DPDP Rules, 2025: What Do They Mean for India’s AI Start-Ups?

Introduction The Digital Personal Data Protection Act (DPDPA), 2023 and the Draft DPDP Rules, 2025 have ushered in a new …

February 12, 2025
Recent Comments

SHARE THIS POST

Would you like to read regular updates from Tsaaro.
Subscribe to our newsletter

Our Latest Blogs

Read what the latest hapennings in the cyber world are and learn what the
experts have to say about them

© 2024 Tsaaro Consulting. All rights reserved.
Linkedin Instagram Youtube

About Tsaaro

Resources

Other Links

Tsaaro Netherlands Office

Regus Schiphol Rijk Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands

Tsaaro Pune Office

Tech Centre, Rajiv Gandhi Infotech Park, Hinjewadi, Pune, Maharashtra

Tsaaro Noida Office

302, Tower C, ATS Bouquet, Noida Sector – 132, Uttar Pradesh, India

Tsaaro Bengaluru Office I

Manyata, Embassy Business Park, Outer Ring Road, Bengaluru, Karnataka

Tsaaro Bengaluru Office II

Second State, CMH Road, Indiranagar, Bengaluru, Karnataka

Call Our Experts:

+91 95577 22103

small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png

We’d love to help your organization achieve your Data Protection goals!

Schedule a complimentary consultation with our Team of Experts.