And so it continues. Last month, Virginia passed its own privacy law, the Virginia Consumer Data Protection Act (VCDPA), adding fuel to the fire over a US federal privacy law, and introducing new complexities for businesses operating in or addressing the US market.
It will take effect on January 1, 2023 (the same day as California’s CPRA which amends the current CCPA) and was passed in record-breaking time: less than two months, and by an overwhelming majority.
Such was its speed and simplicity that many other state bills are actively mimicking some of its propositions, including Colorado, Connecticut and Minnesota.
Theoretically, this active copycatting will limit the ongoing differences between state laws, but this of course remains to be seen.
So what are the similarities and the differences that you need to be aware of?
It’s best we focus only on what has actually been passed: CCPA (and where necessary, CPRA), GDPR and of course now Virginia’s VCDPA.
The next likely additions will be New York State, though it is some way off, or Washington State, though it seems engulfed in controversy and a lack of big tech backing due to fears of open floodgates for class action lawsuits. But much may change in their provisions between now and their implementation.
Observations
In short, CCPA, VDCPA & GDPR all overlap, but in different ways.
Any two of the three have substantial differences. But taken as a group, the areas of overlap – both philosophical and practical – are increasing.
For instance, more and more core rights and requirements are reappearing:
- Universal rights:
- Right to Access;
- Right to Rectification;
- Right to Deletion;
- Right to Data Portability;
- Right to Object to Data Processing;
- Privacy Notices explaining what PII is collected, what is done with it & why
- Appropriate Security Measures
- Concept of Special Category data – although definitions vary
- Controller / Processor concepts (if not the exact same name) and requirements for binding contracts between them
But it is the differences that create confusion and difficulty.
What does this tell us?
Businesses have to date focused mainly or even solely on GDPR adherence, even if their activities bring them into the scope of CCPA, VCDPA or even other international laws.
As can be seen, this is not altogether a bad thing – the overlaps in the core principles and the nuances of the differences mean that:
A. Focusing on GDPR means the core universal rights and basic measures and requirements of most other legal frameworks will be addressed.
B. By pursuing solid, continuous and genuine GDPR adherence, there is tangible evidence of consumers’ rights being considered and respected, which goes a long way with authorities when the nuanced differences of other frameworks are not fully met.
However, there is still substantial risk with not appreciating local responsibilities. Local regulators exist to protect their own consumers and their own local rights, so while “honest efforts” will likely be an excuse in the early days, leniency will not be everlasting.
Businesses must start taking an intelligent approach to their liabilities, building a global privacy program that identifies the common ground across all relevant frameworks, and also introduces variations in data handling processes, internal and external policies and even company-wide strategy as soon as borders are crossed in any way.
It may be a lot to ask, but the benefits of the granular visibility of data workflows and interactions that this program requires can be significant, including brand trust, filled security gaps and even process efficiency
And until the fabled federal law arrives – which it must surely do – it is utterly necessary. After all, more states are coming with their own laws that while sharing plenty of similarity, will inevitably bring more individuality: Florida, Colorado, New York, Connecticut, Washington, Oklahoma, Ohio and Minnesota.
For more commentary on the future of data privacy, take a look at the Periodic Table of Data Privacy: an industry-renowned project that seeks to keep privacy professionals and business leaders up to date and informed on the practical application of data privacy
Periodic Table of Data Privacy The Data Privacy Periodic Table is an industry-renowned, easily digestible view of how the privacy world fits together Download
Back