Become compliant with US data protection laws

One response we hear a lot from US customers is that they don’t actually process any personal information and therefore data protection & privacy laws don’t apply to them. It is important to note here that website and app operators are responsible for the data that is processed on their website or in their app by third parties. Therefore, the data protection laws apply to companies if they meet one of the following conditions:

• If data is processed for your own purposes, for example via tracking tools such as Google Analytics, Matomo, Hotjar or similar
• Sharing data with third parties is also a processing step. Data is shared, for example, by integrating a third-party plugin into the website or app. This applies to YouTube videos, Facebook plugins, Google Maps, chat programs or payment providers such as PayPal
• Whenever advertising is integrated into the website or app, data is automatically transmitted to the advertiser. The transmission is understood as a step in data processing.

While states vary a bit as to when consent to data processing must be given, virtually all data protection laws require an opt-out. In the case of CCPA/CPRA, this must be implemented explicitly by means of a link that says “Do not sell or share my personal information”.

In order to transparently signal the opt-in or opt-out within the website or app to all integrated tools, plugins and advertising vendors, the so-called GPP Standard was developed by the IAB. IAB GPP stands for Global Privacy Platform and defines various methods and APIs how a CMP (Consent Management Provider, also known as “Cookie Banner” or “Privacy Notice”) can use and communicate consent/opt-in or rejection/opt-out can. The standard is largely based on the IAB TCF standard, which has been used in Europe very successfully for years now and has become a “must-have” for publishers and advertisers. The consentmanager team was significantly involved in the development of the GPP standard, so it is not surprising that consentmanager is the first provider to offer the productive use of IAB GPP.

More info on the background of IAB GPP you can find in our blog post.

Important: Most data protection laws also require that websites and apps can work with “browser signals”. One of these signals is the GPC or “Global Privacy Control” required in California. Luckily with consentmanager, websites and apps don’t have to worry about this topic: The consentmanager solution automatically reacts to browser signals and implements the opt-out automatically.

Companies that are based in the United States, do business or provide services there, or otherwise deal with US citizens are likely to be subject to one of a variety of privacy laws. Unlike in many other countries, data protection laws in the USA are regulated at state level – until there is a national data protection law. Companies should therefore check whether or which federal laws apply to them. The following privacy laws may apply:

CCPA / CPRA – California

CCPA stands for California Consumer Privacy Act and was enacted in 2019. It applies especially in California or in relation to California residents. The “update” to CCPA is CPRA or California Privacy Rights Act. Under the CPRA, some regulations are specified and tightened.

VCDPA – Virginia

VCDPA stands for Virginia Consumer Data Protection Act and applies to companies doing business in the state of Virginia or serving residents of that state. VCDPA will be effective from January 1st, 2023 – i.e. since that date it must be implemented by companies at the latest.

CPA – Colorado

CPA or Colorado Privacy Act is the privacy law of the state of Colorado. Like Virginia’s VCDPA, this law is effective as of January 1, 2023 and must be implemented by companies located in Colorado or processing data from residents of the state.

UCPA – Utah

The data protection law for the state of Utah in the western United States is called the UCPA or Utah Consumer Privacy Act. Unlike the two laws we mentioned before, UCPA will not come into effect until December 31, 2023. This law also affects all companies that process a certain amount of data (here 100,000 per year) from the citizens of the state.

CAPDP – Connecticut

CAPDP (sometimes called CTPDP) stands for Connecticut Act Concerning Personal Data Privacy is the federal data protection law in the state of Connecticut. The law will go into effect on July 1, 2023 and will affect companies located in, doing business in, or processing information about citizens of the state of Connecticut.

US National Privacy

In addition to the above laws, various other states have their own laws in the works – some of which are expected as early as 2023. In addition, there are different approaches to country-level privacy regulations that apply across the United States.