Happy 6th Anniversary, GDPR!

Corporate Law Practice Group

By Corporate Law Practice Group

gdprAs a business owner, you’ve heard a lot about the European Union’s General Data Protection Regulation (GDPR). April 16, 2022, marks the six year anniversary of its enactment. It has become a model for data privacy laws around the globe.

GDPR applies to any entity anywhere that processes personal data of individuals located in the European Economic Area (EEA). Non-European companies, including those in the U.S., must also comply with its stringent requirements.

By contrast, the U.S. has no national data privacy statute. Data privacy in the U.S. is governed by a patchwork of federal statutes and regulations (e.g.,  HIPAA) and state laws (e.g., the California Consumer Privacy Act). Additionally, every state has its own data breach notification law. The result is that when a business with customers in the U.S. experiences a data breach, it has to determine its obligations in multiple jurisdictions. An online retailer has to identify its obligations under the myriad laws of all 50 states plus Washington, D.C., Guam, Puerto Rico, and the Virgin Islands.

Different states’ data breach notifications laws contain similar features, but there are numerous variations. Common requirements include notifications to affected individuals, state attorney general offices, and credit reporting agencies. However, the timing, content, and method of these notifications varies from state to state. Some states, including Missouri, require notice to affected individuals “as expeditiously as possible.” Other states set a hard deadline, such as Alabama’s 45-day rule. Indiana allows business to notify their customers via email; Illinois does not (without prior customer consent). North Carolina requires notice to the Attorney General’s Office if a breach affects even one person, but Arizona only requires notification if at least 1,000 Arizonans are affected.

Even the definitions of “personally identifiable information” and “breach” are not universal. To make things more difficult, states frequently update their statutes. In 2021 alone, at least 22 states introduced or considered measures to amend existing security breach laws.

Every year, new bills are introduced to Congress to establish a universal federal data breach notification requirement. None has become law. In July 2021, Senator Mark Warner (VA) introduced a bill requiring notification of a data breach to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours with daily penalties for late reporting, but it remains in the committee. Senator Gary Peters (MI) and Senator Rob Portman (OH) proposed a bi-partisan bill requiring reporting to the CISA within 72 hours without fines for violators. It received a favorable report from the Committee on Homeland Security and Governmental Affairs in October 2021, but there has been no action since.

Despite its obvious human toll, the COVID-19 pandemic was rocket fuel for e-commerce. Consumers around the globe made more purchases via the internet than ever before. Online purchasing habits are here to stay. Now, more than ever, there is a strong incentive for bringing greater uniformity to U.S. data breach laws. All businesses, big and small, will want to keep an eye on this developing area of law.

Published in the April 2022 St. Louis Small Business Monthly.

(c) SB_photos/Shutterstock.com

Comments are closed.

Skip to content