Happy 6th Anniversary, GDPR!

Steven A. Ahillen




As a business owner, you’ve heard a lot about the European Union’s General Data Protection Regulation (GDPR). April 16, 2022, marks the six-year anniversary of its enactment. It has become a model for data privacy laws around the globe.

GDPR applies to any entity anywhere that processes personal data of individuals located in the European Economic Area (EEA). Non-European companies, including those in the U.S., must also comply with its stringent requirements.

By contrast, the U.S. has no national data privacy statute. Data privacy in the U.S. is governed by a patchwork of federal statutes and regulations (e.g., HIPAA) and state laws (e.g., the California Consumer Privacy Act). Additionally, every state has its own data breach notification law. The result is that when a business with customers in the U.S. experiences a data breach, it has to determine its obligations in multiple jurisdictions. An online retailer has to identify its obligations under the myriad laws of all 50 states plus Washington, D.C., Guam, Puerto Rico, and the Virgin Islands.

Different states’ data breach notification laws contain similar features, but there are numerous variations. Common requirements include notifications to affected individuals, state attorney general offices, and credit reporting agencies. However, the timing, content, and method of these notifications vary from state to state. Some states, including Missouri, require notice to affected individuals “as expeditiously as possible.” Other states set a hard deadline, such as Alabama’s 45-day rule. Indiana allows businesses to notify their customers via email; Illinois does not (without prior customer consent). North Carolina requires notice to the Attorney General’s Office if a breach affects even one person, but Arizona only requires notification if at least 1,000 Arizonans are affected.

Even the definitions of “personally identifiable information” and “breach” are not universal. To make things more difficult, states frequently update their statutes. In 2021 alone, at least 22 states introduced or considered measures to amend existing security breach laws.
