GDPR vs US privacy compliance

So you're GDPR compliant? In the words of Shania Twain: that don't impress me much. If you are a GDPR company in the US market, here is a non-exhaustive list of things you still need to think about: 

1. Did you remember to pack your Art 5 data minimization for your trip? 

Personal data can't travel to the US but GDPR Art 5 data minimization and purpose limitation are coming to a US State Privacy law near you (CPRA, CPA, UCPA, CTDPA, VCDPA) so mind your consumer expectations and secondary uses in the US too!

2. Did you amend your privacy notices? 

Amend your primary notice to add some things like categories, verification methods, additional rights; you need notices at collection and notices of financial incentive.

3. Did you address the do not sell / share?

Analyze all your disclosures and get a compliant cookie management platform that recognizes Global Privacy Controls (GPC) and soon Universal Opt Out Methods (UOOM).

‍4. Did you address the online trackers? 

Map out all the trackers that you use and why with special attention to video tracking (VPPA) and session replay. The Federal Trade Commission is enforcing this and there are a lot of class action lawsuits. 

5. Did you figure out your biometrics? 

Illinois BIPA enforcement is on the rise with 9 digit court awards and of state copycat laws. The FTC is also coming after your biometrics for false or misleading disclosures and unreliable AI. 

6. Are you on top of your health data? 

In the wake of Dobbs, the FTC is also coming after your sensitive data as are the lawsuits under the new Washington State “My Health My Data” law. US privacy law’s definition of sensitive information is > Art 9 personal data and you need an opt out or opt in and a DPIA. 

7. Have you buttoned up your use of children's information? 

The FTC is coming after COPPA violations with high fines and other remedies and the Age Appropriate Design Code is coming to California with strict design requirements and enforcement. 

8. Have you thought about your DPIAs? 

You may need to beef up the content of your EU DPIA for Colorado but you will definitely need to do DPIAs where none were required under GDPR. 

‍9. Have you revised your third party data sharing agreements? 

Even an Art 28 DPA isn't exactly enough for CPRA but if you have controller to controller sharing, you should definitely get your data sharing agreements up to par.

‍10. Did you remember that in California (and NY) employees are people too? 

Employee DSARs are here as are AI audits (NY AEDT) and EEOC of AI discrimination.

‍

Editor's note: It was such a pleasure hosting Odia for a masterclass on "Becoming US privacy compliant" in May 2023. To receive the masterclass replay, email us at community@openli.com and don’t forget to follow Odia on Linkedin and on Twitter for a regular dose of privacy wisdom.