Still no comprehensive federal privacy law (or state privacy law in New York)
January 3, 2022
For overseas companies used to operating under a comprehensive framework such as GDPR or PIPA (South Korea’s Personal Information Privacy Act), data processing agreements are second nature. When assisting companies entering the U.S. market, we are often asked to advise on any data processing/handing agreements of that may be required for U.S customer’s data. Many are surprised by the answer - that there is no overreaching GDPR type law in the U.S. Instead, there’s a patchwork of federal laws that relate to certain types of information (health information, student information etc.), and state laws that seek to emulate GDPR, but apply unevenly. Leading the way is the California Consumer Privacy Act and somewhat similar laws enacted in Virginia and Colorado. Oklahoma, Connecticut and New Hampshire seem to be the closest to enacting their own rules. As for New York? It’s complicated.
For a few years now, a comprehensive privacy law has been on the horizon - an initial iteration of the New York Privacy Act was introduced first during the 2019-2020 legislative session but never emerged from committee. During the 2020-2021 legislative session, a bill did make it out of committee and seemed poised to be voted on by the state senate, but due to time constraints and competing priorities it stalled. There’s been little activity since and governor Hochul has been silent on the issue, making no mention of it in her recent “State of the State” address which is the usual forum for governors to lay out legislative priorities.
So where does this leave overseas companies entering the U.S. market? Assuming they aren’t processing information governed by federal legislation, a state-by-state assessment is needed to determine the extent to which they’re covered by the CCPA, Colorado Privacy Act (effective July 2023), Virginia Consumer Data Privacy Act (effective January 2021), and to be on the lookout for further state rules. Not an optimal situation unfortunately but the inevitable result of congressional inaction.
