The ins and outs of USA privacy legislation
Finding your way through the federal and state legislative system can be tricky for site owners. We’ll break down who makes the laws, how they’re enforced, and who’s affected.
2024 is a huge year for new privacy legislation in the United States. There’s going to be a lot of new laws that will be enacted this year, but how do you know which ones will be affecting your audience?
To make sure you’re protecting your users’ data and complying with the new privacy laws, let’s take a look at which laws affect which users, and how they’ll be enforced over the next year.
Federal vs. state
Unlike countries that only have one legislative body creating and enforcing laws, the United States has both federal and state entities that work in tandem when putting forward new legislation. The federal legislation will cover the entire country (unless the state has set up particular parameters to counteract the federal law, more on that in the next paragraph) and state legislation will only cover the state’s residents.
For example, the California Privacy Rights Act (CPRA) only affects residents of California. We discussed this in a blog last year about the American Data Privacy and Protection Act (ADPPA). Typically, if a state law is more protective than a federal law, the state law will supersede the federal rule. But the inverse can be possible as well, with state laws that disallow or limit federal power being deferred to.
As a site owner, a way to ensure you’re covered across any possible privacy legislation is to utilize a consent management platform, or CMP. User consent for things like cookies or stored data can all be managed through the CMP, so you can be sure you’re complying with any new legislation.
Who enforces what?
Federal legislation is enforced across the entire United States and subsequent territories, while state legislation is enforced by state departments. This means that privacy legislation in Nevada won’t be enforced by officials in Colorado or Iowa, it’ll be enforced by Nevada agencies.
There’s a lot of thumbs in a lot of pies in the United States, so there’s oftentimes overlap between federal and state agencies, and state enforcement can sometimes employ federal backup for serious offenses. These could be class action lawsuits that make it up to the Supreme Court, the ruling of which can become new legislation.
How does it affect my site?
If you have any users from the United States, your site is subject to following the US privacy legislation, even if you’re not based in the United States. If you’re complying with GDPR standards to serve your European users, you’re in good standing with the existing United States privacy legislation. As there’s not yet been an all-encompassing and robust privacy or data law put into effect federally, you just need to make sure you’re covered under state legislation.
A good rule of thumb is to follow California’s legislation. California is typically the first state to legislate and enact laws yet to be adopted across the United States, so by ensuring you comply with the CPRA, you’ll be set up should the ADPPA come into legislation.
We use Sourcepoint as the CMP for our partner sites, and recommend their blog and resources for up-to-date content on United States privacy legislation. Want to join the Collective? Apply here.