Is GDPR going stateside?

GDPR going stateside

The introduction of the General Data Protection Regulation – a.k.a. GDPR – was introduced in 2018. This new framework standardised and updated data protection law across the European market and most importantly gave consumers more say over how their data is handled, stored and shared.

However, considering how quickly data collection and analysis technologies are developing, this legislation wasn’t a one-size-fits-all solution. Subsequently, there are a few grey areas that left many organisations feeling confused – which is risky, considering the size of the potential fines.

Now, it seems that similar legislation with its own unique nuances will appear in the United States, adding a whole new layer of data privacy legislation for companies to navigate. Here, we discuss what American data privacy law is likely to bring going into 2020.

GDPR USA – What to expect

Although data privacy is a global issue, every region is developing its own distinct regulations. Although it’s likely there will be similarities between GDPR and American data privacy legislation, currently, there are no plans for a comprehensive, nation-wide GDPR USA. Instead – much to the dismay of many international companies – every state is drawing up its own plan. Currently, the two major ones businesses need to be aware of are California’s Consumer Privacy Act (CCPA) and the SHIELD Act.


California’s Consumer Privacy Act, or CCPA, came into force as of 1 January 2020. The legislation has similarities with GDPR, however, there are important differences. For instance, under GDPR users must opt-in to third-party data sharing whereas, under CCPA, they need to opt-out. This means companies will have to have customised terms and conditions forms for Californian users. That said, the good news is that CCPA isn’t as far-reaching as GDPR. If your company turnover is less than $25 million and you don’t handle the data of more than 50,000 then the rules don’t apply.


In July 2019 New York State passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD), which will come into effect on 21 March 2020. Similarly to GDPR, this law is designed to standardise data privacy requirements. However, this is where it can get confusing; the wording of the legislation is suitably vague, with statements such as “data security should be appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” To add to the bill’s cryptic nature, if companies are already in compliance with historic data protection laws like HIPAA and the GLBA, they may already be compliant.

Get globally data compliant

Legislation like GDPR has global implications. With so many different laws emerging all over the world, it’s critically important that companies with international operations seek advice on data compliance and certification. Just look at some of the fines that have been dished out under GDPR – and legislation like CCPA empowers American states to enforce even heftier fines. Cyber Smart are the experts in cybersecurity compliance, and with IASME’s GDPR Readiness certification we can help your business ensure full GDPR compliance and the proper processes and policies are in place. Wherever your business operates, contact us to ensure you’re fully compliant.

Data privay toolbox