In today’s age of rapidly increasing data collection, data privacy laws are becoming more prevalent than ever. The EU’s General Data Protection Regulation (GDPR) is considered the worldwide benchmark of data privacy law. While many countries have followed similar regulations, the United States does not have a GDPR equivalent.
Instead of national standards and regulations, individual states pass their own privacy laws. According to the National Conference of State Legislatures, “At least 25 states and Puerto Rico introduced or considered almost 140 consumer privacy bills in 2023.” With so many state-specific mandates expected to be adopted, US-based organizations are becoming more challenged to share data across state borders.
US Data Privacy Regulations
In 2018, California enacted the first state-level data privacy law, the California Consumer Privacy Act (CCPA).
Like GDPR, it granted California citizens many rights, including the right to:
- Know what personal information a company collects about them and how it is used
- Delete personal information collected about them
- Opt out of the sale and/or sharing of their personal information
California has since updated the CCPA with the California Privacy Rights Act (CPRA), which added:
- The right to correct inaccurate personal information an organization has about a person
- The right to limit the use and disclosure of personal information collected about someone
In addition to California, several other states have passed similar data protection laws:
- Maryland – Maryland Personal Information Protection Act (PIPA)
- Massachusetts – The Massachusetts Standards
- Virginia – Virginia Consumer Data Protection Act (VCDPA)
- Colorado – Colorado Privacy Act (CPA)
- Connecticut – Connecticut Data Privacy Act (CTDPA)
- Utah – Utah Consumer Privacy Act (UCPA) [as of December 1, 2023]
- Iowa – Senate File 262 [as of January 1, 2025]
- Indiana – Senate Enrolled Act No. 5 [as of January 1, 2026]
The U.S. has various industry-specific data regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the National Automated Clearing House Association (Nacha) rules. In March 2023, the Nacha rules were updated to mandate that originators of Micro-Entries use commercially reasonable fraud detection, including monitoring Micro-Entry forward and return volumes.
The Trans-Atlantic Data Privacy Framework (TADPF)
Some things are changing. In 2023, the US and the European Commission agreed upon a Trans-Atlantic Data Privacy Framework. This framework is intended to govern trans-Atlantic data flows and to address the inadequacy concerns raised by the Court of Justice of the European Union (CJEU) when it struck down the EU-US Privacy Shield Act in 2020.
This framework provides high standards regarding personal data protection and opens cross-border data flows among dozens of markets in the US and Europe, “enabling the $7.1 trillion U.S.-EU economic relationship.”
With the Trans-Atlantic Data Privacy Framework, businesses can de-risk with resilience to regulatory changes and capitalize on market opportunities with speed.
The Absence of Active National Standards Creates Challenges
Navigating data collection, sharing, and storage compliance standards state-by-state without national standards is becoming increasingly complex. The Internet Association’s President and Chief Executive, Michael Beckerman, believes, “Many of these laws are well-meaning, but their proliferation creates a real risk and a real cost.”
While the TADPF awaits implementation, businesses still need the right tools to meet increasingly high data protection standards.
To avoid fines and litigation for noncompliance, US organizations must stay informed and take action to stay ahead of legal requirements. Although this may sound like a daunting task, there is a solution available that can help your organization remain compliant while transferring data across state borders.
Protegrity Borderless Data™ Solution to US States’ Mandates
Protegrity’s Borderless Data™ Solution already helps protect companies operating across international borders, and it also protects organizations operating across US state borders. Protegrity centralizes policy, audit, logging, and monitoring to secure sensitive data. Decentralized policy enforcement lets businesses embed data protection for data in motion, at rest, and in use, while protecting specific data types with a full range of protection methods. Borderless Data™ is the best mechanism to embrace opportunities, overcome challenges, and become a successful future enterprise.
With the right data protection methods and regulatory compliance framework in place, businesses can realize increased revenue, reduced costs, and an improved customer experience.
Learn more about how the Protegrity Borderless Data™ Solution can help your US-based organization simplify compliance, reduce costs, and grow revenue.