Coming To America—Data Privacy Regulations!

Introduction

People, no matter where they live, want their data protected. So, the European Union (EU) acted with landmark legislation.

The European Union’s General Data Protection Regulation (GDPR), which took effect on May 25, 2018, was a wake-up call to the world. To make sure it stuck, the EU gave it teeth: fines of up to €20 million or 4% of a company’s worldwide annual turnover, whichever is higher. BIG TEETH!

It was only a matter of time before privacy advocates started making their case for similar laws in the United States.

The EU-U.S. Privacy Shield Struck Down

An agreement between the EU and the U.S., called the Privacy Shield, gave U.S. companies that self-certified under it a legal basis for receiving personal data from Europe.

But the Privacy Shield was struck down by the Court of Justice of the European Union on July 16, 2020, in the case known as Schrems II. The court found that U.S. surveillance law did not give EU residents protection essentially equivalent to the GDPR’s, and gave them no effective way to seek redress.

Attitudes on Data Privacy Are Changing

Many people in the U.S. accepted online tracking as a fact of life. But a changing political climate, driven by a run of high-profile cases, has brought data privacy to the forefront.

Here are a few recent examples of data privacy mayhem in America:

  • Police departments use commercial tools that pull location data harvested from free apps to track cellphone users.
  • Ireland’s Data Protection Commission fined Meta €405 million in September 2022 over Instagram business accounts that exposed minors’ contact details.
  • An FCC inquiry into the major mobile carriers found no consistent standards for how long they keep customers’ location data or how they protect it.
  • California, with its strict privacy laws, has many investigations for non-compliance under way.

Lack of Federal Law Prompts States To Act

Unlike Europe, the United States has no comprehensive federal law governing data privacy. There are sector-specific laws (HIPAA for health data, GLBA for financial data, COPPA for children’s data), but general consumer privacy is currently left to the individual states.

Some states had cybersecurity regulations on the books, but they were weak. The current climate has changed that. States are enacting stricter privacy laws, and many are contemplating far-reaching legislation.

In 2023 alone, comprehensive privacy laws take effect in five states:

  1. California (California Privacy Rights Act amendments to the CCPA, January 1)
  2. Virginia (Consumer Data Protection Act, January 1)
  3. Colorado (Colorado Privacy Act, July 1)
  4. Connecticut (Data Privacy Act, July 1)
  5. Utah (Consumer Privacy Act, December 31)

California already had a strict privacy law, the California Consumer Privacy Act (CCPA), in force since 2020. The California Privacy Rights Act (CPRA), approved by voters in November 2020, amends and expands the CCPA rather than replacing it; most of its provisions took effect on January 1, 2023, and it created a dedicated regulator, the California Privacy Protection Agency. The amended CCPA is the most comprehensive privacy law in the United States.

The FTC As The Main Watchdog

The Federal Trade Commission (FTC) is the closest thing we have to Europe’s supervisory authorities, although it has no general privacy statute of its own to enforce; it acts under Section 5 of the FTC Act, which bars unfair or deceptive practices. In August 2022 the FTC opened a rulemaking on commercial surveillance and data security, and in September 2022 consumer advocates pressed it to craft data privacy rules for the United States.

The wheels of Government turn slowly, so we’ll have to watch for future developments. Meanwhile, individual states are taking action.

Jumping On The Bandwagon—New York State Eyes Stricter Privacy Regs

New York’s current cybersecurity/privacy legislation is the SHIELD Act, the “Stop Hacks and Improve Electronic Data Security Act,” signed in 2019. Its main points are:

  • A dramatically expanded definition of private information, which now includes biometric data, account or card numbers usable without a security code, and a username or email address combined with a password or security question answer.
  • Coverage of any person or business that owns or licenses computerized data containing a New York resident’s private information, regardless of where the business is located.
  • Scaled-down (not waived) requirements for small businesses, defined as those with:
    • Fewer than 50 employees, or
    • Less than $3 million in gross annual revenue in each of the last three fiscal years, or
    • Less than $5 million in year-end total assets.
    Small businesses still need safeguards reasonable for their size, complexity, and the sensitivity of the data they hold.
  • A redefinition of “breach” to include unauthorized access; data no longer has to be taken for a breach to occur.
  • A requirement to maintain reasonable administrative, technical, and physical safeguards for the private information in their care.

New York State is considering stricter regulations, the New York Privacy Act. The bill is currently before the New York Senate. If enacted, it will take effect two years after it becomes law. Stay tuned!

With California and New York leading the way, you can be sure that many other States will follow.

Get Ready Now

Don’t wait for your State to adopt stringent privacy regulations. Start preparing now. Here are a few general guidelines:

  1. Appoint someone in charge and ensure they have upper management’s backing. Don’t wait for the law to go into effect before acting.
  2. Review the proposed legislation for your home state and for every state where you need to comply. Get a sense of their main points.
  3. Inventory all personal information in your systems and create a data-flow map so you know what you need to protect and where the data lives.
  4. Perform a gap analysis: compare the proposed legislation to the controls you already have in place. Don’t reinvent the wheel.
  5. Review operational policies, procedures, and processes. Update those on the books, and create new ones where they are lacking.
  6. Institute a security awareness program. Train your employees on the new requirements as well as on security in general. Remember, most breaches start with a human element: phishing and other social engineering. Make sure your curriculum includes a solid simulated-phishing program.
  7. Continuously monitor your compliance.

There are other steps you can take as well as tools you can use to help you comply. Do your research, prepare, and act.

Conclusion

The lack of federal regulation prompted individual states to enact privacy laws of their own. The obvious issue is that America could end up with 50 different privacy laws! If you do business in other states, you’ll have a bundle of legislation to contend with. All the more reason for the FTC, or Congress, to act and create a single GDPR-like regulation for the nation.

Stay informed – stay safe.

XSolutions is an IT Services Provider serving New York (NY), New Jersey (NJ), and Connecticut (CT). We provide Managed IT Services | Managed IT Security | Backup & Disaster Recovery | Cloud Data Protection | Security Awareness Training. Call (845) 362-9675 for a free consultation.