The California Consumer Privacy Act, the GDPR and the Future of US Privacy Law: Time to Worry Yet?

The GDPR brought major changes to the data industry, as stricter rules around notice, consent, contracting and consumer data rights were rolled out across Europe. These new rules were confusing and sometimes burdensome to marketers, online platforms, content and data providers alike. Prevailing trade winds have brought similar privacy laws and proposed bills to the United States – the first of which being the California Consumer Privacy Act, which imposes new obligations of disclosure, data deletion, and data access on a wide variety of online and offline companies. At the same time, Vermont has enacted the Vermont Data Broker Regulation in 2018, which requires “data brokers” to register with the state.

As more states consider passing a patchwork of similar privacy laws, Congress considers preemptive legislation – and self-regulatory groups like the DAA and NAI update their own rules – it is becoming harder for data-dependent companies to set a…