While still a patchwork in the United States, citizen-inspired privacy laws enacted to counter rampant data generation and collection are advancing quickly, putting the onus on businesses, including retailers, to ready internal protocols and systems to ensure compliance.
So far, a dozen states have comprehensive data privacy laws on the books to address data protection and accompanying consumer rights, including laws in three states—Texas, Florida, and Oregon—that went live on July 1, 2024. Laws in several other states, notably California’s stringent California Consumer Privacy Act (CCPA), have been in effect since around 2020.
Legislation in other states is also being crafted and enacted and, in many instances, is waiting to take effect in the immediate future. In Maryland, the governor signed the Maryland Online Data Privacy Act (MODPA) into law in May 2024, though it is not set to take effect until Oct. 1, 2025, with some provisions being phased in during 2026.
The new privacy laws share provisions that give consumers the right to access data being collected about them and further afford them the ability to request changes, corrections, and deletions, among other actions. These laws prompt businesses to adjust budgets and procedures to ensure compliance.
Many of the new laws have their own distinct nuances and thresholds. The Texas Data Privacy and Security Act (TDPSA), for instance, applies to entities that meet specific conditions, targeting those conducting business in the state or that produce products or services used by its residents or those third-party entities that sell personal data. Further, some provisions of the Oregon Consumer Privacy Act (OCPA) apply to entities that collect personal data from at least 100,000 of the state’s residents or those that process personal data from at least 25,000 Oregon residents while realizing more than a quarter of their sales from personal data.
“It is quite a complex tapestry to manage,” said Simon Randall, CEO of Pimloc, a London-based security and privacy company that focuses on visual data protection and compliance. “If I am a retailer that owns 20-30 stores in a specific city and a specific state, it would be much easier for me to understand the privacy laws in that specific state. If I am a national retailer who has stores in all the US states, I am likely liable for different requirements in different states.”
Amid the hodgepodge of actions at the state level, the big unknown in the United States is pending bipartisan action in Congress to provide blanket protections nationally, Randall noted. However, wrangling among House and Senate lawmakers to balance the rights of consumers versus the needs of industry leaves efforts to achieve final legislation a work in progress.
Some sticking points in the congressional negotiations include whether citizens should be able to sue big tech companies for privacy violations and whether national legislation should override state laws. Another key question is whether small businesses should be exempt from regulations.
Randall noted that the US landscape regarding privacy laws is in stark contrast to the European Union (EU), where its General Data Protection Regulation (GDPR) took effect in May 2018. That unified law hardened protections of personal data of EU residents and applies to all EU businesses that process personal data, opening up the possibility of significant fines for non-compliance.
Many global companies, including global retail organizations, are adhering to GDPR as a means to ensure consistency across their operations, Randall said. “If I am a global retailer, then GDPR is global.”
The outcome of emerging US regulations impacting private companies will likely be in line with other privacy laws governing public protections, such as regulations under the Gramm-Leach-Bliley Act (GLBA), which require financial institutions to explain how they share information and protect sensitive data, and the Health Insurance Portability and Accountability Act (HIPAA), which mandates securing identifiable health information.
“US federal policies have been around a long time that protect these areas and data sets,” Randall said.
What is inescapable in the privacy area, according to Randall, is that so much more data is being captured, processed, and stored these days through the use of highly sophisticated and emerging technology tools buttressed by artificial intelligence methodologies that make data more accessible and searchable.
Randall calls personalized data being collected today through tools that include body-worn cameras, dash cameras, drones, and biometrics “live stream” data.
“It’s dense, it’s descriptive, it’s objective, and it’s always on. It’s a very natural and objective reflection of people’s lives. The challenge becomes who has access to it and what their intentions are. The potential for misuse and abuse becomes very easy,” he said.
The push for new laws protecting privacy globally emanates largely from citizen concerns, extending even to worries about being subject to video intrusions when walking on the street past a store or building. One tool Randall’s company offers allows organizations to “anonymize” data being collected while also extracting analytics information without compromising personal privacy.
“Society is generally now more aware of the risks. It is now very easy to take someone’s audio data and biometric data and create fake videos or fake audio. General citizens are just getting a lot more aware of footage that is now being captured,” he said.