Privacy laws in the USA

Privacy laws in the USA

After Kentucky, Maryland has now adopted a privacy legislation. Meanwhile, at Federal scale, the American Privacy Rights Act is on progress.

It includes provisions as : the right for a person to access, control and possibly request cancellation of personal data hold by an entity customers are granted opt-out rights for the transfer of non-sensitive covered data and for the use of personal information for targeted advertising.

The bill prevents covered entities from collecting, processing, retaining or transferring data beyond what is “necessary, proportionate, or limited” for the entity to provide or maintain a product or service. Covered entities are prohibited from transferring covered sensitive data to a third party without an individual’s express consent or, if allowed by a stated permitted purpose, including protecting data security and complying with legal obligations, among others.

As such, the project seems to be rather similar to the European GDPR, with perhaps the difference that GDPR seems to be stricter and defines tough fines in case of violation. However, the discussion in the USA is still on, with hearings now scheduled in the coming weeks, while some stakeholders apparently being reluctant. So, let’s wait and see !

Another point is that the legislation concerns personal data, which is already a big step forward (for instance, it could probably become possible for a person to sue a company having used its Instagram photos to train an AI system, without the explicit consent of the photos’ owner), but does not prevent an entity to illicitly use non-personal data belonging to another one (which is the basis of the business model of many US platforms !)