GDPR: A Year in Review: Part 1

It’s been one year since the GDPR (General Data Protection Regulation) was implemented. We wanted to see what other regulations have passed since then as a result. What seedlings have sprouted?


To start, New York’s SHIELD (Stop Hacks and Improve Electronic Data Security) Act works to expand the definition of PII. That is something that a lot of us in this industry have wanted to see for a long time. Their definition has been expanded to include things like biometrics, account ID numbers, usernames, and even email addresses. Additionally, the SHIELD Act, despite its silly name, imposes regulations on how companies must handle this sensitive data – how must it be stored? What happens if there’s a data breach? One interesting nuance we found is that only the attorney general may take up violations and data removal requests – not the individual, as the GDPR allows.

California’s Consumer Privacy Act (CCPA) was one of the first new laws out the door after GDPR was implemented. It allows individuals to talk directly with the company about their data and to request removal.

There are about a dozen copy-cat laws that have been passed since GDPR – some of them more noteworthy than others. We found this comprehensive list (last updated 7/31/2019) that shows a good comparison of these new state laws: https://iapp.org/news/a/us-state-comprehensive-privacy-law-comparison/

Next time we’ll talk about the difficulty in passing individual state regulations instead of a comprehensive national law.

Martin Data © 2019