How to Comply with U.S. Laws?
Several states within the United States have recently enacted laws regulating the processing of personal data.
Personal data processing in the United States is primarily governed by the following texts:
- California: California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- Colorado: Privacy Act
- Connecticut: Personal Data Privacy and Online Monitoring Act
- Delaware: Personal Data Privacy Act
- Indiana: Consumer Data Protection Act
- Iowa: Consumer Data Protection Act
- Montana: Consumer Data Privacy Act
- Oregon: Consumer Privacy Act
- Tennessee: Information Protection Act
- Texas: Data Privacy and Security Act
- Utah: Consumer Privacy Act
- Virginia: Consumer Data Protection Act
All information found on this page is for informational purposes and is limited to the scopes covered by our solutions.
The Main Obligations Arising from U.S. Laws
The laws mentioned above take effect on different dates, depending on the state concerned. However, most of them introduce new obligations to comply with:
Respecting the rights of the data subjects
Data subjects have numerous rights, including the right to access, the right to erasure, the right to object to profiling and targeted advertising, and the right not to be subject to automated decision-making.
Companies must be able to respond to these requests within legal deadlines.
Conducting a risk assessment related to personal data protection
A privacy factors assessment analyzes the risks and safeguards governing a specific processing activity that is considered particularly sensitive because of the types or amount of data processed or the processing methods used.
Age Limitation for Consenting to Data Processing
U.S. laws have also defined the minimum age below which companies must obtain the consent of legal guardians before processing personal data concerning minors, which can be considered sensitive data.
This age is generally set at 13 years.
Transparency Obligations and Consent to Targeted Advertising
Under these new laws, companies must ensure they have obtained free, specific, informed, and unambiguous consent, especially, in some cases, for processing carried out for targeted advertising purposes.
They must also provide data subjects with clear and accessible information about the characteristics of the personal data processing implemented, including the categories of personal data processed and the purposes of processing, the rights available to data subjects and how to exercise them, the categories of data recipients, or the existence of any sale of their personal data.
The Impact on Key Marketing Processes
What is now prohibited in terms of consent collection
Passive opt-out: refers to having to unsubscribe after being automatically enrolled when registering for a service.
Passive opt-in: involves pre-selecting boxes such as “I wish to receive advertising solicitations” or a drop-down menu that defaults to yes.
What is Allowed and Required under U.S. State Legislations
Opt-in: to obtain legally valid express consent, it is necessary to make a clear and specific request, informing the people concerned of the processing for which consent is provided.
A means of objection: present in every communication that can be likened to targeted advertising.
Storing proof of consent: you must be able to trace the consent obtained from each data subject.
How Eulerian Supports You
Your clients' information belongs to them
We ensure that internet users have the right, and therefore the ability, to object at any time to the processing of their personal data by Eulerian Technologies.
We provide an unsubscribe link, available in our interface, so that you can then publish it on your website. If you need assistance with this type of action, our Account Management teams are available.
Organize your data
Minimize your “useless” or “expired” data by deleting what you no longer need.
One impact of the new laws is that companies need to adopt a new data philosophy, rationalizing their data collection and processing. We therefore recommend not keeping inactive or unsubscribed contacts: this is data you will no longer use, and it poses a risk in the event of a security incident.