Streamlining Global Privacy Compliance: A Principles-First Approach

February 24, 2025

The number of US states that have enacted either comprehensive privacy laws or specific sectoral laws covering consumer health data continues to grow. Faced with more than 20 inconsistent sets of US states’ requirements, as well as international privacy laws, it is easy to see why organisations may be overwhelmed with international privacy compliance.

The good news is that, while the letter of these laws may differ, the spirit running through them is often the same. Designing a program around the fundamental data privacy principles underpinning these laws can simplify compliance, no matter which states — or countries — are concerned. 

Below, we highlight the key parallels between U.S. state privacy laws and GDPR while also noting important differences. 

By understanding these connections, organizations can see how efforts to comply with one set of regulations often contribute to broader compliance across multiple jurisdictions.

  1. Notice/transparency requirements

A foundational proposition of both US and European privacy laws is that the individual should have control over their data and its uses wherever possible. On both sides of the Atlantic, organisations have a duty of transparency and so must provide an appropriate privacy notice detailing how they collect, process, and share personal data.

If your privacy notice is already US compliant, then it should satisfy many of the requirements under EU/UK GDPR, and vice versa. You may simply need to supplement a general privacy notice with a separate section for any new jurisdictions concerned.

  2. Purpose specification (and avoiding illegitimate secondary use)

A corollary of transparency is purpose specification, which means clearly explaining the use of personal data and not using it in other, illegitimate ways. While secondary processing is often allowable if compatible with the original purpose, you will otherwise require consent, or for the data to be de-identified/anonymised (for example, through privacy-preserving data linkage techniques).

There are subtleties to observe around tacit or active consent to secondary processing. For instance, if you are processing sensitive personal information for purposes that go beyond the core permitted purposes, Colorado and Connecticut adopt an opt-in model similar to the GDPR, while California and Utah have an opt-out model.

  3. Data minimisation

GDPR enshrines that data should be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.” Likewise, the majority of US state privacy laws limit the processing of personal data to what is "adequate, relevant, and reasonably necessary" to achieve the purposes disclosed to the individual.

If US state requirements for data minimisation are met, then it is likely that those for GDPR will be too. In fact, compliance with Washington’s My Health My Data Act, which limits the processing of consumer health data to what is "reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer," can be said to represent substantive, expectation-based necessity standards that go beyond GDPR.

  4. Special care around sensitive data and preventing discrimination

The language of “sensitive” versus “special category” may differ, but both US state and European privacy laws encode additional protections for data that could lead to unlawful discrimination (or particular distress) if misused. US state laws add various other categories on top of GDPR, such as precise geolocation, government identifiers, certain types of account information, and the content of communications. 

There are significant definitional differences across the US when it comes to sensitive information, particularly in what is deemed to be consumer health data. The requirements for the collection and use of sensitive information also vary state to state. Once the compliance groundwork for US-compliant use of sensitive information has been laid, GDPR’s narrower categories and focus on two applicable lawful bases may seem somewhat easier in comparison.

  5. Duty of care in processing personal data

Accountability is the overarching data privacy principle in both the US and Europe. At heart, this means that organisations must recognise their duty of care when processing personal data and implement appropriate safeguards to protect it both technically and organisationally. Many frameworks for information security and organisational resilience are widely accepted worldwide, allowing organisations to leverage their efforts across different jurisdictions.

To prevent rapid obsolescence, both US and European privacy laws tend to require appropriate “technical and organisational measures” to protect personal data, rather than being prescriptive as to what these might be. Since pseudonymization and encryption are widely recognized as prime examples, Datavant’s customers can more easily show they are using recommended protective measures.

A principles-based approach can simplify and streamline global compliance. 

With an eye toward the five principles noted above, organizations can build a strong, scalable compliance framework that adapts to evolving regulations across jurisdictions. Rather than reacting to each new law in isolation, a principles-based approach enables efficiency, reduces complexity, and ensures a future-proof foundation for data privacy.

Datavant solutions are designed around these core privacy principles, providing an efficient pathway for organizations to expand their data use cases internationally. When jurisdiction-specific nuances arise, our consultative expertise and deep regulatory knowledge help organizations seamlessly navigate compliance at both state and global levels.

By prioritizing standardization and efficiency while accounting for regional differences, we empower our customers to manage compliance with confidence—no matter where they operate.
