Heroes of Data Privacy Conference
Odia Kagan spoke about three myths EU companies have about US Privacy laws at the Heroes of Data Privacy Conference.
Myth 1:
I don't have physical presence in the US so the laws don't apply to me.
Busted:
- Like the GDPR, the CCPA, CPRA, Virginia CDPA, Colorado CPA and soon the Utah UCPA follow the data processing, not the company's location, and apply to non-US companies.
- When you click through the standard adtech agreements you are making representations, including EU-law representations such as "valid consent", that are subject to, and may be adjudicated under, US law.
Myth 2:
The US doesn't care about cookies and has no comprehensive privacy law.
Busted:
- The California AG has said, and has already enforced, that cookie compliance matters in the context of Do Not Sell; the CCPA prohibits dark patterns in Do Not Sell opt-outs, and the CPPA will be enforcing adherence to the Global Privacy Control (GPC) browser-based opt-out signal.
- The US has no federal comprehensive privacy law, true, but it does have:
- CA comprehensive privacy law in effect;
- Three comprehensive privacy laws coming into effect in 2023;
- 30+ State privacy bills filed in 2022 alone;
- Biometric privacy laws such as Illinois BIPA and Texas CUBI being enforced, even against the technology developers;
- COPPA, with seven-figure fines for cookie compliance on websites, and an endorsement from the President of a children's privacy law; and
- Of course, 50+ state data breach laws that are continuously enforced, including through class action lawsuits.
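The Global Privacy Control point above has a concrete engineering side: the GPC specification sends the request header `Sec-GPC: 1` (and exposes `navigator.globalPrivacyControl` in the browser), and a site that honours it publishes `/.well-known/gpc.json`. The following is an added example, not code from the talk or from the page, showing how a server decides whether a request may be treated as a "sale" or "sharing" once the signal is taken into account. The consent-cookie format, the function names and the decision record are assumptions for illustration.

```javascript
"use strict";

// Added example (not from the talk or the page): honouring the Global Privacy
// Control signal as a "Do Not Sell or Share" opt-out on the server side.
// The GPC spec defines the request header "Sec-GPC: 1"; any other value, or
// no header at all, means no signal. The consent-cookie format and the
// helper names below are assumptions for illustration.

// Return true only when the client sent a valid GPC signal. Header names are
// matched case-insensitively because frameworks and proxies normalise them
// differently; only the exact value "1" counts as the signal being on.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      const v = Array.isArray(value) ? value[0] : value;
      return String(v).trim() === "1";
    }
  }
  return false;
}

// Parse a hypothetical consent cookie of the form "sale=yes;analytics=no"
// into { sale: true, analytics: false }. Unknown or malformed parts are ignored.
function parseConsentCookie(cookieValue) {
  const prefs = {};
  for (const part of String(cookieValue || "").split(";")) {
    const [k, v] = part.split("=").map((s) => (s || "").trim());
    if (k) prefs[k] = v === "yes";
  }
  return prefs;
}

// Decide whether this request may be used for "sale"/"sharing" (for example
// loading third-party ad-tech tags). GPC is an opt-out request and overrides
// an earlier opt-in stored in the cookie; persistOptOut tells the caller to
// record the opt-out against the user's profile so it survives beyond this
// request. The CCPA model is opt-out, so with no signal and no recorded
// choice the sale is permitted (opt-in for consumers under 16 is out of
// scope here). The reason string is meant to be logged for an audit trail.
function decideSaleSharing(headers, consentCookie) {
  const prefs = parseConsentCookie(consentCookie);
  if (hasGpcSignal(headers)) {
    return { allowSale: false, reason: "gpc-opt-out", persistOptOut: true };
  }
  if (prefs.sale === false) {
    return { allowSale: false, reason: "cookie-opt-out", persistOptOut: false };
  }
  if (prefs.sale === true) {
    return { allowSale: true, reason: "cookie-opt-in", persistOptOut: false };
  }
  return { allowSale: true, reason: "no-choice-on-file", persistOptOut: false };
}

// Body for the /.well-known/gpc.json resource defined by the GPC spec,
// announcing that the site honours the signal. lastUpdate is a YYYY-MM-DD date.
function gpcWellKnown(now = new Date()) {
  return { gpc: true, lastUpdate: now.toISOString().slice(0, 10) };
}

// Constructed sample requests (not real traffic) to show the decisions.
const samples = [
  { headers: { "sec-gpc": "1" }, cookie: "sale=yes;analytics=yes" }, // GPC wins
  { headers: {}, cookie: "sale=no" },                                // cookie opt-out
  { headers: { "Sec-GPC": "0" }, cookie: "" },                       // no signal, no choice
];
for (const s of samples) {
  console.log(JSON.stringify(decideSaleSharing(s.headers, s.cookie)));
}
console.log(JSON.stringify(gpcWellKnown()));
```

The important design choice is that the signal overrides a stored opt-in rather than the other way round: a consent cookie set months ago must not silence a browser setting the user has since turned on, and the returned `reason` lets the decision be logged for the kind of audit a regulator or a processing agreement may ask for.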
Myth 3:
OK but I did GDPR so I should be fine, right?
Busted:
- You still need to work out what counts as a "sale" (and, under CPRA, "sharing") and how you offer "Do Not Sell".
- Loyalty programs may be a "financial incentive" that triggers additional notice requirements and analysis.
- "I'll have a DPIA with that": the US laws carry a longer list of processing activities that require a data protection assessment.
- CPRA privacy notices require additional content (the categories of personal information collected, and what was sold or shared in the last 12 months).
- US data processing agreements (DPAs) require additional terms (the processor's level of compliance, the treatment of de-identified information, audit rights).
- There are specific requirements for de-identified data (contractual, policy and technical).