While the U.S. government remains unable to enact comprehensive privacy legislation in response to new technologies and growing privacy concerns, numerous states across the country, including New York, have adopted privacy laws and regulations that seek to address specific issues or that apply to specified entities. Some of these new rules affect a broad swath of businesses. Notably, the California Consumer Privacy Act (CCPA), which will take effect on January 1, governs companies that possess personal data of California residents, regardless of where the businesses are located or how the goods or services are provided.

Perhaps no privacy law, however, has yet had the impact of the General Data Protection Regulation (GDPR), which was enacted by the European Union (EU) and which took effect almost one-and-one-half years ago, on May 25, 2018. The GDPR addresses everything from the processing of individuals’ personal data to when and how informed consent must be obtained from the data subject to the security processes and practices that businesses must undertake to protect that data. The GDPR’s requirements have affected websites and businesses based in Europe, as well as vast numbers of entities headquartered in the United States whose business practices, nevertheless, are considered by the European Data Protection Board to place them within the scope of the GDPR. (For further background, see, e.g., Shari Claire Lewis, “New Guidance Helps Determine GDPR’s Application to New York Businesses,” NYLJ (Dec. 18, 2018).)