Key Data Privacy Considerations for Companies Expanding into the United States


Key Takeaways: The rise of international investment, coupled with an increasingly complicated regulatory framework at the federal and state levels in the United States, has increased privacy compliance challenges for businesses. Companies should be aware of ongoing legal developments with respect to data privacy and security in the United States, including shifting regulatory trends, variable industry standards, appropriate data transfer mechanisms, and more.

As foreign direct investment continues to increase in the U.S.,[1] including through greenfield development initiatives whereby international companies establish new operations in the U.S.,[2] it is important for companies to account for variances in the regulatory, operational, and consumer environments in the U.S. as compared to international jurisdictions. These evaluations necessarily must consider the different data privacy and security postures of the U.S. and foreign countries. This article will examine critical considerations for companies expanding their operations into the U.S.

Understanding the Legislative Philosophy and Regulatory Trends

The U.S. initially adopted a sectoral approach to data privacy and security regulation, where federal laws are crafted by specific type of industry (such as the Fair Credit Reporting Act, applicable to credit reporting agencies), by practice (such as Section 5 of the Federal Trade Commission Act, prohibiting unfair and deceptive acts or practices), or by category (such as the Children’s Online Privacy Protection Act, enacted with the goal of protecting a specific class of individuals: children under 13). California was the first state to pass a comprehensive state data privacy law, with the enactment of the California Consumer Privacy Act (“CCPA”) in 2020. Following the CCPA, 19 more states have passed data privacy laws, and additional states are likely to follow. Some states have also demonstrated a focus on the appropriate handling of sensitive information such as biometric data and genetic data, as exhibited by Illinois’ Biometric Information Privacy Act and Nebraska’s Genetic Information Privacy Act. At the federal level, there have been continual, although thus far unsuccessful, efforts to enact comprehensive privacy legislation, as demonstrated by the proposed American Privacy Rights Act of 2024.

The resulting landscape is a patchwork of state and federal laws addressing data privacy and security to different degrees and with different enforcement mechanisms. As such, there are independent regulatory trends at both the federal level and the state level. Because of these legislative and regulatory differences, it is recommended that companies expanding to the U.S. understand the full scope of their operations and review their compliance obligations accordingly.

Industry- and Practice-Specific Standards

The U.S. has a number of industry-specific laws and standards to which companies expanding to the U.S. may be subject, such as the Payment Card Industry Data Security Standard (“PCI-DSS”), which contains a set of guidelines that companies accepting, storing, or processing electronic payments must follow. Companies often must still certify and adhere to certain compliance obligations under PCI-DSS even if they outsource all payment card processing to third-party payment processors.

Additionally, the marketing laws in the U.S. contrast sharply with those of many other foreign jurisdictions. Importantly, under the Controlling the Assault of Non-Solicited Pornography And Marketing Act (“CAN-SPAM”), companies may rely on an opt-out consent structure for direct marketing email campaigns, meaning that companies may send promotional emails until a recipient requests not to receive such communications, provided that the emails satisfy the statute’s marketing disclosure requirements. In other jurisdictions, businesses often must comply with opt-in or double opt-in consent requirements, such that they must obtain clear, express permission from recipients prior to sending marketing emails, subject to some exceptions.

Mechanisms For Data Transfers

For companies with operations in the United Kingdom (“UK”) or European Union (“EU”), a business may choose to employ the Standard Contractual Clauses (“SCCs”) or register under the EU-U.S. Data Privacy Framework (“DPF”) in order to ensure that the transfer of personal data to the U.S. is consistent with General Data Protection Regulation (“GDPR”) requirements. In addition, multinational organizations may rely on Binding Corporate Rules (“BCRs”) to govern their internal data transfers.

The SCCs are model clauses incorporated into contractual arrangements to govern transfers of personal data from the EU or UK to the United States. These clauses have been pre-approved by EU and UK courts as adequate under GDPR for governing cross-border data transfers.

Companies may also register under the Data Privacy Framework, a self-certification program that permits companies to transfer personal data collected in the EU, UK, or Switzerland to the United States. The DPF provides a mechanism for companies subject to the jurisdiction of the Federal Trade Commission (“FTC”) or United States Department of Transportation to demonstrate, through a certification process to the United States Department of Commerce, that their data privacy and security practices in the United States are adequate and consistent with GDPR requirements for data transfers. If a company registers, its U.S. affiliate must complete the certification. Importantly, the DPF applies only to personal data collected from EU, UK, or Swiss residents and subsequently transferred to the United States—it does not apply to personal data collection, use, and storage practices relating to U.S. residents. Applicable state or federal statutes govern data collection and use practices solely concerning U.S. residents, depending on the scope and nature of the processing.

Although the SCCs and DPF can be used to ensure the adequacy of both internal and external data transfers, multinational organizations may choose to implement BCRs solely to govern international data transfers within their group companies. BCRs are similar to an internal code of conduct and serve as legally binding and enforceable rules governing internal transfers of personal data in accordance with GDPR requirements. BCRs can be adjusted to fit the needs of the business and provide more flexibility than other GDPR transfer mechanisms. However, the implementation of BCRs within a multinational organization may take more initial time and investment, as BCRs must be reviewed by a supervisory authority and approved by the European Data Protection Board.

Top Privacy Considerations

The following are key data privacy considerations for international companies to be aware of when planning for an expansion into the United States:

a. Review and update privacy policies

Companies should review and revise their privacy policies to accurately reflect the scope and purpose of the personal data processing they will coordinate within the United States. The FTC has previously brought Section 5 enforcement actions against companies whose personal data collection practices exceeded the scope of their privacy policy disclosures or consumer consent, as demonstrated in the FTC’s 2024 settlement with InMarket Media.[3] In that case, the FTC alleged that InMarket failed to properly inform consumers of the sensitive information that it collected (including the locations of healthcare provider offices, religious organizations, homeless and domestic violence shelters, and more) and that such information would be combined with other data about users for targeted advertising purposes. As part of the settlement agreement, InMarket is prohibited from selling or sharing precise location information and agreed to disgorge the sensitive data it had previously collected.

b. Establish procedures for consumers to exercise their rights

Additionally, companies should ensure that they have adequate systems in place for consumers to exercise their applicable statutory rights, assuming that expanding companies are subject to at least one of the aforementioned state consumer privacy statutes. In particular, companies should engage legal counsel to determine whether and to what extent they are subject to various state privacy laws, as different states offer different rights to consumers and impose distinct compliance obligations on businesses.

c. Update contracts to assess third-party data security obligations

Inconsistent and vague contract language in agreements governing the relationships between companies and their partners may increase the risk of miscommunication regarding each party’s rights and responsibilities related to the handling of personal information. Companies should assess their data transfers to third parties, including vendors and subcontractors, and update contracts as necessary to include provisions addressing each party’s personal data collection, use, security, and storage obligations. Moreover, businesses should conduct an internal review of their existing data privacy and security policies to ensure the procedures and provisions therein are accurate and adequate in the context of the company’s expanded operations.

Conclusion

The landscape of data privacy and security law is continuously evolving, with the legislative and regulatory scheme of the U.S. expected to continue developing in the wake of a wave of state privacy laws proposed and enacted as well as a new federal administration preparing to take the reins in 2025. Koley Jessen will continue to stay updated on these developments and issue guidance as necessary. If you have questions on the implications of your company’s expansion to the United States or general privacy concerns, please reach out to one of the specialists in our Data Privacy and Security Practice Area for more information.


[1] United States Department of Commerce, Foreign Direct Investment in the United States (Oct. 1, 2024), https://www.commerce.gov/data-and-reports/reports/2024/10/foreign-direct-investment-united-states.

[2] Id.

[3] See InMarket Media, LLC (May 1, 2024), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc.

This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.
