Page 89 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018

themselves “am I liable and governed by the legislation in the EU?” For many, the answer is yes.  More
            specifically, any website that offers goods or services to EU natural persons is subject to the GDPR.  The
            discussion has further prompted organizations to question whether or not they are governed by similar
            laws in the United States.


            Since the introduction of the CCPA, several senators have proposed policy options for national legislation
            on data security and privacy.  Proposed bills have had a GDPR-like flavor that is similar in scope to the
            international regulation.  If the U.S. were to adopt similar regulatory standards, business processes and
            products that handle personal data would need to be built to include data protection by design and default.

            Regardless of business size, the magnitude of data collected, shared or mismanaged is all the more
            concerning given the sensitivity of the private information that everyday people entrust these
            organizations to protect. As the conversation around regulation increases, there has been much talk
            about what a national privacy law might look like, and furthermore how state regulations would affect
            organizations doing business across the U.S.

            At the forefront of privacy-law-related issues are very visible and widely used big technology companies.
            These big technology players have demonstrated some interest in getting ahead of possible regulation
            by drafting and proposing regulatory standards themselves, possibly because there is a monetary
            desire for these bills to be aligned with their terms, rather than abiding by laws voted in by
            citizens of the United States.

            Big data companies such as Facebook, Google, and Twitter have all been part of these discussions, and
            various reports have been released stating the companies are “in favor” of such legislation. This push
            has left some lawmakers feeling uneasy, considering these companies are likely seeking to be involved
            in legislation to sway technicalities in their favor.

            In conclusion, states will likely continue to pave the way for privacy regulations. Until formal national
            legislation is adopted, and voters see these initiatives on their ballots, states will continue to implement
            their own forms of data protection. Problems will continue to arise for businesses as states implement
            their own laws that non-regulated states must abide by. A national privacy law could make this transition
            easier for U.S. business owners, as one uniform standard can be applied to all.



            About CompliancePoint:

            CompliancePoint is a leading provider of information security and risk management services focused on
            privacy, data security, compliance and vendor risk management. The company’s mission is to help clients
            interact responsibly with their customers and the marketplace. CompliancePoint provides a full suite of
            services across the entire life cycle of risk management using a FIND, FIX & MANAGE approach.
            CompliancePoint can help organizations prepare for critical needs such as GDPR with project initiation
            and buy-in, strategic consulting, data inventory and mapping, readiness assessments, PIMS & ISMS
            framework design and implementation, and ongoing program management and monitoring. The
            company’s history of dealing with both privacy and data security, inside knowledge of regulatory actions
            and combination of services and technology solutions make CompliancePoint uniquely qualified to help
            our clients achieve both a secure and compliant framework.




