The entry into force of the General Data Protection Regulation (GDPR) in the European Union in 2018 raised concerns about the protection of personal data in the United States of America, especially after the European Court ruled that the Privacy Shield would no longer be accepted as a guarantee for the transfer of personal data of European citizens to the US.
The EU-US Privacy Shield went into effect on August 1, 2016, after the European Commission issued its formal decision that the Privacy Shield provides adequate protection for the transfer of personal data to the United States, in lieu of Safe Harbor. It mandated stricter obligations on US companies to protect Europeans' personal data and required more robust monitoring from the US, as well as further cooperation with European data protection authorities. It included written commitments and guarantees regarding access to data by public authorities. The US Department of Commerce oversaw certification, and if the company to which the data was intended to be transferred was not certified, Privacy Shield protections did not apply.
The European Court concluded that some US laws, such as the National Security Act, had priority over the Privacy Shield, which therefore would not be sufficient to guarantee the protection of European citizens' data.
Since then, some North American states have begun to move towards regulating the protection of personal data. The most famous of these regulations is the California Consumer Privacy Act (CCPA), which entered into force on July 1, 2020, and therefore even before the Brazilian General Data Protection Act (LGPD).
Below are the US states which have personal data protection acts, as of October 2022:
In addition to the above states, Ohio, Pennsylvania, Michigan, and New Jersey have bills related to privacy and protection of personal data pending in their respective courts.
With the exception of the regulations in force in the states of Nevada and Maine, which are more thorough, all the others end up prohibiting the commercialization of individuals' personal data without their prior consent. Unlike the GDPR or the LGPD, they do not create legal bases to support the processing of personal data.