Compliance Standards Library

US Data Privacy

  • Updated

US Data Privacy (USDP) is a compliance framework exclusive to Vanta. It unifies controls and requirements from various US state laws such as CCPA, CPRA, UCPA, CTDPA, CPA, and VCDPA to provide a comprehensive solution for organizations to manage personally identifiable information (PII) in compliance with all of the various US state-level privacy regulations. Vanta’s US Data Privacy framework is aligned with the Fair Information Practice Principles (FIPPs), a privacy framework initially created by a US Federal Government advisory committee in the 1970s. For decades, the FIPPs have informed US law and internal agreements concerning the appropriate management of personal information. Monitoring for US Data Privacy allows your organization to have the assurance that your practices adhere to specific state requirements while also addressing current and upcoming state and federal regulations to which your organization may be subject.

Who should be USDP compliant? 

Any organization that handles an individual's private information in the United States. However, unlike GDPR, which applies to any business providing goods and services in the EU, US state laws typically scope out small businesses from the requirements. Each state scopes the exemptions a bit differently. On the one hand, the Virginia Consumer Data Protection Act (VCDPA) only applies to businesses that process PII for at least 100,000 consumers annually or at least 25,000 consumers if they generate at least 50% of their gross revenue from the sale of PII. On the other hand, the California Privacy Rights Act (CPRA) applies to businesses that meet one of the following criteria:

  • Gross revenue over $25 million
  • Buy, sell, or share PII for at least 100,000 consumers
  • Derive 50% of gross revenue from the sale of PII

Why should my company be USDP compliant?

  • USDP compliance showcases your company's commitment to protecting the personal and private data of your customers and consumers

What is the timeline for USDP compliance? 

  • Implementing the fundamental controls could be done in 40-80 hours

What can Vanta automate?

  • Vanta can be used as an evidence repository and send automated reminders for items that need to be refreshed. In addition, every privacy framework requires organizations to maintain an appropriate set of information security controls to ensure personal data confidentiality, integrity, and availability. Vanta will help organizations define a defensible baseline of controls and automate the testing of many, if not all, of the associated technical controls. 

Does USDP require a formal audit?

  • USDP compliance does not require a formal audit. Companies will implement the proper controls and perform a self-attestation. For companies needing a higher level of assurance, an attestation from a CPA firm may be available.