GDPR: Adopting More Stringent Privacy in the US


The GDPR is a stringent data privacy law that seeks to protect consumer rights while at the same time facilitating a more regulated digital economy, giving us the best of both worlds. 

Or not? 

The regulation imposes guidelines on how businesses collect and process the personal data and privacy of EU citizens for transactions carried out within EU member states. 

Even though the rule was designed for the EU, GDPR-mania had officially arrived. Countries worldwide hurried to make sense of GDPR’s implications and complications.

Meanwhile, the US took a more cautious and measured approach.

Implementing a regulatory mechanism similar to the GDPR seemed natural, logical, and reasonable.

However, GDPR implementation isn’t without its unique challenges, especially for a country like the US.

Let’s take a closer look at GDPR’s impact on the US. 

GDPR’s Impact on the U.S.  

The GDPR had far-reaching effects globally. But while countries like Argentina, Brazil, Malaysia, and Uruguay adopted GDPR-influenced legislation soon afterward, the US has yet to develop federal-level legislation. The US, however, has had data privacy laws historically, just nothing like the GDPR in terms of coverage and scope.

The law doesn’t impact US citizens living and doing business in the US who have no connection to the EU. However, it affects US businesses that collect data on EU citizens, as well as US businesses whose third-party contractual agreements are due for revision to ensure GDPR compliance.

Regardless of whether it applied to US citizens, the GDPR was a precursor to potential legislative developments along similar lines back home.

Meanwhile, in California, state legislation called the California Consumer Privacy Act of 2018 (CCPA) was signed into law in June 2018 with an implementation date of January 1, 2020.

The Act was introduced unusually quickly to offset the challenge of the privacy law in the November ballot initiative of the same year. 

Americans started putting their businesses under the microscope. They needed to understand the laws better, learn how to ensure they were compliance-ready, and prepare themselves for other state laws resulting from the CCPA. 


Challenges with Implementing GDPR

To understand how challenging it is to implement legislation of this magnitude in a country like the US, one only needs to review the situation in the EU post-GDPR. The Financial Times (FT) reported last year, based on an “official” report, that “the data rules are proving difficult to implement two years after coming into effect, placing a particular burden on small and medium-sized companies and those developing new technologies.” 

“A whopping 99.9% of businesses in the US were identified as small businesses, according to this 2019 SBA report. The cost of GDPR compliance for small to medium companies was high. In 2019, Microsoft pegged the cost of compliance at $1.3 million globally.” 

Also discussed in the FT article were the difficulties with reconciling differences between interpretations of the legislation in different countries on parts of the GDPR that allowed for country-specific flexibilities. 

In the US, the primary argument against GDPR-like legislation is the lack of one implementation body with this overarching authority over all types of businesses and industries. Then, there is the expected lack of consensus amongst political parties. 

Also to consider in the US, aside from bringing companies up to the required levels of preparedness and compliance, is the mammoth task of reconciling individual state exclusions or inclusions. 

Private litigation is another concern that has given businesses nightmares since the GDPR. The GDPR and CCPA give consumers the right to claim damages for data breaches. Companies must be ever-vigilant and on the ball with the legalities of capturing and processing data. 

The US has, until now, had a very laid-back approach to personal privacy. This is also one of the core reasons corporate innovation has flourished to this degree. Most of the emphasis has been on corporate/political privacy and cybersecurity. Unlike with the GDPR, personal data has generally been considered to come under the ownership of the data processors or controllers from the US perspective and not the consumer.


The CCPA – America’s First Privacy Law at a State Level 

The CCPA came into effect in January 2020, with enforcement in July. The Act provides the following provisions to consumers: 

  1. The right to know what personal information has been collected about them, how it is being used, and with whom it is being shared or sold.
  2. The right to “opt out” of having a business sell their personal information to third parties.
  3. The right to have the business delete their personal information, with some exceptions.
  4. The right to be treated equally for service and pricing by a business.

While there is some overlap with the GDPR in certain aspects, there are some fundamental differences in how their American counterparts decided to approach the CCPA. For instance, the GDPR emphasizes the need for technical and organizational measures to ensure data safety, while the CCPA has no such requirement. The CCPA does, however, give citizens protection in case of a data breach.

Responses to the CCPA have been mixed. On the one hand, Nevada and Maine quickly picked up the ball with their Nevada Senate Bill 220 Online Privacy Law and Maine Act to Protect the Privacy of Online Consumer Information, respectively. Other states expect to follow suit. 

On the other hand, critics argue that a bill passed at a federal level would be a lot more effective. For one, it would make it easier for businesses to manage compliance nationally rather than dealing with the individual differences associated with state-level legislation. But getting consensus in Washington may turn out to be a challenging exercise. 


GDPR vs. CCPA: How do U.S. and EU Privacy Laws Differ?

GDPR and CCPA establish strict guidelines for how service providers handle personal data. This includes ensuring that data is collected with the consent of the individual in question, and that its collection is secure and transparent. Individuals have the right to know what personal data is being collected about them, as well as the right to access it.

The primary distinction between CCPA and GDPR is that GDPR applies to any organization, regardless of location, that processes or intends to process sensitive data of EU citizens. GDPR compliance is required for any organization that processes personal data from EU citizens, whether or not they are customers. GDPR also does not impose entity revenue or processing threshold requirements.


GDPR:

  • Broad reach: Applies to all organizations worldwide that process or monitor EU citizens’ data.
  • Consistent enforcement: Levies heavy fines against companies in violation.
  • Lack of oversight: Does not require the appointment of an officer to oversee enforcement.


CCPA:

  • Narrow reach: Applies only to organizations that do business in California.
  • Inconsistent enforcement: Gives residents enforcement power via litigation against violating companies.
  • Dedicated oversight: Requires the appointment of a data protection officer to oversee compliance.


The Future of Data Privacy Laws

As more private and sensitive data digitally changes hands each year, it becomes increasingly critical to understand the laws protecting our privacy. In the United States, internet privacy laws are still evolving, but they are a strong start toward protecting personal data. Citizens and residents can expect more states to pass comprehensive privacy laws, and the federal government may eventually pass a law that provides nationwide consumer data protection.

In the meantime, staying informed about the latest security controls and data privacy developments is essential in taking steps to protect your personal information. Deploying data loss prevention and threat detection solutions can also help you keep your data safe and ensure compliance with privacy laws.
