The GDPR (General Data Protection Regulation) implementation by the EU in 2018 was a watershed moment for both consumers and businesses alike. Given the increasing worldwide dependence on digital data capture, storage, and processing, the regulatory framework couldn’t have come at a better time.
The GDPR is a stringent data privacy law that seeks to protect consumer rights while at the same time facilitating a more regulated digital economy giving us the best of both worlds. Or not? The regulation imposes guidelines on how businesses collect and process the personal data and privacy of EU citizens for transactions carried out within EU member states.
Even though the regulation was set up for the EU, GDPR-mania had officially arrived. Countries around the world scurried to make sense of GDPR’s implications and complications. Meanwhile, the US took a more cautious and measured approach.
At the outset at least, implementing a regulatory mechanism similar to the GDPR seemed like a natural, logical, and reasonable progression. However, GDPR implementation isn’t without its own unique set of challenges, especially for a country like the US.
We take a closer look at, firstly, GDPR’s impact on the US. Then, we review specific challenges with implementing a GDPR within the American climate. Next, we explore America’s first privacy law – the CCPA, and lastly, we look at future prospects for more stringent data privacy in the country.
GDPR’s Impact on the US
The GDPR has had far-reaching effects globally. But while countries like Argentina, Brazil, Malaysia, and Uruguay adopted their own form of GDPR-influenced legislation soon afterward, the US has yet to develop federal-level legislation. The US, however, has had data privacy laws historically, just nothing like the GDPR in terms of coverage and scope.
To be sure, the law doesn’t impact US citizens living and doing business in the US who have no connection to the EU. However, it does impact US businesses who collect data on EU citizens, as well as US businesses who have third-party contractual agreements due for revision to ensure GDPR-compliance.
Regardless of whether it applied to US citizens or not, the GDPR was also seen as a precursor to potential legislative developments along similar lines back home. Meanwhile, in California, state legislation called the California Consumer Privacy Act of 2018 (CCPA), was signed into law in June 2018 with an implementation date of January 1, 2020.
The Act was introduced unusually quickly to offset the challenge of the privacy law coming up in the November ballot initiative of the same year.
Needless to say, Americans started putting their businesses under the microscope. They needed to better understand the laws, learn how to ensure they were compliance-ready, and prepare themselves for other state laws that would come up as a result of the CCPA.
Challenges with Implementing GDPR-like Legislation in the US
To understand how challenging it is to implement legislation of this magnitude in a country like the US, one only needs to review the situation in the EU post-GDPR. The Financial Times (FT) reported last year, based on an “official” report, that the data rules, “are proving difficult to implement two years after coming into effect, placing a particular burden on small and medium-sized companies and those developing new technologies.”
A whopping 99.9% of businesses in the US can be identified as small businesses according to this 2019 SBA report. The cost of GDPR compliance for small to medium businesses is significant. In 2019, Microsoft pegged the cost of compliance to date at $1.3 million globally.
Also discussed in the FT article were the difficulties with reconciling differences between interpretations of the legislation in different countries on parts of the GDPR that allowed for country-specific flexibilities.
In the US, the primary argument against GDPR-like legislation is the lack of one implementation body that has this level of overarching authority over all types of businesses and industries. Then, there is the expected lack of consensus amongst political parties.
Also to consider in the US, aside from bringing companies up to the required levels of preparedness and compliance, is the mammoth task of reconciling individual state exclusions or inclusions.
Private litigation is another area of concern that has been giving businesses nightmares ever since the GDPR. The GDPR and CCPA both give rights to consumers to claim damages for breach of data, which means that businesses have to be ever vigilant and on the ball with the legalities of how they capture and process data.
The US has until now had a very laid-back approach to personal privacy, which is also one of the core reasons corporate innovation has flourished to this degree. Most of the emphasis has been on corporate/political privacy and cybersecurity. Unlike with the GDPR, personal data has generally been considered to come under the ownership of the data processors or controllers from the US perspective and not the consumer.
The CCPA – America’s First Privacy Law at a State Level
The CCPA came into effect finally in January 2020 with enforcement in July the same year, making the Golden State the first in the country to officially take up the mantle of consumer data rights.
The Act (the full text of which is available here) provides the following provisions (explained simply without going into too much detail here) to consumers:
- The right to know what personal information has been collected about them and how it is being used and with whom it is being shared or sold.
- The right to “opt-out” of having a business sell their personal information to third parties.
- The right to have the business delete their personal information with some exceptions.
- The right to be treated equally in terms of both service and pricing by a business regardless of whether they exercise their CCPA rights or not.
While there is some overlap with the GDPR in certain aspects, there are some fundamental differences in how American counterparts decided to approach the CCPA. For instance, the GDPR emphasizes the need for technical and organizational measures to ensure data safety, while the CCPA has no such requirement. The CCPA does, however, give citizens protection in case of a data breach.
Responses to the CCPA have been mixed. On the one hand, Nevada and Maine picked up the ball in quick succession with their Nevada Senate Bill 220 Online Privacy Law and Maine Act to Protect the Privacy of Online Consumer Information respectively. Other states are expected to follow suit.
On the other, critics argue that a bill passed at a federal level would be a lot more effective. For one, it would make it easier for businesses to manage compliance on a federal level rather than having to deal with the individual differences associated with state-level legislations. But getting consensus in Washington may turn out to be a challenging exercise.
Where to From Here for More Stringent Data Privacy in the US
The CCPA implementation is only just the beginning. Data privacy regulation is still an evolving exercise and very much a work in progress. Consumer rights, governance, compliance, risk-management, future-proofing systems, and cybersecurity are just some of the items on the checklist for more stringent data privacy in the US.
It will be a while before we see where the chips will eventually fall. Although federal legislation is unlikely, most experts agree that more state-level legislations are on the cards. Businesses in the US have a long road ahead. We’ve only just begun.