A look at how the GDPR model would fit with state laws and the needs of American businesses and consumers
The European Union's General Data Protection Regulation (GDPR) has become the world's gold standard for user privacy and breach disclosure regulation. It affects any business around the world that processes or stores the personal data of individuals resident in any EU country. It specifies standards for protecting that data, punitive penalties for mishandling it, stringent rules for the disclosure of its loss, and assures EU citizens certain rights and protections for their personal data.
Its purpose is to provide a single privacy regulation across the whole of the union, so that international business would no longer face differing regulations in Finland from those in Germany, and different regulations in France from those in the U.K. In this sense, it is a European equivalent of U.S. federal law that encompasses the whole of the United States.
But the United States does not have a federal privacy law, and national businesses are faced with the same European pre-GDPR problem: different rules between different states. It is time to ask whether the U.S. needs an overriding federal privacy law.
U.S. state laws
American states have noted the privacy afforded to citizens by GDPR, and are implementing their own legislation. Texas, Nevada and Washington are among those who have done so, with Rhode Island, Massachusetts and New York considering it.
They are more directly inspired by the California Consumer Privacy Act (CCPA), which in turn is inspired by GDPR. California has a long history of consumer protection, and is the first state to follow in the EU’s footsteps and create a combined digital privacy and breach disclosure law. The problem for business is that each state has a different take on the details.
The CCPA and the GDPR are far from identical. Unlike the EU’s laws, the CCPA exempts small businesses – those that collect data from under 50,000 consumers, make under $25 million annually, and earn less than 50% of their revenue from customer data. The CCPA fines are applied per violation rather than for non-compliance, and California’s law only penalizes businesses when a breach occurs.
The question now is whether the federal government should step in and impose uniformity with a federal privacy law – and if so, what should it look like.
A federal privacy law
A federal privacy law is not a new idea, but much of the pressure comes from business rather than legislators. Intel, for example, has drafted its own proposed law. It has already been updated twice after comment and criticism from other businesses, experts and the public. One interesting way this proposal differs from the CCPA and other laws is that the Intel law emphasizes risk-benefit analysis and inviting consent, rather than blanket protection over user data. The goal seems to be to enable, rather than restrict, the use of customer data, but to do so in a secure and equitable way.
Support and alternatives
Intel is not the only company to favor federal legislation. While support for a federal law is not unanimous among tech businesses, Microsoft, Facebook and Google have all come out in support of bringing GDPR-style regulation to the U.S. The concept of some kind of federal privacy law even seems to be in favor among both Democrats and Republicans, although there is contention about how stringent and specific the regulations should be, and who should control it.
In an interview with Vox, the CEO of DuckDuckGo, Gabe Weinberg, suggested an alternative to full privacy legislation. He recommended a small regulation change, forcing data-tracking to be opt-in for the consumer, rather than opt-out, making use of functionality already within many browsers: “The fact that consumers have already adopted it and it’s in the browser is just an amazing legislative opportunity…It’s actually a better mechanism for privacy laws because once you have this setting and it works, you don’t have to deal with all the popups anymore.”
Consumer groups are also looking favorably upon privacy laws, with California’s CCPA being lauded by Consumer Watchdog (CW) as a landmark reform that should be defended from attempts to weaken or alter it. CW commented, “Big tech companies and advertising firms are unloading slick lobbyists to claim that such rules would cause deep harm to their businesses.”
This is the biggest concern over a federal law – that big tech lobbyists will force a weak law that will then override and effectively neutralize stronger state laws.
The business perspective
From the U.S. business perspective, there has never been a better time for a federal data-protection law to be introduced. The GDPR stipulates that any company collecting data on individuals resident within the EU must comply with the legislation – whether that company is based in the EU or not. This means that many U.S. businesses are already GDPR compliant in order to operate internationally, and have the framework in place to expand this compliance to the U.S. market.
It is different for U.S. national businesses. Data protection compliance is becoming a nightmare, with (potentially) up to 50 different laws with different specifications and requirements. A federal law would streamline this, providing one unifying piece of legislation across all states.
While it may seem counter-intuitive, privacy laws do not just penalize businesses for poor data protection, but provide significant benefits outside of compliance. A 2019 Cisco report shows that businesses experienced shorter sales delays, increased consumer trust and a competitive advantage by pursuing GDPR compliance. Privacy protection laws also provide in-depth, specific guidelines on how companies must protect data. Although data breaches can be heavily penalized in some cases, the emphasis is on strong security and prevention, rather than just reactive punishment.
The consumer perspective
The best argument in favor of a federal privacy law is probably the GDPR. It has already proven effective in protecting consumers, ensuring additional rights and holding businesses accountable for mishandling personal data. Cisco’s 2019 study also showed that the GDPR caused data breaches to be less frequent with lower impact when they did occur.
On top of the data-protection obligations, the GDPR has effectively provided a digital bill of rights for consumers, giving them access to and ownership of their personal data, and imposing limitations on what kinds of data can be gathered and stored.
However, it is not at all clear that a federal privacy law will provide as much benefit to consumers in the United States as GDPR in the E.U. The U.S. psyche is more pro-business than the European psyche, and any federal law will most likely seek to help business first and consumers second. A federal law might be important for business continuity, but a weak federal law that invokes the Supremacy Clause of the Constitution would weaken consumer protection in states like California.
Summary
Federal laws usually override state-level ones in case of conflict. In the case of a toothless federal data protection law, any good accomplished by the CCPA and similar state laws will be erased. The benefits of trust and competitive advantage of compliance would disappear once shown to be hollow; and without stringent guidelines to adhere to, we would likely see an increase in personal data breaches as well. In the best case, a federal law would unify and consolidate strong consumer protection and tangible business benefits. In the worst case, consumers would lose all the benefits of data protection laws and we would be back to the situation before the CCPA was introduced. Only this time, the ability for states to draft their own strong state privacy laws will be overridden by the supremacy of federal law.
A light-weight law enacted for political reasons is likely to weaken rather than strengthen existing consumer protections.
If the U.S. government introduces a new federal data-protection and privacy law, it will need to be a strong law. A light-weight law enacted for political reasons is likely to weaken rather than strengthen existing consumer protections. The GDPR has a multi-year, concerted effort to make a real difference. Unless U.S. lawmakers have the required organization, unity, and resources, they should stay out of this fight.