GDPR in the US
The European Union passed the General Data Protection Regulation (GDPR) in 2016, and although its enforcement has left a lot to be desired, it still holds the crown as the most impactful data privacy regulation in the world. In the years since, many data privacy regulations worldwide have been directly based on the GDPR, because the GDPR itself advanced the notion of data rights incredibly far.
One notable exception is the United States. The world’s largest economy and arguably its most internet-savvy, the United States has failed to pass federal data privacy legislation, with several attempts fizzling out early in the legislative process. This has left the data privacy landscape in the country bare and disjointed, left up to the states to try to patch together regulations that might protect their constituents’ data rights.
That leaves the US without a GDPR equivalent and its privacy landscape in flux, though the full picture is more complicated.
Does the GDPR Apply in the US?
No. The GDPR is not an American law and has no jurisdiction within the US, so it does not apply to the US as such.
However, the GDPR applies to all companies that process the data of EU citizens (referred to as data subjects), and since many American companies operate globally and work within the EU, they need to be compliant with the GDPR.
This is true of any company doing business within an EU country and processing data from European data subjects, no matter where that company’s headquarters are located. This is why, when the GDPR became effective in 2018, you suddenly started seeing consent banners on every website.
With countries like Turkey and Brazil, among others, adopting their own GDPR-esque data protection laws, even more companies have had to bring their privacy programs up to a GDPR-compliant level no matter where they operate.
That makes the GDPR a sort of de facto data protection baseline in the US, even though it isn’t an American law and even though key GDPR obligations, like producing impact assessments and records of processing activities (RoPA), are not required under US law.
EU-US Data Transfers and GDPR
American data privacy is undermined by the lack of a federal law, despite numerous bipartisan bills being introduced only to fizzle out. At the 2023 State of the Union address, President Biden again called for legislation that would control data processing and collection and protect Americans from the worst data privacy practices.
The desire for action is there, but despite many chances, none of these efforts has propelled a true GDPR equivalent far enough to be enacted in the US.
This has created immense problems for data transfers between European countries and the United States in the years since the GDPR came into force. Under the GDPR, personal data can only be transferred to countries outside its jurisdiction if those countries have adequate data protection measures in place.
Even with many American companies running somewhat GDPR-compliant organizations (as these companies often do not need to fully embrace a privacy program since it’s unlikely EU data protection authorities will call on them for impact assessments or RoPA reports), the United States as a whole lacks the governmental infrastructure to guarantee proper collection, processing, and storage of personal data.
Because of this, the former EU-US Privacy Shield, initially created and approved for trans-Atlantic data flows, repeatedly came under fire and was eventually nullified a few years ago. Data transfers between Europe and the US haven’t stopped completely, but the lack of a proper privacy framework for those flows has certainly impacted business over the past several years.
Now a new data transfer framework appears on the verge of approval, but EU administrative bodies have routinely put forth caveats and scrutinized the smallest details of the deal. Life for businesses would be infinitely easier if there were something like the GDPR in the US, so that data flows could continue unimpeded.
US State Data Privacy Laws
To make this all the more complicated, the US states that have passed comprehensive data privacy laws have largely modeled their regulations on the GDPR.
As of April 2023, six states have such a law on the books: California, Virginia, Colorado, Connecticut, Utah, and Iowa.
Do data transfers from the EU to these states meet the standards the European Data Protection Board has put forth? They aren’t necessarily being treated that way, due to the lack of an overarching federal law.
While California has strongly advocated for increased individual data rights, passing the CCPA in 2018 and amending it with the CPRA earlier this year, the other five states have taken a more conservative approach to the issue of data privacy.
Virginia was the second state, after California, to pass a comprehensive data privacy law, the VCDPA, and its legislature borrowed numerous rights and definitions of key terms straight from the GDPR. As other states have followed by using the VCDPA as a blueprint, strong GDPR principles are instilled in all of them.
So, Is There an Equivalent of the GDPR in the US?
Despite that fact, there is no clear equivalent of the GDPR in the US. This is because, with the exception of the CCPA, the American state laws have changed large parts of the GDPR to be more business-friendly.
Backbone activities of a data privacy program, like the aforementioned RoPA reports and impact assessments, are often not required or not laid out on definitive timelines in state regulations. This allows companies to slack on their privacy programs and typically exposes only the most egregious violations to enforcement.
In practice, this is due to a variety of factors, such as:
- more exemptions for institutions that would otherwise need to comply
- relatively high thresholds for which businesses need to comply (the GDPR sets no minimum number of data subjects, essentially meaning that if a company handles data from even a single citizen it is required to comply, whereas state laws have set thresholds as high as 100,000 or 250,000 data subjects before a company needs to comply)
- less enforcement power
- no private right of action
- and, in many cases, opt-outs instead of opt-ins, leaving companies room to practice deceptive data processing and notifications in order to keep people from exercising their legal data rights.
GDPR Checklist for US Companies
Because of this, many companies rely on a privacy program that is reactive to the laws rather than proactive in response to public demands and moral responsibility.
Although American companies are not bound by the GDPR unless they operate within Europe, it’s still worthwhile for companies to know the bar for data protection compliance under the GDPR, which is a much better indicator of healthy data privacy practices than compliance with the comparatively weaker US state laws.
As regulations continue to pass and hopefully become more protective of individual data rights, organizations that have already incorporated privacy principles into their decision-making processes are the most likely to succeed in the long haul.
You can follow this checklist to gauge your company’s compliance:
- Conduct a data audit to see where you and your vendors’ data subjects are located
- Tell customers in clear and simple language why you’re processing their data
- Assess your data processing activities and improve protection
- Always have a baseline processing activities report ready to go
- Set data processing agreements with your vendors (required by US state laws)*
- Appoint a data protection officer to run and oversee your privacy program
- Make a plan in case of a data breach (communication is required by US state laws)*
The Future of Data Privacy
With a federal data privacy regulation in the US looking incredibly unlikely in the near term, and with state laws that are not advancing data rights, one could view the American data privacy landscape with horror. The truth is that it isn’t in a strong place, far from the European position, but regulation is moving at the state level faster than it ever has before, which is a positive sign.
We won’t have the GDPR in the US anytime soon, but having something is better than having nothing, as it at the very least acknowledges certain data rights and raises awareness of them among the general public.
A patchwork of state regulations that all have various intricacies is not ideal, but the EU has been trying to figure out that issue to no avail for years as different countries’ data protection authorities interpret and enforce sections of the GDPR in different ways.
Regardless of enforcement difficulties, the European patchwork is light-years ahead of the US, which is still struggling to communicate the message on data privacy issues and get people invested. Europe at least has the talk of data protection down, but the continent still needs to walk the walk.
The truth however is that even with the GDPR and its influence in the US and around the world, data protection regulations need to continue evolving, maturing, and surveying the internet to stay on top of the issue and make a more noticeable impact in the lives of individuals.
The US passing a federal regulation would go a long way towards that, but for now, we’re stuck hoping for more baby steps forward.