In part one of our data privacy series, we discussed the current landscape of data privacy in the U.S., as well as a few opportunities for members of Congress to take action. This week, we’ll take a look at two of the major data privacy laws out there and what we can learn from them.

General Data Protection Regulation (GDPR)

The GDPR is a strict data privacy law that took effect in the European Union (E.U.) in 2018. It applies to companies, non-profit organizations, and government entities in Europe, as well as those outside of Europe that process or hold the data of E.U. citizens (for example, an American news site that uses online tracking to serve ads to readers in Europe).

The law requires that organizations obtain explicit consent from users when collecting personal data, allow users to revoke that consent, and enable individuals to request their data and transfer it to another party. The law also gives organizations 72 hours to notify consumers of a data breach.

One of the GDPR’s most controversial provisions is the so-called “right to be forgotten,” which allows E.U. citizens to request that search engines remove “inaccurate, inadequate, irrelevant, or excessive” information from their listings. This can include information about professional wrongdoing or self-published content, as well as sensitive personal details.

For companies that do not comply, the law imposes penalties of four percent of annual global revenue or $20 million, whichever is larger.

The Economist sums up a common sentiment about the law: “It is rules-heavy and has its flaws, but its premise that consumers should be in charge of their personal data is the right one.”

Supporters emphasize that the GDPR establishes one set of rules for the entire E.U., allowing tech companies to do business without navigating country-by-country laws. Some companies have said that the law genuinely made them more aware of the data they hold and forced them to think critically about how they use and protect it.

Critics of the GDPR, however, worry that it is too complex and prescriptive, and will squash innovation. They also note that while the heavy fines may be manageable for behemoths like Facebook and Google, they could quickly bankrupt smaller tech companies.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) became law in 2018, and was the first major online consumer privacy measure in the U.S. The state legislature can amend the law until it takes effect in 2020, and several efforts are underway to do so.

According to the New York Times, “The law grants consumers the right to know what information companies are collecting about them, why they are collecting that data and with whom they are sharing it. It gives consumers the right to tell companies to delete their information as well as to not sell or share their data…It also makes it more difficult to share or sell data on children younger than 16.”

The CCPA differs from the GDPR in a few fundamental ways. For example, consumers must generally opt into data collection and sale under the GDPR, whereas they must only have the option to opt out under the CCPA. Also, while the GDPR applies to nearly any kind of organization, the CCPA applies only to large businesses.

Intentional mismanagement of user data could cost companies up to $7,500 in fines.

While some tech CEOs have publicly committed to privacy, industry groups representing them say the CCPA is too harsh and are backing legislation to weaken it. They want carveouts that enable them to collect data on job applicants, for example, and to offer store loyalty programs that collect customer information. Tech companies also want to see national legislation that will pre-empt the California law.

Some privacy advocates, however, say it’s not tough enough. The Electronic Frontier Foundation laments that the CCPA merely enables users to opt out of providing their data, rather than using the GDPR’s opt-in framework, and that consumers can only sue under the law in the event of a data breach. Their only recourse otherwise is to file complaints with the state’s attorney general.

What Can We Learn?

While measures at the federal level continue to percolate, state legislatures around the country are keen to act. In the months since California passed its law, 16 states have introduced their own data privacy bills, raising concerns that companies will have to contend with a patchwork of state-by-state laws.

Will national legislation in the U.S. follow either the EU or California model? Existing laws and regulations in the U.S. would make it difficult to import the GDPR wholesale. The GDPR relies on data privacy authorities in its member countries to enforce the law, but the U.S. has no such agency. Further, the “right to be forgotten” may be at odds with the First Amendment of our Constitution. Some scholars argue that the rule amounts to censorship.

California, home to Silicon Valley and one in eight Americans, may provide a more useful case study. Ongoing wrangling over possible amendments to the CCPA will offer clues about which policies tech companies and privacy advocates are pushing in Washington.

Americans are watching. A study by Pew Research Center found that 68 percent of internet users believe our current privacy laws are insufficient, and 64 percent want more regulations for advertisers that handle personal information. While the GDPR and CCPA may not be perfect templates for the U.S., they have reframed the conversation about who controls our personal data online. 

Learn More

Tech Companies on Board: Some of them, anyway. Microsoft has voiced its support for a privacy bill in Washington State – via Microsoft

Tip of the Iceberg: The Cambridge Analytica scandal was hardly the only example of data misuse in recent memory, but it cemented privacy as a major issue in the American consciousness – via Wired

Still Skeptical: Although the GDPR is a landmark data privacy law, some experts remain unconvinced that it will truly improve things for consumers – via Brookings

The Thorniest Issues: As Congress begins taking data privacy seriously, one group predicts where the discussion will become most controversial – via ACLU