By Jay Bemis | Advertising Systems Inc.
Now that the General Data Protection Regulation (GDPR) is in effect for European Union countries, giving EU citizens greater control over their privacy and how companies can use their personal data, will the United States soon follow suit?
A recent survey shows that Americans favor similar protections. But it’s doubtful that any similar legislation would be passed anytime soon by Congress, whose members are gearing up for elections later this year. And, historically, the U.S. has taken an industry-by-industry, on-demand approach to regulating privacy, as it did with privacy laws affecting the health industry in 2003.
What Is GDPR?
For EU citizens, GDPR replaces a 1998 law enacted before the likes of Google and Facebook even existed. The new law gives EU citizens more rights in controlling their online information and presents a number of technically demanding requirements for companies to meet. It also threatens fines of up to 4 percent of a company’s annual revenue for violations.
One of two key elements of the law is the right of erasure, or the right to be forgotten — if you don’t want your personal information made public, then you can request its removal or erasure. A second element is the right of portability — when companies address “opt-in/opt-out” clauses to their users, for example, notices must be easy to understand and precise on the clauses’ terms.
Though GDPR doesn’t directly regulate U.S. companies, any companies that do business with UK citizens, including such social platforms as Google and Facebook, must be GDPR-compliant as of the law’s taking effect May 25.
Companies that GDPR affects have been scrambling to meet the new requirements. That’s why your email box may have been peppered in recent weeks with messages from companies to the effect that “our privacy policy has changed.” Or, perhaps you’ve opened your Chrome browser the past week or so to find Google asking you, via pop-up, if you would like to take a “privacy checkup.”
The hefty fines for GDPR non-compliance are particularly catching companies’ attention. A fine of up to 4 percent of annual revenue for Facebook, for example, would amount to about $1.6 billion of its $40.6 billion in revenue for 2017.
When grilled recently by Congress about Facebook’s data breach involving Cambridge Analytica, Mark Zuckerberg, Facebook’s founder and CEO, claimed that the social-media giant planned to extend GDPR-like protections to U.S. citizens, as well as the rest of the globe.
Poll Finds Americans Favor GDPR-Like Control
Janrain, a customer profile and identity management (CIAM) software provider, polled Americans last month about their thoughts on GDPR.
Most Americans would like to see GDPR-like laws enacted in the U.S., according to the survey.
Janrain asked its polling audience this question: “The General Data Protection Regulation (GDPR) will give European Union citizens greater control over how businesses can use their personal data. Would you like to see similar laws enacted in the U.S.?”
Sixty-eight percent of the respondents said “yes,” while 10 percent said “no” and the rest were unsure.
Future of GDPR-Like Law in United States Uncertain
Though there’s no legislation like GDPR pending before Congress, many states have passed their own laws concerning data breaches and notification requirements. Most of those laws affect only a limited amount of data, though, such as Social Security numbers and health or financial information.
Californians appear to be headed toward a vote on data privacy later this year, though.
The California Consumer Personal Information Disclosure and Sale Initiative would let residents request copies of their data from companies. They also could discover which third parties may have bought their data, and they could ask companies not to sell or share their personal information with others — protections that are similar to the GDPR.