What to Expect as GDPR Makes Its Way to the United States


Date: April 28, 2019 | Category: Compliance | Author: Ryan Szporer

It’s a year into life post-GDPR. Amazingly, the world goes on. In fact, the General Data Protection Regulation in the European Union has gone according to plan, to the point that similar legislation is being considered in other parts of the world, including the United States.

Good and Bad Data Privacy News

That’s good news. In fact, the first steps have been taken in the U.S. towards their own federal version eventually being adopted. The California Consumer Privacy Act comes into effect starting in 2020, while privacy laws in 13 other states are in the process of being adopted too.

From the get-go, it would have been a huge mistake for any U.S. company to assume GDPR was an overseas problem that wouldn’t ever affect them. After all, it technically did already. If GDPR’s rules, which dictate how the private data of Europeans should be handled, are broken by a firm, regardless of where it is located in the world, stiff fines could be incurred. Companies in the hospitality, travel, software services, and e-commerce industries are likelier than others to be affected.

With specific regard to the latter two sectors, as data integrity and privacy becomes an ever-growing concern, the issue is only going to gain momentum en route to it becoming a mainstream problem in America requiring a country-wide resolution. Plus, if American companies are going to have to make privacy concessions for their European customers, it makes sense to do the same for the ones back home, especially if they’re likely going to have to eventually.

Becoming as Good as GDPR-Compliant

In such an instance, some U.S. companies have some idea of what to do, having taken steps to comply with GDPR already. For those who haven’t, there’s no time like the present. Granted, one well-subscribed school of thought argues firms shouldn’t worry about trying to predict the future and should keep on as they normally would until laws are passed and they know exactly how to proceed.

In other words, don’t try to predict the future, because you very well could end up being wrong. Plus, even if you could, you wouldn’t even need to in this context. You’d be sipping a margarita on your own private island, having just won the lottery for the 12th time.

Admittedly, it’s true: Individual rules could frustratingly vary from state to state, once privacy laws in the States become more of a norm. However, the basic principles remain the same, especially with increasing calls for interoperable laws. In such an instance, a Californian, for example, would be able to realistically expect their data to be similarly protected if it travels outside state limits.

Take it from the CEO of Teemo, a Paris-based tech company specializing in location data that holds the dubious honor of being the first firm to officially get called out for not being GDPR-compliant. Benoit Grouchko, whose company has since rectified the situation, says a wait-and-see approach doesn’t work, especially since many of these policies should be best practices, regardless. That includes being more transparent with consumers and getting rid of data you’re not using.

Chances are good consent would be required for every bit of info anyway under the new world order. For example, under GDPR, companies cannot collect data without knowing how they will use it, nor can they reuse data they initially collected for another purpose.

Privacy by Design… Consumer-Friendly Too

Ultimately, the most successful companies will be the ones who were arguably compliant to begin with, namely those who embraced a “Privacy by Design” approach when building up their brand equity. There’s still hope for those who didn’t and took lax data privacy laws for granted, obviously. Moving forward, as Grouchko advises, make opting out as easy as opting in. Companies have a lot less to lose than if they don’t. Even if they missed out on the chance to gain a competitive edge, they have to get going eventually, because it’s undeniably where everything is headed.

These are just some basic principles that would arguably hold true regardless of the exact nature of any forthcoming laws in the U.S. All the same, there are things the U.S. might want to do differently if the trend ever gets to the point that it truly becomes a nationwide phenomenon. GDPR requires companies to appoint someone specifically to keep up to date with regulations, which amounts to one more expensive undertaking in the struggle to stay compliant: keeping someone on board who doesn’t directly contribute to the company’s bottom line.

Instead, in the event of cover-all federal legislation, there should be some focus on business development and promoting innovation. GDPR places restrictions on automation, by giving consumers the right to not be processed solely by automated decision-making, forcing some measure of human influence in profiling decisions. The ramifications are good from a human-interest standpoint, but bad technologically and economically speaking.

There needs to be some balance, because, as Apple CEO Tim Cook argues, technology needs the full confidence of consumers to reach its full potential. As American company Facebook can attest, no one needs a public-relations disaster revolving around data misuse… even in the rare case where no laws are technically being broken.

Even so, the era in which the legality of a similar situation would be justifiable looks to be drawing to a close. If U.S. companies choose to ignore the signs, they’ll only end up going in the opposite direction on a one-way street. Getting hit by huge fines is no joke, especially if a dead end is up next. As Grouchko argues, nobody would want to work with you if you get labelled as non-compliant. Least of all consumers.