European Privacy Law: Should the American Consumer Care?

The General Data Protection Regulation (GDPR) is a recent European Union (E.U.) regulation which became enforceable in May 2018, requiring companies to be more transparent with their customers regarding customer data usage. This regulation aims to give more control to consumers regarding their data. GDPR requires all companies handling such data to be equipped with data protection programs, and additionally, GDPR mandates that companies may not process data without the consumer’s informed consent. (Informed consent is similar to the type of consent required in the health care context.) 

Further, prior to customer consent, GDPR requires companies to clearly disclose to the consumer (i) how the data will be used; (ii) for how long the data will be used; and (iii) the right for consumers to erase their data at any time and/or revoke their consent.

Merely instructing a consumer to check a box is not enough. GDPR provisions require disclosures be communicated to the consumer in a clear and easy fashion (plain language) so the consumer may enter into an informed choice regarding whether he or she wants to agree to the data processing. Also, companies are required to have a data protection officer whose purpose is to maintain compliance with GDPR.

However, GDPR is not only applied to E.U. companies. As many Americans are unaware, GDPR applies to any company collecting data from E.U. residents despite where the company is based. Consequentially, GDPR will push U.S. based tech and data collecting giants such as Facebook and Twitter into a more transparent relationship structure with their consumers. Even companies that seem almost entirely U.S. based will still be affected by these rules. For example, American giant AT&T has consumers in 31 countries across Europe. While it is still unclear as to whether these companies will implement the same policies with U.S. customers (prior to similar U.S. privacy regulations are enacted) thanks to GDPR, U.S. based companies will have developed the necessary systems and frameworks if they choose to do so.     

Yet, the question for American consumers is whether or not the U.S. will adopt a privacy policy similar to that of the E.U.’s. It is obvious the U.S. cannot simply copy and paste GDPR into U.S. regulations due to the variance between European and American laws and business practices. Nonetheless, what is more likely is the U.S. government will wait a couple years in order to see the full ramifications of the new E.U. regulation, then combine applicable GDPR provisions with new language, and subsequently, pass it into legislation (barring U.S. private sector lobbying influence).

Does this affect American consumers? To understand how large of an effect privacy regulation might have, it is critical to recognize just how colossal this industry is. The big data industry brought in $7.6 billion seven years ago and is projected to bring in about $56 billion in 2020.

Any change to this immense industry would have incredible consequences for everybody. For the traditional consumer, there is an obvious benefit that comes with regulations like the GDPR. With clearer data usage terms and conditions, greater emphasis on consensual transaction of data, and mandatory increased data protection, it is hard to argue privacy legislation in the spirit of GDPR would be bad for Americans. However, U.S. companies will face increased operational expenses due to day-to-day compliance procedures. As a result, U.S. companies may pass these costs on to their customers in the form of increased prices. Likewise, companies that provide free services (i.e. Facebook and Twitter) may increase their advertising activity on customer pages in order to recoup privacy related expenses. Further, it is also likely that new U.S. privacy regulation would increase the price of data bought and sold among companies due to diminishing consumer data supply and higher costs in the form of compliance. 

The American consumer should keep a close eye on GDPR’s effectiveness and enforceability. Most importantly, the American consumer should be keen to GDPR related responses from U.S. corporations. The U.S. will eventually implement its own privacy regulations which will be substantively akin in part to the E.U.’s regulations based on how successful (or unsuccessful) GDPR becomes.

Will GDPR help consumers better understand how their data is used by large companies or will it come at too high a cost? How will the U.S. adopt these data protection principles? The only way to find the answers to these questions, whether you are an American consumer or Her Majesty Herself, is to wait and watch.

Written by Joel Kattady