GDPR US equivalent: How the US and EU compare on data privacy laws

If you’ve visited a website or checked your email in the past few years, you’re undoubtedly familiar with GDPR. Companies informing you of privacy policy updates and websites prompting you to manage your cookie preferences are just some ways we experience the impact of the landmark data privacy law.

Despite being drafted and adopted by the European Union, GDPR has global implications. Beyond the impact on how your business manages prospect and customer data, comprehensive policies have gone on to influence data privacy laws worldwide — including in the United States. While there is no GDPR US equivalent at the federal level, individual states, such as California, have implemented similar policies.

Staying on top of local, federal, and international regulatory requirements is essential to your business staying compliant and avoiding hefty fines.

A brief overview of GDPR

The General Data Protection Regulation (GDPR), enacted by the European Union (EU) in 2016, is a comprehensive regulation that sets the standards for acquiring, managing, and processing the personal data of EU citizens and residents. Within the scope of GDPR, personal data is any information that can be linked to an identifiable natural person, or “data subject.”

The most important element of GDPR is that the regulation dictates no organization can collect, store, or use personal data without the explicit consent of the data subject.

The broad spectrum of personally identifiable information (PII)

Unlike similar US data protection laws, which limit regulated data to financial or health information, GDPR protects and regulates many categories of information that can be tied to data subjects, including location information, IP addresses, and cookie data. All of this falls under the umbrella of personally identifiable information: if your business collects or processes such information, for example through lead capture forms or advertising pixels, you’re responsible for complying with GDPR.

The impact of non-compliance

Maintaining compliance with GDPR is not only in your customers’ best interests but in your business’s best interest. Horror stories of non-compliance and data breaches are often accompanied by hefty fines. Depending on the size of your business, fines can range between $11 and $21 million or 2–4% of your annual global turnover.

What does GDPR mean for businesses in the US?

We know that GDPR has far-reaching impacts, including on businesses in the United States. While it can be easy to disregard GDPR requirements if you aren’t a multinational company, you would be wise not to. Even if you don’t intend to collect data from or sell to EU residents, if your digital properties, including websites, attract visitors from the EU or the European Economic Area (EEA), then GDPR applies.

Say a visitor from an EU member state arrives on your website and subscribes to your blog or downloads a research paper. Your retargeting efforts through Google or LinkedIn advertising may drop a tracking pixel on their browser. That user is now a data subject, and you’ve begun processing their data.

With the wealth of scenarios available for sensitive data collection, staying on top of best practices for GDPR compliance is vital for US businesses. But beyond the regulatory requirements, GDPR has an additional impact on privacy legislation worldwide, including in the United States.

Does the US have similar data protection laws?

While federal law has yet to address data security and data processing to the extent of GDPR, state laws serve as GDPR equivalents in the United States. As of 2022, five states, Utah, Colorado, Virginia, Connecticut, and California, each have some kind of consumer privacy law. Meanwhile, more than 15 states are considering similar legislation of their own.

Protecting the data of California residents

The California Consumer Privacy Act (CCPA), passed in 2018, was the first law of its kind in the US, enacted in response to GDPR and to data privacy violations in the state. It features similar data protection regulations, though admittedly on a more limited scale.

  • Personal information vs. personal data: While the terms are often used interchangeably, CCPA specifically addresses and protects personal information that can reasonably be linked to a consumer in California.
  • Consumers vs. data subjects: While GDPR protects any data subject living in the EU (including US citizens), the scope of CCPA is limited to the information of California residents and, more specifically, consumers.
  • For-profit businesses vs. data processors: CCPA regulates specific for-profit companies that handle the data of California consumers, while GDPR provides regulatory guidelines for any organization inside or outside EU member states that processes data, including multinational companies.
  • Required oversight: While GDPR requires the appointment of a Data Protection Officer (DPO) to oversee compliance and act as a liaison for audit purposes, CCPA has no such oversight requirement.

In January 2023, the California Privacy Rights Act (CPRA), an amendment to CCPA, went into effect. It introduced new requirements, rights, and enforcement mechanisms within CCPA, including a clearer definition of who is covered by the legislation and protections for “sensitive personal information.” Specifically, the CPRA:

  • Raises the threshold for covered businesses from those that buy, sell, or share the personal information of 50,000 residents to those handling the personal information of 100,000 or more
  • Defines a new category of sensitive personal information that includes government-issued identifiers, financial information, geolocation data, and demographics such as race, religion, and more

At a high level, both policies afford individuals more clarity into and control over their personal data and the processing of such data. Concerning GDPR, health and financial data fall under the larger umbrella of personally identifiable information. In the United States, similar data is regulated extensively through multiple federal laws.

Safeguarding patient health data

The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, regulates Protected Health Information (PHI). Organizations that handle PHI, including “covered entities” such as healthcare providers and business associates such as billing or EHR companies, are responsible for complying with HIPAA regulations. If your business uses or processes patient records, payment information, biometric data, or health plan information, you’re likely subject to HIPAA.

Regulating payments and credit card transactions

Meanwhile, the Gramm-Leach-Bliley Act (GLBA), enacted in 1999, requires financial institutions to give individuals greater access to, and transparency into, how their personal data is used. Maintaining GLBA compliance includes communicating how sensitive data such as a customer’s name, address, telephone number, or account and social security numbers is handled and shared. As with the CCPA, CPRA, and GDPR, institutions must offer customers the opportunity to opt out of having their data shared with third parties.

As with CCPA and GDPR, non-compliance with HIPAA and GLBA can significantly impact an institution, with per-offense fines upwards of $100,000 for GLBA or $50,000 for HIPAA. Repeat HIPAA offenses can scale fines up to $250,000, providing a clear incentive to maintain compliance.

Establishing rights with US government agencies

Since the CCPA regulates for-profit organizations, it’s mainly limited to data used for commercial purposes. The Privacy Act of 1974, by contrast, regulates how the public sector manages your data.

Drafted in response to the advent of databases and computers that could store a wealth of information, the Privacy Act guides federal agencies on data protection, maintenance, and dissemination. The act affords US citizens four rights concerning their personal data:

  1. Agencies are required to share the records kept on an individual when requested.
  2. Agencies must follow “fair information practices,” which define the scope and quality of data agencies can reasonably collect and manage.
  3. Agencies must adhere to restrictive guidelines for sharing personal data between agencies or with other individuals.
  4. Agencies can be sued for violating any of the above rights.

It’s important to note that the Privacy Act is not all-encompassing. Government agencies responsible for law enforcement, like the Federal Bureau of Investigation (FBI) and the Central Intelligence Agency (CIA), are exempt from the legislation. Additionally, the act provides for “routine use” and other exemptions, such as for use in the US census.

What does the future hold for data protection laws in the United States?

Regarding the equivalent of GDPR in the United States, data protection is more a sum of its parts than a comprehensive approach. Legislation like the California Consumer Privacy Act or the Virginia Consumer Data Protection Act fills similar needs for privacy laws within the borders of individual states.

The existence of cross-border data transfers and a global economy drives the need for more US companies to achieve GDPR compliance, but it’s not a universal requirement.

The US approach to data protection and transparency policy has been a patchwork over the past several years. However, 2022 saw significant fines levied by the Federal Trade Commission for privacy violations, along with renewed efforts from Congress to create a cohesive national policy on data privacy.

Federal Trade Commission stepping in on compliance violation

Specifically, the FTC ordered Epic Games to pay over $500 million in fines for violating the Children’s Online Privacy Protection Act (COPPA) through misleading user interface design, or “dark patterns,” that prompted thousands of unintentional purchases and privacy decisions by children and teenagers.

Moreover, a coalition of over 40 Attorneys General reached a landmark settlement with Google of north of $350 million over its location data processing. These decisions mark a watershed moment in US information security regulation and show how companies can be held financially responsible for violating specific privacy laws.

Comprehensive data privacy law potentially up for debate

The impact of existing legislation has reinvigorated conversations for a comprehensive equivalent to GDPR in the United States. In 2022, the American Data Privacy and Protection Act (ADPPA) passed through Congressional committee with bipartisan support. But it was never brought to a vote on the floor of the House of Representatives. The bill would preempt the California Consumer Privacy Act and remains an option for debate and decision in 2023.

How to account for disparate data privacy laws

The impact of non-compliance isn’t limited to fines and criminal penalties. The customer impact of data breaches looms large, and maintaining their trust can often hinge on your company’s ability to safeguard their information.

With so many legal guidelines, protocols, and regulations to follow, how can your business stay ahead of the data security curve?

Making the right hires for your team

In some cases, the path forward is quite clear. Depending on your business, GDPR may require hiring a Data Protection Officer, or DPO. The responsibilities of a DPO include educating employees about compliance and data handling and conducting regular security audits. The DPO also serves as the primary point of contact for access to company data, whether for audits or otherwise.

Data Protection Officers and other security and compliance hires are essential to ensuring your business can monitor the ever-changing landscape of information security law. With clear visibility into your business’s data practices and information security, such roles can more seamlessly monitor, advise on, and maintain your compliance posture.

Working with a partner

While hiring team members to monitor and determine the business impact of these trends might not be in your startup’s roadmap, you should continuously evaluate how to approach security for your particular stage. That means being mindful of your security foundation, tools, and data practices to understand how changes in regulatory compliance might impact your business operations.

Note: This blog post was originally published on March 15, 2023, and was updated on Feb 12, 2024.