Privacy and civil rights activists say the US should pass a GDPR-style federal privacy law to replace the confusing patchwork of federal and state laws currently in place. This is an approach also favored by Apple, which wants the simplicity of a single set of privacy requirements across the US.
In the European Union, the General Data Protection Regulation (GDPR) provides the strongest protections ever seen for consumer data, all within a single piece of legislation. The US, in contrast, has no fewer than eight different federal privacy laws, and a mass of current and planned state ones …
The data collected by the vast majority of products people use every day isn’t regulated. Since there are no federal privacy laws regulating many companies, they’re pretty much free to do what they want with the data, unless a state has its own data privacy law (more on that below).
- In most states, companies can use, share, or sell any data they collect about you without notifying you that they’re doing so.
- No national law standardizes when (or if) a company must notify you if your data is breached or exposed to unauthorized parties.
- If a company shares your data, including sensitive information such as your health or location, with third parties (like data brokers), those third parties can further sell it or share it without notifying you.
Europe’s comprehensive privacy law, General Data Protection Regulation (GDPR), requires companies to ask for some permissions to share data and gives individuals rights to access, delete, or control the use of that data. The United States, in contrast, doesn’t have a singular law that covers the privacy of all types of data. Instead, it has a mix of laws that go by acronyms like HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, VPPA [and FTC], designed to target only specific types of data in special (often outdated) circumstances.
It’s unlikely that the average American consumer could even tell you what all those acronyms stand for, let alone have any idea what rights they do and don’t have under each of them.
Then there are state privacy laws.
Currently, three states in the US have three different comprehensive consumer privacy laws: California (CCPA and its amendment, CPRA), Virginia (VCDPA), and Colorado (ColoPA). Regardless of which state a company is located in, the rights the laws provide apply only to people who live in these states.
Other states have their own proposed laws at various stages of development.
Even among the existing state laws, only California has anything remotely approaching GDPR-level protections.
In contrast, some of the experts we spoke with viewed Virginia’s Consumer Data Protection Act with skepticism. “I would consider [VCDPA] a pretty weak bill,” said Ruane at the ACLU. “It is based on opt-out consent. There are no civil-rights protections. There is no private right of action. A lot of the provisions are business-model affirming. It essentially allows big data-gathering companies to continue doing what they have been doing.” None of that should be too surprising considering that Virginia’s law was written with strong input from Amazon.
This is complicated for consumers – giving them widely different privacy rights depending on where in the country they happen to live – and a nightmare for companies, who will eventually have to comply with more than 50 different privacy laws, with much of that compliance on a state-by-state basis.
Whitney Merrill, a privacy attorney and data protection officer, said that a federal law would make matters easier for everyone. “We need a federal law that thinks about things in a much more consistent approach,” Merrill said, “to make sure that consumers understand and have the right expectation over rights that they have in their data.”
Do you agree with Apple that a single GDPR-like federal privacy law is the best approach? Please take our poll, and share your thoughts in the comments.
Illustration: Dana Davis/Wirecutter