May 22, 2019

Does the U.S. Have a Case of GDPR Envy?


Research indicates European citizens are generally happy with the General Data Protection Regulation (GDPR), the landmark data privacy law that went into effect a year ago from Saturday. But folks in the United States have largely been left out of the regulatory extravaganza, leaving some to wonder when the exploitation of American citizens’ data will ever end.

Immense strides have been made in the handling of the personal data of European citizens since the GDPR went into full effect on May 25, 2018. As we have previously reported, EU citizens have lodged nearly 60,000 complaints, and the regulators in various countries have handed down some sizable fines — although more and bigger fines are widely expected.

There are positive results from GDPR, a far-reaching law that severely restricts what organizations can do with private data. A survey by TrustArc found that 36% of British adults now have greater trust that their data will be managed appropriately. (The UK, which is leaving the EU, is expected to pass its own version of the GDPR following its “Brexit”).

The TrustArc study also detected positive sentiment toward GDPR enforcement activity, and found that nearly 60% of survey-takers are more likely to use websites that have a GDPR certification mark or seal.

Some areas of the digital marketplace in Europe have changed fairly dramatically as a result of the GDPR, says James Cotton, who heads up Information Builders’ Data Management Centre of Excellence in Amsterdam. In particular, those companies involved in the data brokering business have faced a reckoning, he says.

“We have had customers who have made their money by buying and selling data. They have been technically very advanced. Those are the organizations that are definitely struggling,” Cotton tells Datanami. “This business model is going extinct very quickly, indeed.”

It’s become quite clear that organizations that want to utilize the data of EU citizens will be forced to deal with compliance and accountability requirements, says Cindy Provin, CEO of nCipher Security.

“What’s also clear is that businesses are facing increased pressure to understand exactly how data is protected at every point during its lifecycle, in order to assess the vulnerabilities in their systems and processes,” Provin says. “While it’s often challenging for businesses to take a holistic view of data protection, especially when multiple sources and technologies are involved, it’s necessary from a legal, financial, and frankly reputational, standpoint.”

One of the interesting consequences of GDPR is a reduction in free services, says Steve Armstrong, a regional director at Bitglass. “Once the consumer was the product,” he says. “Now that data collection is much more restricted, there has been a marked change in the way data-based businesses are able to monetize their consumer data.”

Organizations are delivering fewer personalized services as well, as a result of the stricter data requirements of GDPR, Armstrong says. “The C-suite has now much more responsibility for customer data protection,” he says. “This likely caught many organizations off guard; but on the plus side it has broadened the conversation about data security from something the guys in the basement did, to a board level addressable issue.”

There have been plenty of compliance travails over the past 12 months as organizations have dealt with failures and roadblocks to implementing a data protection strategy, says Rob Perry, vice president of product marketing at ASG Technologies. That, in turn, has created a ripple effect for data privacy that’s spreading across the globe.

“The most impressive accomplishment of GDPR, however, has been its role in kickstarting the data privacy awareness revolution,” Perry says. “From the introduction of the California Consumer Privacy Act to the reconsideration of the Children’s Online Privacy Protection Act, the first year of the GDPR put the wheels in motion to create a globally safe, secure data landscape.”

While EU residents bask in the glory of personal data protection requirements backed by the force of law, folks in the United States continue living in a Wild West data environment. That will start to change in January, when the CCPA goes into effect in California, but it won’t help the majority of Americans in other states.

(Image caption: Mark Zuckerberg is facing calls to break up Facebook)

According to a survey by nCipher, 64% of Americans said they don’t feel organizations are completely transparent with how they use their customers’ personal data, and 49% say they don’t trust companies to keep their private data secure. Nearly half (44%) of Americans said the federal government should be in charge of data privacy, according to the survey, while 32% said the states should be in charge of data privacy regulations.

Whether that widespread distrust results in legislation is the $10,000 question, of course. However, there’s little chance that a national privacy law in the United States will pass anytime soon, according to numerous industry experts that have spoken with Datanami.

While American firms have been forced to deal with the GDPR rights of EU citizens, the Web giants have yet to make a major shift in their strategies to harness personal data of Americans. American companies need to deliver basic online rights for consumers, says Brian Vecci, the field CTO at Varonis.

“Heavy hitters like Facebook and Google should be leading the way, acting as advocates for privacy and ushering in a new era of data protection,” he says. “Yet they’re the biggest offenders.”

Consumer trust in Silicon Valley firms is eroding as a result of scandals, Vecci says. “Exploiting consumer trust seems to be the name of the game, with Facebook, Google and the like acting like they’re above the law,” he continues. “Is it a coincidence that Google dropped the ‘Don’t be evil’ clause from its corporate code of conduct in favor of a watered down alternative: ‘Do the right thing?’ I think not.”

Very little has changed in the U.S. since the introduction of GDPR, says Richard Bird, Chief Customer Information Officer at Ping Identity.

“Rather than seriously addressing the issues of customer privacy and consumer protection, U.S. businesses slapped a message box onto their sites asking users to ‘accept’ or consent to those terms and called it a day,” he says. “In their defense, the U.S. government walked away from the discussion around data privacy, leaving a vacuum of leadership and standards definition. This lack of leadership has resulted in confusion, frustration and very little guidance for companies to successfully craft true consumer protection.”

Laws like CCPA indicate that the pendulum may be getting ready to swing, “not just in the direction of dramatic changes in company behavior related to data privacy, but toward consumer demands,” Bird continues.

“It is time for us to hold companies accountable for protecting their customers’ digital identities as well as their data,” he says. “Only when we tightly couple the data that GDPR, CCPA and other regulations say ‘belong to the customer’ with the customer’s actual identity, will we begin to see any improvements in consumer protection and security.”
