Does the U.S. need a GDPR?

Thursday May 24 2018

With just over a month until the European Union’s General Data Protection Regulation (GDPR) takes effect, U.S. companies are wondering whether the United States will, or should, enact a similar regulation.

The topic has become even more heated in light of the recent data controversy involving Facebook and Cambridge Analytica. Cambridge Analytica, an unauthorized party, obtained data on 50 million Facebook users. This was not a case of hacking: Cambridge Analytica received the data from an authorized Facebook partner that had legitimate access to it. Once Facebook learned of the transfer, it demanded that Cambridge Analytica delete the data, but journalists have recently reported that the London-based political consulting firm may not have complied. A formal investigation is underway to confirm that the data has been, or will be, removed from Cambridge Analytica’s servers. In addition, Facebook is working to be more transparent about how it gathers and uses personal information and is telling users how to opt out of the site’s data-collection practices.

This move echoes the provisions of the EU’s GDPR. From May 25, any company conducting business in the EU must change how it collects and handles individuals’ personal data to meet GDPR requirements. The EU treats the protection of personal data as a fundamental right, and personal data is defined broadly: names, images, email addresses, IP addresses, bank details, medical information, social media posts and more. Companies will therefore need a lawful basis for processing the data of individuals in the EU, whether residents or visitors, and where that basis is consent it must be clear, freely given and specific. Data controllers and processors must then follow strict protocols to protect the data and must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk.

The United States, by comparison, has no single overarching federal privacy or information security law. Instead, Congress has passed sector-specific laws as needs arose, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protects medical information.


But now, in light of the Facebook data controversy, should the U.S. government take steps to protect web users and their privacy? Consider some of the pros and cons:

Pro: A U.S. version of the GDPR would make the web more user-friendly.

The GDPR stipulates that consent must be obtained through a clear, easy-to-understand request rather than a pre-checked box placed next to a link to a lengthy terms and conditions document; a pre-ticked box does not count as consent. The request must explain plainly how the user’s personal data will be used and let him or her decline data tracking. As a result, individuals will be more aware of when they are being monitored and better able to participate online in a way that meets their own privacy needs.


Con: A U.S. version of the GDPR would make the web harder to navigate.

Jim Edwards argues in his Business Insider article “GDPR will hand a huge advantage to big American tech companies by making the web unsurfable in Europe” that the GDPR will make websites more cumbersome to access. Visitors will be greeted by a consent form on nearly every site they open. Although the forms are meant to be quick and easy, users may still be annoyed at having to deal with a form before reaching the content they want, which will make browsing slower and more tedious.


Pro: New regulations could meet Americans’ desires to keep their information private.

TRUSTe and the National Cyber Security Alliance’s “U.S. Consumer Privacy Index 2016” reports that 92 percent of U.S. internet users worry about their privacy online, and that 68 percent are more concerned about not knowing how their personal information is used than about losing their main source of income. An easier way to know when data is being collected and how it is used could quell some of these fears.


Con: Americans are not that concerned about their privacy, and new regulations would be a waste of time and effort.

Thomas H. Davenport, visiting professor at Harvard Business School, points out in an article in The Wall Street Journal that many Americans are very open about their lives on social media. Privacy is simply not top of mind for everyone. To these people the web is not broken, so fixing it with new data privacy measures is unnecessary.

In addition, web users already know they can take steps to protect their privacy online. The “U.S. Consumer Privacy Index 2016” shows that 43 percent of U.S. internet users are aware that they can change their social media settings and turn off location tracking, yet only 29 percent have done either, which suggests that users are not that concerned about their privacy.


Con: Compliance with a U.S. version of the GDPR would be expensive for companies.

Switching to stricter privacy practices would require hefty IT investment. In preparation for the GDPR, 68 percent of affected U.S. companies expect to spend $1 million to $10 million each on compliance, and another 9 percent expect to spend more than $10 million, according to a PwC survey. DM Databases estimates that there are 22 million active companies in the United States. If each of them had to make a similar investment, trillions of dollars would be spent on IT updates.


Pro: Many U.S.-based companies are required to comply with the GDPR, so they will get more value if their tech investments protect Americans’ privacy too.

The GDPR’s reach is not limited to companies with a physical presence in the EU. Any company that offers goods or services to people in the EU, or that monitors their behavior, for example through advertising campaigns, is bound by the new regulation.

A HyTrust survey of organizations with cloud infrastructure found that almost 80 percent of companies would be affected by the GDPR.

Because so many companies will need to spend the money to update their web activities, these investments will be even more worthwhile if they help companies comply with a similar policy in America.

Plus, it will be easier for companies affected by the GDPR to comply with two similar policies — the GDPR and a U.S. version — than grapple with two vastly different approaches to doing business online.


Con: Strict privacy guidelines will stifle innovation in online marketing.

Many companies use consumers’ demographic data to build targeted marketing campaigns, which lets them deliver offers that are relevant to a given consumer. Davenport offers the example of Caesars Entertainment, which tracks its customers’ gambling habits and vacation preferences. Caesars CEO Gary Loveman says customers never complain about the use of their information because it is used to offer them targeted and valuable deals. Without such information, companies would have to fall back on more generic marketing.

Pro: Stricter guidelines will encourage good business practices.

Although companies may be more limited in how they can collect and use data for marketing purposes, there is still room for innovation within these guidelines. Moreover, Joel R. Reidenberg, PhD, Waxberg Professor of Law and founding academic director of the Center on Law and Information Policy at Fordham Law School in New York, writes in The Wall Street Journal that innovations built on consented data carry the consumers’ own seal of approval. Once the GDPR takes effect, a user who gives a website permission to collect his or her data is signaling approval of the owner’s stated plans for that data. This, in turn, gives executives and shareholders confidence that they are acting in the best interests of their customers.

