The GDPR united 28 disparate data privacy laws across EU member states. It’s only logical that the same will happen in the U.S. ACA Aponix’s Alex Scheinman discusses what American companies might expect going forward.
When it comes to data privacy, the fate of the United States is written in the Star-Spangled Banner. While a number of issues have served to divide the nation’s citizens over the past few years, concerns around data protection have created a rare consensus that more needs to be done.
Since the General Data Protection Regulation (GDPR) in Europe put data privacy firmly in the international consciousness, pressure has been swelling from the ground up for both firms and governments around the world to follow suit. On top of this, the spate of high-profile breaches that saw the likes of Facebook and Google hit with hefty fines has caused firms worldwide to finally sit up and take note.
In the U.S., there’s not a single state that isn’t facing pressure from both consumers and consumer advocacy groups to enshrine data protection into law. Both California and Vermont have already taken the plunge, and we could soon be seeing a number of different data privacy regulations springing up all over the U.S.
It’s a déjà vu moment for the global regulatory scene, with American firms now facing the same challenge European firms faced less than a decade ago: an increasingly fragmented regulatory environment. Yet while European firms had to comply with 27 similar but different data protection laws, the lack of any sort of federal data privacy directive in the U.S. means that firms could be facing 50 vastly differing sets of rules.
The prospect already has businesses like technology giants Facebook and Amazon knocking at government doors, pushing for a single federal data privacy law. Such a bill, like GDPR, would reduce the compliance headache for firms by harmonizing data privacy requirements across the whole country, establishing a more business-friendly regulatory environment.
In response, U.S. senators last month held a hearing to get opinions from industry experts and lobbyists on the development of a similar federal data privacy law. The problem is, with so many voices and vested interests at play, it’s going to be incredibly difficult for members of Congress to arrive at a consensus.
The California Consumer Privacy Act (CCPA), currently America’s closest cousin to the GDPR, has been most widely accepted as a sensible basis on which to build. Passed in June 2018, it has taken preliminary steps to outline the basic rights of California residents to knowledge of and access to their personal data. Yet businesses are already pushing for this regulation to be watered down, which would of course be a hard sell for both consumers and regulators.
With calls for a single federal law now coming from all directions, the biggest losers in the U.S.’s own GDPR narrative will be the firms that fail to prepare. Those left twiddling their thumbs waiting for this to officially become federal law will find themselves faced with high premiums for vendor or consultancy services in the eleventh hour. With major fines coming down the pipeline, every firm across all 50 states needs to follow the global trend and shift its thinking when it comes to data privacy.