The General Data Protection Regulation (GDPR) may have originated in Europe, but its reach and influence stretches across the globe, including to the US.
For example, it’s actually easier for large enterprises to apply standards globally. Having already made a major effort to comply with GDPR for EU citizen data, it’s only logical to stay consistent across markets, said Mike Anderson, CTO and founder of Tealium.
“Global organizations don’t want one privacy and security policy for Europe and one policy for the US,” Anderson said. “We’ll see them take the most difficult standard and just deploy that across the board.”
Prompted by GDPR, Facebook pushed opt-in privacy notices to users worldwide ahead of the regulation’s enforcement date on Friday. Meanwhile, Microsoft is extending GDPR-like data subject rights to consumers across the globe, including the right to know exactly what data is being collected, the right to correct that data if needed and the ability to delete it outright or port it elsewhere.
On the other end of the spectrum, other entities are taking a different tack. The Washington Post, for example, is trying to monetize compliance efforts by offering tiered subscription packages, including an “EU premium subscription” that charges extra for no on-site advertising or third-party ad tracking.
But regardless of the approach, the takeaway is the same: GDPR, helped along by Facebook’s Cambridge Analytica scandal, has created a climate in which data tracking and collection are daily mainstream news items, even beyond EU borders.
Nation of California
In the US, California is cooking up a GDPR-inspired data protection law that has nearly double the number of signatures it needs – 625,000 – to make it onto the ballot in June. A lot of those signatures will probably be invalidated, which is par for the course with paid petitions, but as long as California’s secretary of state certifies that at least 366,000 of the signatures are valid, which is likely to happen, the California Consumer Privacy Act could be voted into law in November. The validation process is ongoing.
And despite the fact that a lot of big names are fighting against the California proposal, which would cover both online and offline data, a few noteworthy opponents are no longer actively financing the counterattack.
Facebook and Verizon both withdrew from the Committee to Protect California Jobs, an organization created to lobby against the California initiative, which has received money from Google, Comcast and AT&T.
Although the US generally takes a far more pro-business approach to consumer privacy than Europe, “data privacy concerns are mounting in the United States,” especially in the wake of the Cambridge Analytica scandal, said Arndt Groth, president of mobile ad exchange Smaato.
“We expect the GDPR to serve as a model for how the US government will enact new laws around data privacy,” he said, “and it’s only a matter of time before the drafting of these laws take place.”
But even if Californians don’t vote the proposal into law, its very existence is a harbinger of things to come, said Fatima Khan, chief privacy officer at Demandbase.
“Anything that gets introduced within California, whether it comes on the ballot or becomes a bill, sets the stage for what future legislation might look like,” she said. “California is one of the leaders for individual privacy. Don’t think of this in terms of what might be enacted, but rather as a baseline for what we might shift to in the future.”
Although the Association of National Advertisers (ANA) opposes the ballot initiative, which it sees as too restrictive, the ad industry trade org recognizes that what’s happening in California could be the US’s consumer privacy canary in the coal mine.
“California has such a substantial footprint that whatever happens there could have a significant impact everywhere else – it’s like the nation of California,” said Dan Jaffe, group EVP of government relations at the ANA. “For years, companies have been using the opt-out system for privacy, but they may not have that choice if the states or others start to force the issue.”
That group of “others” could include the completely new crop of commissioners at the Federal Trade Commission, who finally got settled into their posts in May. Privacy advocates are pushing the commission to take a far less laissez-faire stance to regulating tech companies than their predecessors.
Setting the world on fire
Beyond the US, regulators and lawmakers around the world have been rolling out their own consumer data privacy regulations, albeit to less fanfare than with GDPR.
GDPR-like privacy regulations already exist in China, South Korea, India, Singapore, Australia and Israel, and other “non-EU countries are already reviewing GDPR as a model for their own privacy legislation,” Groth said.
But not all of this action was motivated by GDPR. There’s been a global zeitgeist brewing around data collection and consumer privacy ever since the Edward Snowden revelations, Khan said.
“People increasingly want their privacy protected in some way,” she said. “One way they can get it is by making sure the companies with whom they share data don’t do it in a way they find offensive.”
But do consumers have the stamina to care about their privacy, at least in practice, for the long term? Transparency and control can become quickly onerous. Just look at the barrage of GDPR-triggered opt-in emails that clogged the world’s inboxes in the days leading up to May 25.
Opt-in fatigue will likely set in, but it’s also indisputable that the buzz generated by GDPR sparked global interest, Groth said. The global worm has started to turn, and the work has just begun.
“There will likely be a drop in consumer attention regarding data privacy – but this is far from over,” Groth said. “Don’t forget that the European Union is also looking to replace the current ePrivacy directive with a new regulation that will both clarify and enhance the GDPR.”