Does the U.S. Need GDPR?

Have you been bombarded with updated terms of service lately? Is it a way for businesses to pre-empt the U.S. Congress from passing a national GDPR-type law? Is GDPR even needed in the U.S.?

But what’s really going on here? What’s the reason for the rush of new terms of service?

U.S. corporations may be going the GDPR route on their own.

Was it just the Facebook “breach”? Or are corporations—at least when it comes to consumers—going the GDPR route without a national set of rules that require breach notification, the right to erasure, the right to access and requirements for data portability? (See my November 2017 blog, How to Make It Easier to Comply with GDPR.)

Indeed, are B2C—and possibly even B2B—companies just trying to pre-empt federal legislators from creating GDPR-style rules throughout the United States? Or is it that companies are doing this because of GDPR and their desire not to segment their customers? I suspect the latter.

It's unlikely that Congress will pass GDPR-style regulations.

But for those companies that GDPR doesn’t apply to, I’m not sure they need to worry for now about federal GDPR legislation. In the current political environment, I don’t see the U.S. Congress passing regulations that mandate privacy and customer data access. With last year’s focus on health care and tax reform legislation—and this year’s focus on judicial nominees and the mid-term elections—it’s simply not a priority for most Congressmen and Congresswomen, and it’s not important to most Senators. And—sadly—it doesn’t appear important to their constituents.

There is an important relationship between data, privacy and the rights of consumers.

That may be because neither the public at large nor federal legislators are that technologically savvy. At least until the Russian meddling news of the past few months, they hadn’t internalized the relationship between data, privacy and the rights of consumers.

With the Facebook—Cambridge Analytica revelations (see my colleague Brian Johnson’s post on this), there’s now more interest in the relationship between data and privacy. It’s becoming a little bit more of a hot-button issue.

It makes business sense to protect customer data.

Add to the mix the very public breaches over the past two years from Target to Equifax to Yahoo, and it may not be Congress that acts, but that businesses, non-profits and state governments themselves act.

And while all those new terms of service may be the result of a degree of self-regulation, even self-policing, when it comes to data and privacy it’s very much in companies’ best interest to act ethically to protect people’s data. This doesn’t just mean from a dollars and cents perspective. There’s reputational damage to consider (see Facebook, Equifax, Target). In other words, it makes business sense to protect data and protect privacy.

Good privacy control is similar to good information governance.

At Doculabs, we see good privacy controls in the same light that we see good information governance. If the United States—unlike Germany, and many U.S. states—doesn’t have a privacy culture and if we’re inherently a more de-regulated political and business culture, then maybe we’ll see more organizations implementing their own forms of GDPR.

There is one problem: the morass of regulations that are inherent in a decentralized democracy. At last count, I found something like 37 state attorneys general looking at Facebook and data privacy. This could lead to one big mess, and it could be the single most important reason to agitate for federal regulations along the lines of GDPR.

Will individual state rules regarding privacy become too confusing for business?

However, most states are reluctant to put regulations in the fed’s hands. Some 32 state attorneys released a letter in April urging Congress to avoid preempting state data breach and data security laws.

One area where the plethora of state rules conflicts with federal standards is auto emissions and the battle between California with other states and the U.S. when it comes to pollution standards.

The auto emissions case is the opposite of “the lowest common denominator.” Cars sold in the U.S. tend to follow California standards. If companies default to the most stringent set of rules with regard to automobiles, then won’t the same happen when it comes to privacy and data?

Many of our clients that do business in Europe—or even participate in a supply chain that includes EU players—are conforming to GDPR standards.

I think the same forces are at play when it comes to data privacy in the United States. You could argue that those forces are already in play.


Rich Medina
Jim Polka
I’m a Principal Consultant. My expertise is in security-based information management and strategic deployment of ECM technologies.