48 Years of Impactful Scholarship

ILJ Online

ILJ Online is the online component of Fordham International Law Journal.

Unifying US Data Privacy Protection: A Proposal Inspired by the EU’s GDPR

Data privacy protection in the US has become a medley of state and federal laws. Many EU countries adopted the General Data Protection Regulation (“GDPR”) in 2018, which provides a comprehensive body of law regulating data protection.[1] The US would greatly benefit from adopting a similar federal law preempting the confusing landscape that is the country's current data protection scheme. For example, such a law could provide a consent clause similar to the GDPR's, under which corporations incur major fines in the absence of consumer consent,[2] streamline corporate obligations regarding data privacy through federal preemption,[3] and enhance international cohesion by keeping regulations more in line with those of EU countries.[4]

Under the GDPR, data privacy protection provides key rights such as the right to access, the right to data portability, and the right to erasure.[5] A consistent and generalized law makes it exponentially easier for corporations to manage and understand the rights they have available to them, because it preempts the confusing mess that would come about were each country to regulate individually. Additionally, it eases the strain on corporations that interact internationally or have an internet presence, which would otherwise have to balance the rules and regulations of many countries simultaneously.

The GDPR also imposes fines on those corporations which fail to obtain consent from consumers prior to data sharing.[6] Fines can exceed 20 million euros and create real incentives for corporations to avoid illegal data sharing by making it far riskier.[7] The imposition of fines rightly shifts the burden of understanding complex legal frameworks onto the major corporations, as opposed to consumers who sit at an extreme informational disadvantage.

The US, on the other hand, employs a mixture of state and federal laws over data privacy, which understandably causes much confusion. Some of the rights included in the GDPR are reflected in state-specific protection schemes such as the California Consumer Privacy Act (“CCPA”), where the “right to know” and the “right to delete” headline the important delineated rights.[8]

State laws often conflict with each other, making them quite difficult to navigate.[9] There are a variety of state laws like the California Privacy Rights Act (“CPRA”) and the CCPA.[10] There are also certain federal regulations such as the Health Insurance Portability and Accountability Act (“HIPAA”) and the Children's Online Privacy Protection Act (“COPPA”),[11] each of which covers portions of data protection. An abundance of laws creates more room for confusion based on their different requirements. The patchwork-like state in which US privacy protection exists is extremely inefficient and will certainly pose more problems as technology continues to advance.

The US can swiftly solve many of its data protection issues merely by creating a general federal scheme to preempt each of the state laws and streamline a uniform set of regulations.[12] Even more easily, and solving the international interaction problem, the US can simply adopt the GDPR itself. Recently, there has been a move by many states toward comprehensive data protection schemes. “In 2023, eight states have enacted comprehensive consumer privacy laws: Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee and Texas”.[13] Although it certainly provides clarity within the borders of each state to have comprehensive laws, that doesn’t solve the issue of states having conflicting laws. That problem might only be solved by having federal law preempt state laws on this matter similar to, or exactly the same as, the way the EU employs the GDPR.[14]

As it stands, it is quite frustrating and expensive to comply with GDPR requirements as a US corporation looking to interact not only across state lines, but with the European market as well.[15] A GDPR-like scheme would serve to simplify those relationships and make it easier for both sides (the EU and the US) to provide legislation aimed at fostering further interactions.

Joseph Leventer is a staff member of Fordham International Law Journal Volume XLVIII.

[1] Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, General Data Protection Regulation (GDPR), 2016 O.J. (L 119) 1.

[2] GDPR Penalties and Fines, IT Governance, https://www.itgovernance.co.uk/dpa-and-gdpr-penalties#:~:text=The%20EU%20GDPR%20sets%20a,lead%20to%20data%20protection%20fines (last visited Nov. 27, 2024); GDPR Fines and Penalties: What You Need to Know to Avoid Costly Mistakes, GDPR Advisor, https://gdpradvisor.co.uk/gdpr-fines-and-penalties (last visited Nov. 27, 2024).

[3] Cameron F. Kerry, John B. Morris, Jr., Caitlin T. Chin, & Nicol E. Turner Lee, Bridging the Gaps: A Path Forward to Federal Privacy Legislation, Brookings Inst. (June 2020), https://www.brookings.edu/wp-content/uploads/2020/06/Bridging-the-gaps_a-path-forward-to-federal-privacy-legislation.pdf.

[4] Chris Singlemann, GDPR US Equivalent: How the US and EU Compare on Data Privacy Laws, Thoropass, https://thoropass.com/blog/compliance/gdpr-us-equivalent/ (last updated Feb. 12, 2024).

[5] Rights of the Individual, European Data Protection Supervisor (July 11, 2024), https://www.edps.europa.eu/data-protection/our-work/subjects/rights-individual_en#:~:text=The%20GDPR%20has%20a%20chapter,decision%20based%20solely%20on%20automated

[6] GDPR Fines and Penalties, supra note 2.

[7] Id.

[8] California Consumer Privacy Act (CCPA), Cal. Dep’t of Just., https://oag.ca.gov/privacy/ccpa (last updated Mar. 13, 2024).

[9] Bridging the Gaps, supra note 3, at 17.

[10] CCPA and CPRA, Int’l Association of Privacy Profs., https://iapp.org/resources/topics/ccpa-and-cpra/ (last visited Nov. 27, 2024).

[11] See 45 C.F.R. § 164 (2024); see also 16 C.F.R. § 312 (2024).

[12] Bridging the Gaps, supra note 3, at 16.

[13] Heather Morton, 2023 Consumer Data Privacy Legislation, Nat’l Conf. of State Legislatures, https://www.ncsl.org/technology-and-communication/2023-consumer-data-privacy-legislation (last updated Sep. 28, 2023).

[14] Bridging the Gaps, supra note 3, at 16.

[15] GDPR Compliance in the US Versus the Rest of the World: Key Differences and Challenges, Deselect, https://deselect.com/blog/gdpr-compliance-in-us-vs-europe/ (last visited Dec. 6, 2024).

This is a student blog post and in no way represents the views of the Fordham International Law Journal.