In the run-up to the GDPR coming into force in Europe in May 2018, US organisations grappled with whether to change data protection practices and continue to do business throughout the world, or give up and move on to other ‘easier’ climes.
In fact, in the same month, The Financial Times reported that some small US companies had already made the decision to quit the EU rather than face the burden of trying to comply with stricter data protection regulations.
However, according to some commentators, it seems that this move may have been one of pointless delay rather than tactical retreat.
Following numerous high-profile data breaches and the uncovering of shady data-sharing practices, there is building evidence that the US will itself move towards GDPR-style regulation. As such, US organisations that already comply with European data protection regulations are positioning themselves as one step ahead in the inevitable march towards tighter regulation of personal information across the world.
So what’s the evidence that the US may be following in GDPR’s footsteps? Well, lawmakers at State level are already making their stance clear…
California as a test case?
In June 2018 the California Consumer Privacy Act was passed, and will come into force in January 2020. While not as stringent as GDPR, it will place responsibilities on businesses with over 50k customers in California to apply certain GDPR-like processes, and is seen as the first step towards a European-style statute in the US.
It seems that such law-making is welcomed by consumers – a profound shift in cultural attitudes that could well drive stricter controls.
In March 2018 Cambridge Analytica was exposed as being involved in harvesting private information from Facebook to aid political campaigning.
Following this and data breaches in other financial institutions, 94% of American consumers reported being generally concerned about their data and 57% said that the scandal made them even more concerned about their data privacy and security than they were before.
The Cambridge Analytica scandal fed US consumers’ growing distrust and concern around how businesses are using personal data. A global report on attitudes to data privacy showed that those in the US were the most concerned about online privacy, and the least happy with the amount of personal information organisations had access to.
Put simply – US consumers are becoming more aware and more concerned with how their data is used, and with every news story of data breach or misuse, this opinion hardens.
In fact, 68% said they would welcome similar GDPR laws in the US, to give individuals greater control over their data.
Of course, there are also those who argue that the US is far from following in Europe’s footsteps. With a powerful tech lobby active in the US’ halls of government, alongside the trials of getting any such complicated law through Congress, there are those who doubt that public attitude will spur stricter law-making in this area.
One key issue raised by those who are sceptical about a US GDPR is the lack of an effective agency to carry regulatory responsibility. Unlike the UK (which will retain GDPR post-Brexit), the US has no Information Commissioner’s Office, i.e. no single entity that can be charged with cross-sector data protection enforcement.
Can the US really function in a data-bubble?
Whether or not we will see the US adopt a stricter legislative stance on data protection, organisations cannot ignore the power of consumer perception or the effects of global responses to these concerns.
For example, Brazil’s General Data Protection Law, or GDPL, echoes much of the GDPR and gives organisations doing business there until 2020 to ready themselves for compliance. For ambitious US businesses seeking growth in global markets, does it really seem sensible to simply cut ties with countries, or indeed neighbouring States, that adopt stricter regulation?
Similarly, with consumer attitudes shifting across the globe, shouldn’t US organisations be considering the reputational benefit of being proactive in adopting fair and stringent data protection practices?
Many commentators go a step further and describe the business benefits GDPR compliance can have. From better, smarter data management and analysis to improved customer loyalty and better ROI on marketing, the benefits of being GDPR compliant by choice, rather than by force, are numerous.
US businesses could indeed wait to review their data protection culture until the law forces it. In doing so, however, they need to question whether their customers and partners will already have left them, and their business, far behind. When competition for customers is fierce, competitors will move in where they see weakness. With a spotlight now firmly on data protection as a measure of good business practice, you can be sure your competitors are seeking advantage.
Tenax are experts in cross-border compliance in data protection. Speak to our experts today about how your business can benefit from GDPR compliance – and how to get there.