top of page

Why The United States Still Struggles with Data Protection Regulation

Updated: May 16, 2023

Data Protection Regulation

The US is infamous for a glaring lack of comprehensive data protection regulations when it comes to consumer data protection.

Public outcry and increasingly advanced cybercrime had already resulted in the developing of the General Data Protection Regulation (GDPR), touted as the world’s most complete data security law.

The GDPR has sweeping control over the processing of personal data by public and private entities. What’s more, it has much broader definitions of personal data.

Aside from names and addresses, the GDPR defines every data that could identify a person as personal data in the present or future.

Only citizens from the European Union benefit from the comprehensive data protection provided by GDPR.

The regulation applies to public and private entities outside the EU, provided they offer goods or services to people living in their jurisdiction.

Non-compliance is often met with steep penalties of up to 20 million euros or 4% of the company’s global revenue, depending on which is higher. There are only six specific guidelines for lawful data processing, detailed in Article 6.

Apart from penalties, GDPR empowers data subjects to take legal action or receive compensation for damages.

In stark contrast to the EU’s well-executed data protection regulation, data protection in the US is governed by multiple laws typically segmented into specific industries.

While states like Utah are making serious progress in data protection regulation, many entities in the US remain highly irregulated and free to process consumer data as they please.

Utah will soon pass legislation to give consumers access to their personal information and control how companies handle it. This could start as soon as the last day of 2023.

Utah will join three other states that have already passed similar statutes: Colorado, Virginia, and California.

The new law would allow consumers full rights to access, transfer, and delete their data and opt-out of the sale of their personal information for personalized advertising.

While these laws show tremendous progress in the right direction, US data protection laws are still a long way from the efficiency and comprehensiveness of the GDPR.

For instance, only the attorney general can enforce a statute on non-compliant entities, something that the GDPR leaves entirely to the consumer.

It does not help that the remaining data protection laws in the US are largely segmented into industries, such as the Health Insurance Portability and Accountability Act (HIPPA), which was passed in 1996 to protect sensitive patient data from disclosure without the knowledge and express consent of the patient.

The body with the broadest privacy authority in the US is the Federal Trade Commission (FTC). However, its jurisdiction is limited to companies practicing interstate commerce, which does not include financial institutions and network carriers.

The FTC also adopts a different approach when regulating data protection. Unlike the two-tier fine system of the GDPR, the FTC seeks settlements from large corporations to deter misconduct.

In 2019, the body settled with Facebook for $5,000,000,000 after the corporation violated an FTC order.

While settlements of such magnitude are enough to deter large corporations, the FTC still has a lot of gaps through which small businesses and entities, particularly those that don’t operate in interstate commerce, can fall through and remain unregulated.

Compared to countries outside the EU, the US is still far from meaningful data protection regulations. Canada, for example, passed the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000, and despite limiting its jurisdiction to private commercial enterprises, the EU considers it to be adequate.

South Africa, South Korea, Israel, and Argentina have similar data protection regulations.

Data protection will only grow in importance, and more governments will pass legislation to protect their citizens’ personal information.

Comprehensive protection merely entails giving individuals control over the handling, sharing, and selling of their personal information.

While a chunk of the world is largely ahead of the US in data protection, solutions are not beyond reach. By expanding the jurisdiction of the FTC or allowing states to create their own data protection statutes, the US can attempt to replicate the level of protection currently provided by the GDPR.

Nevertheless, it is too hopeful to expect uniform regulation akin to the GDPR at the federal level in the US. Data protection is yet to kick off in the majority of the United States fully.

bottom of page