Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
The European Union’s (EU’s) General Data Protection Regulation (GDPR) is a consumer
data protection law which covers all companies which do business in the EU or with EU
citizens.1 The law compels those companies which collect information on Europeans to give their
users broader discretion in the kinds of data they can collect and keep. Google ran afoul of the
GDPR by failing to adequately disclose how it uses personal data to send out targeted
A data privacy law similar in scope and breadth to the GDPR is needed in the U.S.
Currently, there is “no single, comprehensive federal law regulating the collection and use of
personal data.”3 There are numerous federal laws that deal with consumer privacy, but there is no
single agency or process established for individuals to raise privacy violation claims like under
the GDPR. Many states have their own privacy laws, only some of which are preempted by
federal laws, which further confound the regulatory space. The U.S. should adopt its own
equivalent to the GDPR because this current mish-mash of regulation is inconsistent and
The first reason why the federal government should adopt a law similar to the GDPR is
because the current consumer data privacy regime, constituted by a mosaic of federal and state
laws, is inconsistent. This inconsistency is a problem for both consumers and businesses. It can
be difficult for consumers to understand and assert their rights because there is no one standard
for data privacy across services and jurisdictions. For example, privacy rights are more stringent
1
Hern, “What is the GDPR and How Will It Affect You?”
2
Satarino, “Google is Fined $57 Million Under Europe’s Data Privacy Law”
3
Ieuan Jolly and Loeb & Loeb, “Data protection in the United States: overview”
Paper 3
in healthcare, where the federal Health Insurance Portability and Accountability Act of 1996
(HIPAA) governs, than in the terms of use for social media websites, in which there is no single
regulatory scheme, even though individuals have a vested privacy interest in both their health
information and their social media use.4 Businesses also suffer from this inconsistency. Just as
the inconsistency in state and federal privacy laws may be confusing to individuals, they can also
prove confusing to businesses who face repercussions for noncompliance.5 Take data privacy
breach laws, for example, which create requirements for how soon companies have to publicly
disclose that they have been hacked and that their customers’ privileged data has been released
as an example.6 States can set their own reporting requirements, creating a race to the bottom as
each state outdoes the others by setting stricter standards. While companies may be in
compliance in one state, that does not assure they will be in compliance in another state.
One might hope that this patchwork of privacy laws, with all their redundancies, creates
strong privacy protections for consumers. But this is not the case. Because there is no single law
which protects consumer privacy, there is also no single enforcement method for making sure
that violations don’t happen in the first place. The federal government’s consumer privacy beat
cop, the Federal Trade Commission (FTC), was never designed with protecting consumer
privacy in mind. The FTC therefore suffers from a lack of jurisdiction and resources to actually
enforce the FTC Act.7 For consumers to be better protected, regulatory enforcement needs to be
more systematic.
Advantages
4
Findlaw, “Social Media Privacy Laws”
5
O’Connor, “Reforming the U.S. Approach to Data Protection and Privacy”
6
Embry, “State Data Breach Notification Laws Just Got Even Crazier”
7
Confessore and Kang, “Facebook Data Scandals Stoke Criticism That a Privacy Watchdog Too Rarely Bites”
Paper 3
State privacy laws provide a great advantage for residents of states that adopt them by
ensuring better and more up-to-date data privacy protections. California, for example, recently
passed its own comprehensive consumer privacy law which is modeled on the GDPR.8 Residents
of that state will benefit by having the rights to opt-out of having their data sold to third-parties
and to request that their personal information be deleted at any time. Allowing states to enact
sweeping consumer privacy laws where the federal government has failed ensures that
Americans who greatly care about their privacy have their interests met. State policy may also
serve as a model for future federal consumer privacy reform, as states often act as the
“laboratories of democracy.”9 Theoretically, states can preview new consumer privacy policies
Disadvantages
However, while the states may make fine laboratories in other policy experiments, they
are not well suited to fill that role for data privacy regulation. As I have already stated, the
patchwork of privacy laws in the U.S. make it harder for companies to remain in compliance.
This lack of a universal standard means that some companies with inevitably take the risk of
being in noncompliance, potential risking user privacy and the consumers’ rights. But the
objection to state consumer privacy regimes is not just practical—it’s fundamentally an issue of
federalism. Interstate consumer protections typically fall under the province of the federal
government. The Commerce Clause exists to allow the federal government to harmonize
interstate trade for the economic benefit of the nation. Indeed, the first draft of the Commerce
Clause presented at the Constitutional Convention read that Congress could “legislate in all
8
McCreary, “The California Consumer Privacy Act: What You Need to Know”
9
Wiseman and Owen, “Federal Laboratories of Democracy”
Paper 3
cases…to which the States are separately incompetent, or in which the harmony of the United
While allowing state legislatures to create their own privacy laws may seem democratic,
it can actually undermine democracy at the national scale. Highly populous states like California
could end up setting national privacy standards as companies rush to ensure compliance with its
laws, effectively preempting the laws passed by other state legislatures. California consumers
may have different concerns and interests than consumers in other states, and the California
legislature can certainly not be said to represent the country as a whole. Consumer privacy
regulation is clearly an area where the federal government, and not the states, must reign
supreme.
GDPR’s Shadow
Formally, GDPR only protects EU citizens, but because the EU makes up a great deal of
the global market share, companies have found it easier to update their privacy policies
worldwide, so Americans have also benefitted from updated privacy policies issued by
international firms. And because nearly all companies have an online presence, even companies
which do not intentionally do business in Europe could have to comply with GDPR if their
websites collect information on the users who visit them.11 Therefore, while the GDPR is a
European law, it is effectively international in scope. That being said, Americans lack access to
the enforcement methods European citizens have in their countries. GDPR requires that member-
states create enforcement regimes domestically to facilitate complaint processes for alleged
violations of the law. Neither the FTC or any other U.S. agency is empowered to do the same in
10
Barnett and Koppelman, “Interpretation: The Commerce Clause”
11
Faitelson, “Yes, the GDPR Will Affect Your U.S.-Based Business”
Paper 3
the U.S. The GDPR may therefore spur international corporations to be more privacy conscious,
Bibliography
Barnett, Randy E., and Andrew Koppelman. "Interpretation: The Commerce Clause." The
https://constitutioncenter.org/interactive-constitution/interpretations/section8-
commerce.
Confessore, Nicholas, and Cecilia Kang. "Facebook Data Scandals Stoke Criticism That a
Privacy Watchdog Too Rarely Bites." The New York Times. Last modified March
ftc.html.
Embry, Stephen. "State Data Breach Notification Laws Just Got Crazier." American Bar
https://www.americanbar.org/news/abanews/publications/youraba/2016/may-
2016/state-data-breach-notification-laws-just-got-crazier/.
Faitelson, Yaki. "Yes, The GDPR Will Affect Your U.S.-Based Business." Forbes. Last
https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-
your-u-s-based-business/#46ef5ccc6ff2.
Findlaw. "Social Media Privacy Laws." Findlaw. Accessed March 15, 2019.
https://consumer.findlaw.com/online-scams/social-media-privacy-laws.html.
Paper 3
Hern, Alex. "What is GDPR and How Will It Affect You?" The Guardian. Last modified
gdpr-and-how-will-it-affect-you.
Ieuan Jolly, and Loeb & Loeb. "Data protection in the United States: overview." Westlaw.
0467?transitionType=Default&contextData=(sc.Default)&firstPage=true&bhcp=1.
McCreary, Mark G. "The California Consumer Privacy Act: What You Need to Know." New
https://www.law.com/njlawjournal/2018/12/01/the-california-consumer-privacy-act-
what-you-need-to-know/.
O'Connor, Nuala. "Reforming the U.S. Approach to Data Protection and Privacy." Council
https://www.cfr.org/report/reforming-us-approach-data-protection.
Satariano, Adam. "Google Is Fined $57 Million Under Europe's Data Privacy Law." The
https://www.nytimes.com/2019/01/21/technology/google-europe-gdpr-fine.html.
Wiseman, Hannah J., and Dave Owen. "Federal Laboratories of Democracy." SSRN