US vs EU Data Privacy Laws
Updated: Aug 28, 2020
Amidst the Facebook ad boycott and potential TikTok ban, brands and advertisers alike are wondering what this means for user privacy, and how US advertising will be affected with fewer targeting metrics in play.
How do the US and EU Compare When it Comes to User Privacy Laws?
Europe: The GDPR
User privacy laws are not equal worldwide. The European Union put in place one of the toughest data privacy laws in the world in 2018, the General Data Protection Regulation (GDPR). The law, among other provisions, gives people in Europe the right to obtain the personal data that companies have on them, and has allowed European users to have a stronger say over how companies use their information -- a sweeping right to data access that Americans don’t have.
The GDPR also meant that non-EU countries, or companies looking to move European users’ data abroad, would have to ensure an equivalent level of protection to the strict European data laws. This becomes a massive burden for multinationals, given how they transfer huge sets of data all over the world.
United States (California): the CCPA
There is no national US privacy law equivalent to the EU’s GDPR. However, California became the first U.S. state with a comprehensive consumer privacy law when it enacted the California Consumer Privacy Act (CCPA). Since then, only 2 other US states have signed user data privacy laws: Maine and Nevada. With growing media attention and public awareness paid to personal data privacy, the CCPA is likely going to be the benchmark the rest of the country reaches towards moving forward, so it is the law we will be looking at here.
EU's GDPR vs. California's CCPA: What's the difference?
For simple reference, we've put together this detailed chart comparing the two laws.
There is good news for companies that have complied with the GDPR: 90 percent of their preparations will help them comply with the CCPA.
Who has to adhere to it.
The GDPR requires that all handlers of EU data (i.e. data processing centers, data controllers, etc.) follow the regulations outlined by the law. California's CCPA, on the other hand, applies only once an organization reaches certain size thresholds: a company "that earns $25 million in revenue per year, sells 50,000 consumer records per year, or derives 50% of its annual revenue from selling personal information." This makes the GDPR much more comprehensive in who has to follow the rules it outlines.
The information protected.
Though the two definitions are substantially similar, the CCPA definition also includes information linked at the household or device level.
How Anonymous, De-identified, Pseudonymous, or Aggregated Data is handled.
The CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose consumer information that is de-identified or aggregated. However, the CCPA establishes a high bar for claiming data is de-identified or aggregated. Under the GDPR, pseudonymous data is still considered personal data, while anonymous data is not.
The right to rectify data, object or restrict processing, and opt out of automated decision-making.
The CCPA outlines no regulation on how to handle these requests from individuals. The GDPR, however, allows individuals to correct their personal information, to object to or restrict processing of their own personal data, and to opt out of automated decision-making.
The CCPA outlines set fines of $100 - $7,500 per incident depending on severity, while the GDPR states "EUR 20 million or 4% of annual global revenue, whichever is highest." Though the two laws differ substantially in scope and in how fines are measured, civil or private violations may result in significant economic liability under either, with the GDPR carrying the more severe consequences.
CCPA Compliance: Is the Ad Industry Prepared?
Nearly a third (29 percent) of 1,500 professionals who responded to a recent survey by TrustArc, a compliance and risk management vendor, reported they have just started preparing for the CCPA. The survey found more than 20 percent of respondents said they either did not know or were unlikely to be compliant with the law by July 1. Just 14 percent of respondents said they have completed their CCPA compliance.
Enforcement for the CCPA began on July 1 of 2020, amidst the complications of the coronavirus pandemic. California Attorney General Xavier Becerra has stated the pandemic will not impact enforcement of the law, despite a request by more than 60 business groups to push the enforcement date back to Jan. 1, 2021.
“The safest thing to be is a zebra in a herd of zebras,” said Dan Clarke, president of IntraEdge. “You’ve got to show your company has made an effort to comply. The last thing they want to see is that you’ve done nothing.”
"Big Data users are a likely target," says Shelton Leipzig, a privacy and cybersecurity attorney. "Any company or industry that sorts and analyzes large data subsets could be asked to prove how they protect consumers’ privacy. Areas of interest within Big Data include predictive analysis, business intelligence, Software as a Service (SaaS), and facial recognition, among others."
How Have the Laws Affected Marketers?
Europe: The GDPR
While becoming and remaining compliant with GDPR is a major challenge, there are silver linings. Thinning email lists to target only users who expressed interest through a double opt-in and offered their explicit consent has paid off: email open rates and click-through rates have both increased substantially since 2014, by 19% and 14% respectively, according to Acoustic’s 2019 Marketing Benchmark Report.
According to eMarketer, the legislation has also “nudged programmatic advertisers to shift spend from open exchange to private marketplace; prodded advertisers to use less third-party data for ad targeting; contributed to an increased adoption of consent management platforms (CMPs); led publishers to hire data protection officers and shut off open exchanges; drove EU publishers to purge ad trackers; drove US publishers to block European traffic and cut off EU ad exchanges; and led marketing tech vendors to pull out of Europe out of concern over being fined.”
United States (California): the CCPA
The CCPA is less about user consent and more about giving users the ability to request and access the personal data that a company may have on them, and California has yet to see any significant CCPA compliance campaigns. Compliance began in January of 2020 with enforcement starting in July, so many companies have consequently updated their privacy policies. But there has been a noticeable difference in the explicit user awareness.