Jochen Runnenburg
Governance Consultant
18 October 2023
10 minutes reading time
In the era of big data, companies collect information like never before. Over the past decades, digitalization and information gathering have become a global phenomenon, driven by widespread access to technology, the interconnected nature of the internet, and the need for international collaboration and communication. This also means that, as a marketer, understanding how data privacy regulation differs between countries and continents is essential for legal compliance, market entry, consumer protection, risk management, and successful international business.
In this article, we break down the two major players in data privacy law: Europe with its General Data Protection Regulation (GDPR) and the United States with its patchwork of state-specific rules, notably the California Consumer Privacy Act (CCPA) and the recently amended California Privacy Rights Act (CPRA). By dissecting the key differences and similarities between these pieces of legislation, you will have a clearer overview of how to apply them to your digital strategy.
Introduced in May 2018, the GDPR applies to all EU member states and is designed to safeguard individuals’ privacy rights. It regulates the handling of any data that can identify an EU citizen, irrespective of where the data handler is located. In line with the European Union’s motto, all legal frameworks should strive for the highest possible level of uniformity. And don’t think you’re off the hook just because you’re not based in the EU: if you have EU customers, the GDPR applies to your business.
Compared to the European standard, the US lacks a comprehensive federal data privacy law. Federal laws such as HIPAA (healthcare) and GLBA (financial) exist, but they are sector-specific rather than all-encompassing like the GDPR. Instead, individual states are filling the void with a patchwork of laws. The most notable among them is California’s CCPA and its recent extension, the CPRA, effective as of January 2023. Other states are also jumping on the bandwagon, with eleven more having some level of data protection, and states like Colorado and Connecticut planning to roll out their own laws this year.
Despite the different structure of each legal framework, there are similarities across the pond between EU and US laws, which can be summarized as follows:
The biggest difference between the two legal frameworks lies in the requirements for consent. The GDPR requires businesses to obtain individual users’ consent before collecting, using, or sharing their personal data. In stark contrast, the CCPA and CPRA only require consent when users are below 16 years of age. The main points of divergence are:
In conclusion, the EU’s GDPR and the US’s fragmented CCPA and CPRA data privacy regulations share some common ground, but also differ substantially. These differences can become quite complex and challenging for companies operating in both markets.
For organizations operating in both markets, it’s crucial to understand these regulations deeply, not only to remain compliant but also to harness them for competitive advantage. Although understanding these laws is essential, it doesn’t have to be a headache. Investing in robust data governance tools and consulting compliance experts can help businesses navigate this complex terrain.
To that end, here is a short summary of the two legal frameworks.
| Criteria | GDPR | CCPA – CPRA |
|---|---|---|
| Scope | Businesses holding data of EU/EEA citizens | For-profit businesses that process personal data of Californians |
| Legal Basis for Processing | Explicit consent, legal obligation, etc. | No specific legal basis |
| User Rights | Right to access, delete, correct, etc. | Right to be informed, access, delete, opt out, etc. |
| Opt-In Necessary | Yes | Only for individuals below 16 years old |
| Age of Consent | 16 years (parental consent below 16) | 16 years (parental consent for ages 13–16) |
| Data Security | Strong measures; 72-hour breach notification | Reasonable measures; no specific time limit |
| Penalties | Up to €20 million or 4% of global turnover | Up to $7,500 per intentional violation |
Given that the CCPA and the CPRA were seen as pioneering efforts in US data privacy regulation, there have been discussions and proposals to expand privacy laws to other states. However, the landscape of privacy regulation in the United States remains complex and fragmented. There is also ongoing discussion at the federal level about enacting a comprehensive federal privacy law that would apply nationwide and potentially pre-empt state laws, creating a more consistent regulatory framework. But that is still very much under discussion.
Meanwhile, in the EU, the timeline for when the anticipated e-Privacy Regulation will come into force is still uncertain. The original plan was for it to be enforced in conjunction with the General Data Protection Regulation (GDPR), but various factors, including debates over specific provisions and the need for consensus among EU member states, have caused delays. For the GDPR itself, there are potential areas of change that might shift the focus of the legislation in the future. These include ongoing discussions about international data transfers, new AI technologies and AI ethics, consent requirements, and data breach reporting.
As with any legislative or regulatory change, this involves a lengthy process of negotiation before approval. As a marketer, it is therefore important to monitor regulatory sources, legal updates, and insights from data privacy experts and organizations.