Data Privacy Regulations: A comparative analysis of EU vs. US – What you need to know as a marketer.

Jochen Runnenburg

Governance Consultant

18 October 2023

10 minutes reading time

In the era of big data, companies collect information like never before. Over the past decades, digitalization and information gathering have become a global phenomenon, driven by widespread access to technology, the interconnected nature of the internet, and the need for international collaboration and communication. For a marketer, this means that understanding how data privacy regulation differs between countries and continents is essential: it affects legal compliance, market entry, consumer protection, risk management, and the success of international business relationships.

In this article, we break down the two major players in data privacy law: Europe with its General Data Protection Regulation (GDPR), and the United States with its patchwork of state-specific rules, notably the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), which amends and extends the CCPA. By dissecting the key differences and similarities between these laws you will have a clearer overview of how to apply them to your digital strategy.


European unification of laws vs. the American patchwork of laws

Applicable since 25 May 2018, the GDPR is designed to safeguard individuals’ privacy rights. It regulates the processing of any personal data, meaning any information relating to an identified or identifiable person, of individuals in the EU, irrespective of where the organization handling the data is located. Because it is a regulation rather than a directive, it applies directly and uniformly in all EU member states (and, through the EEA agreement, in Norway, Iceland and Liechtenstein), without each country having to pass its own implementing law. And don’t think you’re off the hook just because you’re not based in the EU: if you offer goods or services to people in the EU, or monitor their behaviour (for example through tracking and analytics), the GDPR applies to your business.

Compared to the European standard, the US lacks a comprehensive federal data privacy law. Sector-specific federal laws such as HIPAA (healthcare) and GLBA (financial services) exist, but they are not all-encompassing like the GDPR. Instead, individual states are filling the void with a patchwork of laws. The most notable is California’s CCPA and its extension, the CPRA, which became operative on 1 January 2023. Other states are following: eleven more have some level of data protection law on the books, and the comprehensive privacy laws of Colorado and Connecticut took effect in July 2023.


Shared Goals but Different Paths

Despite the different structure of each legal framework, there are similarities between the EU and US laws, which can be summarized as follows:

  • Transparency is king: Both the GDPR and state-specific US laws like the CCPA require companies to be transparent about their data usage and to inform users what is being done with their information, typically through a privacy notice.
  • User rights: Both sets of laws give people rights over their data, including the right to access and delete it.
  • Global reach: Both the GDPR and the CCPA apply to organizations outside their jurisdictions. This extraterritoriality means that regardless of where your company is located, if your business processes the data of EU or California residents you need to play by their rules.
  • High price for slip-ups: Breaking these rules is expensive. The GDPR allows fines of up to 4% of annual global turnover or up to 20 million euros, whichever is higher. Violations of the CCPA/CPRA can cost up to $2,500 per violation and up to $7,500 per intentional violation (or per violation involving the data of a consumer under 16), and these are counted per affected consumer.


Where They Part Ways

The biggest difference between the two legal frameworks lies in the role of consent. The GDPR requires a lawful basis for every processing operation before personal data is collected, used, or shared; consent is one of six such bases (alongside contract, legal obligation, vital interests, public task and legitimate interests), and where you rely on it, it must be freely given, specific, informed and unambiguous. In stark contrast, the CCPA and CPRA follow an opt-out model: businesses may collect and use personal data without prior permission, but consumers can opt out of the sale or sharing of their data, and opt-in consent is required only for selling or sharing the data of consumers under 16. The main diverging points are:

  • Requirements of consent: In Europe, you need a lawful basis, and in practice often explicit opt-in consent (for example for non-essential cookies and marketing e-mail), before you can collect or use someone’s data. In the US it is not as stringent: consent is required only for minors, and adults must be given a way to opt out.
  • Data transfers: The GDPR restricts transfers of personal data outside the EU/EEA to countries that lack an EU adequacy decision, which has made transfers to US providers a recurring problem: the Court of Justice of the EU invalidated Safe Harbor in 2015 and Privacy Shield in 2020, leaving companies to rely on standard contractual clauses and transfer impact assessments until the EU–US Data Privacy Framework adequacy decision of July 2023. The US imposes no comparable restriction on sending Americans’ data to the EU.
  • National variations: The GDPR leaves member states room to set their own rules in some areas (the age of digital consent, for example, ranges from 13 to 16 across the EU), so countries such as France and Germany add national requirements on top of the regulation. If you operate in several European countries you need to check each one, which adds a further layer of complexity.


What does this mean for you

In conclusion, the EU’s GDPR and the fragmented US landscape of the CCPA, CPRA and other state laws have some common ground, but also substantial differences. These can become quite complex and challenging for companies operating in both markets.

For organizations operating in both markets, it’s crucial to understand these regulations deeply, not only to remain compliant but also to harness them for competitive advantage. Although understanding these laws is essential, it doesn’t have to be a headache. Investing in robust data governance tools and consulting with compliance experts can help businesses navigate this complex terrain.

For this, we have provided a short summary of the two legal frameworks.

Criteria                    | GDPR                                                        | CCPA – CPRA
----------------------------|-------------------------------------------------------------|---------------------------------------------------------------
Scope                       | Any organization processing personal data of individuals    | For-profit businesses that process personal data of California
                            | in the EU/EEA, wherever the organization is located         | residents and meet revenue or data-volume thresholds
Legal basis for processing  | Required: one of six lawful bases (consent, contract, legal | None required; opt-out model
                            | obligation, vital interests, public task, legitimate        |
                            | interests)                                                  |
User rights                 | Access, rectification, erasure, restriction, portability,   | Right to know/access, delete, correct, opt out of sale or
                            | objection, etc.                                             | sharing, limit use of sensitive data, non-discrimination
Opt-in necessary            | Yes, where consent is the lawful basis relied on            | Only for selling or sharing data of consumers under 16
Age of consent              | 16 by default; member states may lower it to 13 (parental   | 16 (consumer’s own opt-in at 13–15; parental consent under 13)
                            | consent below the threshold)                                |
Data security               | Appropriate technical and organizational measures; breach   | Reasonable security measures; breach notification governed by
                            | notification to the supervisory authority within 72 hours   | California’s separate breach law, with no fixed deadline
Penalties                   | Up to €20 million or 4% of global annual turnover,          | Up to $2,500 per violation; up to $7,500 per intentional
                            | whichever is higher                                         | violation or violation involving minors


What to expect in the future

Although the CCPA and the CPRA were seen as pioneering efforts in US data privacy regulation, there have been discussions and proposals to expand privacy laws to other states. The landscape of privacy regulation in the United States nevertheless remains complex and fragmented. There is also ongoing discussion at federal level about enacting a comprehensive federal privacy law that would apply nationwide and potentially pre-empt state laws, creating a more consistent regulatory framework. But that is still very much under discussion.

Meanwhile in the EU, it is still uncertain when the anticipated ePrivacy Regulation will come into force. It was originally planned to apply from May 2018 alongside the GDPR, but debates over specific provisions and the need for consensus among EU member states have caused repeated delays. For the GDPR itself, there are areas where the focus of the legislation may shift in the future, including ongoing discussions about international data transfers, new AI technologies and AI ethics, consent requirements, and data breach reporting.

As with all legislation and regulation, this is a lengthy process subject to negotiation before approval. As a marketer it is therefore important to monitor regulatory sources, legal updates and insights from data privacy experts and organizations.


Contact us

Curious about how we could help you? Please feel free to get in touch. We'd love to hear about your data and how you're using it within your organization.