Data Privacy in the United States of America

Jack G
Oct 14, 2022

Data privacy is a big issue across the world, but as of 2022 it is a much larger issue within the United States of America.

The GDPR

People residing in countries in the European Union have the GDPR (General Data Protection Regulation). The GDPR “is the toughest privacy and security law in the world” according to the EU on their website, gdpr.eu. It states that personal data may not be processed unless there is a legal reason to do so. At least one of the following conditions must be met:

  1. If the user has given consent to the processing of their personal data,
  2. To fulfill contractual obligations with the user,
  3. To comply with a data controller’s legal obligations,
  4. To protect the vital interests of the user or another individual,
  5. To perform a task in the public interest or in official authority,
  6. For the legitimate interests of a data controller or a third party.

All of the above are legal reasons when the data controller, the processor, or the user is in the European Union (even if they are just visiting), unless any of these reasons are overridden by the interests of the user or their rights according to the Charter of Fundamental Rights, especially in the case of children.

The CCPA

However, on average, most residents of the United States are not also residents of a country within the European Union (even if they might be eligible for citizenship status), which limits the rights we have to our own data to effectively nothing, unless you are a resident of California. In that case you have protections under the CCPA (California Consumer Privacy Act), which gives the following rights to residents of California:

  1. The right to know about the personal information collected on you,
  2. The right to delete the information collected (with exceptions),
  3. The right to opt-out of the sale of your personal information,
  4. The right to non-discrimination for exercising your CCPA rights.

CCPA vs GDPR

However, not all laws are created equal. There are key differences between the CCPA and the GDPR. The GDPR is much broader in its requirements, so more companies and individuals fall within the law’s scope. The CCPA limits its protections strictly to residents of California and for-profit businesses based in California. These businesses must also meet one of these three requirements: have an annual revenue of at least $25,000,000, handle the personal information of more than 50,000 consumers, or derive 50% or more of annual revenue from selling consumer personal information.

The Future of Data Privacy Laws

Both the GDPR and CCPA are steps in the right direction for data privacy, so why has the rest of the United States not followed suit with nationwide privacy protection for its citizens?
