Is the US Going to Get a Privacy Law Like GDPR? | FTI Consulting

Ask the Expert: Is the US Going to Get a Privacy Law Like Europe’s GDPR Anytime Soon?


Managing Director Paul Prior of FTI Consulting’s global insurance services practice answers the question multinational corporations are asking in light of recent cyber events.

Several high-profile cyber incidents in 2018 helped drive the ongoing debate over how U.S. corporations can better protect consumer online data. One was the alleged misuse of private data collected by social media networks and tech firms. Another was the sheer volume of personal data stolen by cyber criminals. By one account, the number of consumer records exposed by hackers reached into the billions.

The enactment of the General Data Protection Regulation (GDPR) in the European Union in May raised the issue of creating a similar law in the U.S. However, it’s not likely to happen anytime soon. While consumer outcry in Europe significantly contributed to the passage of the GDPR, Americans are far slower to raise their voices en masse; they view privacy as a constitutional right and are reluctant to cede control of their data to the government.

Still, that doesn’t mean that U.S. corporations should sit back and wait; developments in how Americans' private data is used are on the near horizon.

Changes Coming From the States

In November, Senator Ron Wyden (D-OR) issued a draft bill that expands oversight of the tech industry and imposes harsh penalties on large companies that violate rules related to the proposed regulations. Called the Consumer Data Privacy Act, the bill has features modeled after the GDPR, which, among other rules, requires that companies secure permission from consumers before sharing their personal data.

Getting such a bill through Congress in the current anti-regulatory climate is a long shot, to say the least. But its essence has support from the likes of Apple, Google, and Amazon, who understand that protecting user data is paramount to retaining trust in their services.

In June, California passed a digital privacy law that has elements similar to the GDPR. (In fact, it is informally referred to as “GDPR lite”.) The California Consumer Data Privacy Act, set to take effect in January 2020, requires companies to secure permission from consumers before sharing private data, allows users to opt out of a company’s terms of service without losing access to its offerings, and requires immediate notification of any data breaches.

States with major tech hubs such as Delaware and Utah are also in various stages of proposing their own consumer privacy acts.

Will Your Company Be Ready?

U.S. multinational corporations with an EU presence and in compliance with the GDPR will theoretically be most ready for these changes. Others will need to adapt. Until then, it’s simply good business for all corporations to work to protect the data they collect from consumers to the best of their ability. One upcoming measure can help in this regard: the 2019 Privacy Maturity benchmark from the International Association of Privacy Professionals (IAPP).

© Copyright 2019. The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.