A look at how the GDPR model would fit with state laws and the needs of American businesses and consumers
The European Union's General Data Protection Regulation (GDPR) has become the world's gold standard for user privacy and breach disclosure regulation. It affects any business around the world that processes or stores the personal data of individuals resident in any EU country. It specifies standards for protecting that data, punitive penalties for mishandling it, and stringent rules for the disclosure of its loss, and it assures EU citizens certain rights and protections for their personal data.
Its purpose is to provide a single privacy regulation across the whole of the union, so that international business would no longer face differing regulations in Finland from those in Germany, and different regulations in France from those in the U.K. In this sense, it is a European equivalent of U.S. federal law that encompasses the whole of the United States.
But the United States does not have a federal privacy law, and national businesses face the same problem Europe had before GDPR: different rules in different states. It is time to ask whether the U.S. needs an overriding federal privacy law.
U.S. state laws
American states have noted the privacy afforded to citizens by GDPR and are implementing their own legislation. Texas, Nevada and Washington are among those that have done so, with Rhode Island, Massachusetts and New York considering it.
They are more directly inspired by the California Consumer Privacy Act (CCPA), which in turn is i ..