Data privacy laws are spreading quickly across U.S. states, as over a dozen legislatures have passed comprehensive bills. The first of these was the California Consumer Privacy Act (CCPA), but the law that really got the ball rolling was the European Union’s General Data Protection Regulation (GDPR).
The GDPR is generally considered the most comprehensive data privacy law currently in force, and can easily apply to businesses outside of Europe. Companies that already have a grip on U.S. data privacy laws may be wondering how GDPR compliance is different, or vice versa.
Here are some of the biggest differences between the GDPR and U.S. data privacy laws.
Anyone who has visited a GDPR-compliant website will be familiar with the cookie consent banner, i.e., a pop-up that allows you to accept or reject cookies. It has become such a hallmark of privacy compliance that many people are surprised to learn these banners are not required by U.S. privacy laws.
Cookie consent banners are actually required by a separate European law known as the ePrivacy Directive. The ePrivacy Directive requires website operators to gather consumer consent before utilizing cookies and other tracking technologies, unless they are “strictly necessary” for the functioning of the website. The GDPR then provides rules about how that consent must be collected, including prohibiting the use of “dark patterns” designed to influence consumer choice (for example, making the “accept” button more brightly colored).
U.S. privacy laws do not require these consent banners (in most cases). Cookies and trackers are considered personal information, and therefore fall within the scope of those laws, but U.S. privacy laws generally follow an “opt-out” model rather than an “opt-in” model. That means businesses don’t have to collect prior consent from consumers as long as their data practices are adequately explained in a privacy notice, but they do have to offer an opportunity to opt out of certain practices. There is an important exception, though: many state laws require businesses to collect prior consent before processing “sensitive information,” which includes any personal data from a known child.
International data transfers have emerged as one of the thorniest issues in GDPR compliance. The law prohibits the transfer of personal data to a “third country” (i.e., any country outside of the European Economic Area and UK) unless that country has been deemed by the EU to have adequate privacy protections in place. The United States is not one of those countries, which has caused businesses on both sides of the Atlantic all sorts of problems. (To learn more about this, read our article on the Data Privacy Framework, which promises to streamline transfers to the U.S.)
U.S. privacy laws have no such restrictions. While this may be due at least in part to the fact that these are state laws with limited scope, even proposed federal privacy legislation does not restrict international data transfers. The result is a significantly lower regulatory burden.
The GDPR applies to any processing of personal data of individuals within the EEA/UK, with the limited exception of activity that is purely personal. Everything else is covered, including HR data. That means businesses must treat employees and job applicants as they would website visitors and customers. This includes allowing these individuals to submit privacy requests, such as to access or delete their personal data.
Most U.S. privacy laws take a different approach. They define “consumers” as people acting only in an individual or household capacity, and specifically exclude the employment and commercial contexts. HR data is therefore entirely exempt.
The exception to this rule is California. The CCPA had a temporary exemption for B2B and employee data, but that exemption expired at the beginning of 2023. CCPA-compliant businesses with employees in California must make full privacy disclosures to those employees and allow them to exercise their CCPA rights.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.