Is It Time For GDPR-Like Regulation in the U.S.?

Recent data breaches have created a backlash from U.S. consumers who are highly concerned about the collection of their personal data and what companies are doing with it.

These cracks in the system, carved by a steady stream of revelations of data sharing or breaches at retailers, credit monitoring companies and social media platforms, have widened the gap of distrust in American brands. They have also marshaled powerful social media campaigns to try to prevent them from happening again.

In 2017 alone, these security weaknesses exposed the data of 179 million people. So, it’s no wonder 41% of respondents in a recent survey said they enter false information when signing up for any service online because they do not trust what it will be used for.

While many American companies already have privacy policies in place, a recent global data privacy report ranked the U.S. behind China and Russia as the least trusted country with regard to respecting the rights its consumers have to privacy. It’s important to note that both China and Russia are communist countries, where citizens naturally expect limited to no privacy. Therefore, ranking this low is a strong signal that we are poised for change.

Given our government’s investigations into recent fiascos like the ones above, it will be only a matter of time before new laws are adopted here in the U.S. and companies face penalties for the mishandling of consumer data.

In the European Union (EU), change is already here as it enacts one of its strictest standards for protecting its citizens’ data, the General Data Protection Regulation, better known as the GDPR. This new standard will go into effect on May 25, 2018, and protects identity data such as name, address, and ID numbers; data from the web such as location, IP addresses, cookie data and RFID tags; health and genetic data; sexual orientation; biometric data; racial or ethnic data; and political opinions. In short, the GDPR will mandate that no matter where they are based, companies marketing to EU citizens will have to make sure that they use authorized data, take powerful measures to protect consumer data, erase consumer data as required, assess risks, implement measures and provide proof that they are complying. Furthermore, they must notify authorities within 72 hours of a data breach. Currently, only 33% of North American companies are GDPR compliant.

Therefore, it would be prudent for U.S. companies to pay close attention to this new law. While businesses may think they won’t be affected by GDPR, they could be mistaken. For example, if a company based anywhere in the world, knowingly or not, has marketing interactions with an EU citizen, this new regulation applies to them. This could be as simple as gathering information from a business card (of an EU resident) at a trade show or having an EU citizen sign up for a newsletter online.

Those businesses found guilty of violations won’t just be met with a small slap on the wrist. The significant fines could have an impact on their ability to stay in business. The EU penalty for non-compliance could be up to 20 million Euros or 4% of their global revenue. Alarmingly, 52% of the companies currently affected by GDPR are not ready and expect to be fined for non-compliance.

So, what can U.S. marketers do now to start getting compliant with GDPR and create transparency with their customers about their data collection and usage practices?

HubSpot published an informative piece about what GDPR means to the marketing industry. The article affirms that “GDPR is going to (forcibly) raise the bar for marketers.” No doubt, it most certainly will redefine data privacy and protection as we know it.

Briefly, here are HubSpot’s recommendations for compliance that can be applied by U.S. companies today to start the process:

  • Be transparent with users about what their information will be used for.
  • Collect only what is suitable, pertinent and needed to carry out specific marketing activities.
  • Use data only for purposes communicated to the user and do not transfer it to other systems without the user’s consent.
  • Secure the data you do collect by encrypting it.
  • Ask consumers often to update their information.
  • Delete personal records from all systems when relationships are terminated, or when users request their information be erased.

Another valuable paper by Treasure Data, the Marketer’s Guide to the GDPR, details how marketers can apply these standards to their outbound and inbound marketing activities. Among other things, this guide counsels marketers on how to structure opt-in features, choose compliant vendors, manage leads, handle social media and run advertising campaigns under new GDPR rules.

On the positive side, GDPR will force brands to communicate often and more clearly to earn back the trust of consumers. They will also have to provide more value in exchange for personal information, which brands have taken for granted since innovative technologies have made data collection easier in recent years. Yet for all the hassle and expense of changing processes and systems in order to comply, these consumer-friendly changes could result in the strengthening of a brand’s relationship with its customers due to its focus on transparency.

Finally, whether you support these changes or not, it’s very likely that GDPR will revolutionize marketing activities on this side of the pond. We cannot stop what is already in motion. GDPR is a direct response to EU consumers’ demands that we respect their right to privacy, and U.S. consumers not only deserve the same rights but are also demanding change. Besides, global companies that implement changes to comply with the EU will most likely adopt similar methods here in the U.S. and set an example for other companies to follow.

Therefore, businesses should get ready now as U.S. lawmakers may be watching to see how changes in EU privacy laws play out before implementing comparable regulations. Unlike those companies that are unprepared for this month’s adoption of GDPR, American firms have plenty of advance warning, an opportunity to begin implementing changes, and most importantly, a chance to win back consumer confidence.

Chu, R., Lau, D., Moriah, S., & Schallich, A. (n.d.). Communism and Computer Ethics. Retrieved from Stanford University:

Egan, S. (2018, April 11). The GDPR Sprint: Why Marketers Need To Pick Up The Pace And Cross The Compliance Finish Line. Retrieved from Forbes:

Experian. (n.d.). Data breaches are on the rise. Retrieved from Experian:

HubSpot. (2018, February 28). What is the GDPR? And What Does it Mean for the Marketing Industry? Retrieved from HubSpot:

Lambert, L. (2017, December 4). 6 steps for GDPR compliance. Retrieved from CSO Online:

Nadeau, M. (2018, April 23). General Data Protection Regulation (GDPR) requirements, deadlines and facts. Retrieved from CSO Online:

Rodger, A. (2015). Data Privacy Laws: Cutting the Red Tape. Retrieved from IntraLinks:

Treasure Data. (n.d.). Marketer’s Guide to the GDPR. Retrieved from Treasure Data: