GDPR: A Year Later
But at the same time, many see the California legislation as the linchpin for a wider nationwide push. "We are almost certain to get a federal privacy act of some sort eventually," Carvel says.
Vernhout maintains that the U.S. government is already planning this year to put forth a new privacy law that will mirror the GDPR in many ways. "Several hearings to discuss data privacy are already under way," he says.
U.S. Sen. Marco Rubio (R-Fla.) in January introduced the American Data Dissemination (ADD) Act, a national consumer data privacy law that would seek to protect both consumer and business interests. It, too, is largely a GDPR clone.
"There has been a growing consensus that Congress must take action to address consumer data privacy," Rubio said in a statement.
A national U.S. policy governing data protection also has the backing of the U.S. Government Accountability Office (GAO), which in February recommended that Congress develop internet data privacy legislation similar to the GDPR. "Recent developments regarding internet privacy suggest that this is an appropriate time for Congress to consider comprehensive internet privacy legislation," GAO officials said in their 56-page report.
And such moves are garnering support from unlikely sources. In October, Apple CEO Tim Cook, during a keynote in Brussels at the Conference of Data Protection and Privacy Commissioners, urged U.S. lawmakers to implement a rule that mirrors the GDPR. Cook, who has been especially critical of Google's and Facebook's data policies, warned that the mass collection of private consumer data amounts to surveillance in action and that the huge stockpiles of such bits of information "serve only to enrich the companies that collect them."
Beyond the United States and the other countries already mentioned, most experts predict that an even wider rollout of consumer data protections is inevitable. "There will be lots of movement on the privacy front around the globe in 2019 and 2020," Vernhout says.
GDPR HASN'T BEEN ALL BAD
Experts and insiders concede that the GDPR has been successful in one key area: Consumers now have more of an interest in what happens with their personal information.
Shane Phair, chief marketing officer at U.S. email marketing technology vendor Campaign Monitor, argues that the GDPR "has made it simple for consumers to understand the important details about their data, such as how it is being used, where it is being stored, and more."
FormAssembly’s Davda agrees, noting that because of the GDPR, consumers are asking more questions and reading companies' privacy policies more closely.
"From a consumer perspective, the biggest effect that GDPR has had is the empowerment of consumers over their personally identifiable information (PII)," RedPoint Global's Nash says.
And that will ultimately lead to greater accountability. "From an individual's perspective, the biggest impact from GDPR to date seems to be a renewed interest in personal data and privacy. Having the ability to hold businesses accountable for years of misuse, abuse, or data breaches seems like a fitting balance," Vernhout states.
REDIRECTING THE DIALOGUE
The GDPR has also changed the entire dialogue between companies and customers.
Whether it was a stated goal of the GDPR or an unforeseen consequence, "companies are beginning to self-regulate, knowing that regardless of the form, there is increased need to give consumers greater transparency and control" over their data, Nash says.
"Because of the penalties and other negative ramifications of ignoring GDPR, we have started to see companies take GDPR seriously with internal programs to organize their data better," Gillett observes.