Fundamentally, the General Data Protection Regulation's focus on the right to privacy, which gives people control over their own data, lets individuals decide how companies, including data brokers, may use their personally identifiable information.
GDPR, the European Union's data protection regulation, has extra-territorial scope: platforms and websites outside the EU that process the PII of people inside the EU must also comply with it.
The largest GDPR penalty to date in monetary terms is this week's $1.3 billion fine on Meta, together with an order to stop transferring European Union users' data to the U.S.
As the consent management platform Cookiebot summarizes it, GDPR requires that a website with visitors from inside the EU, before it processes their personally identifiable information, must:
- Obtain clear and unambiguous consent from its users.
- Specify cookies and other tracking technology present and operating on its pages, in easy-to-understand ways that enable users to consent and to revoke consent on each specific category of cookies.
- Be able to safely and confidentially document each user’s consent and be able to ask for renewed consent regularly.
Experts laud GDPR but say more is needed
Several experts weighed in on the virtues of the GDPR at WithSecure’s Sphere23 event in Helsinki, Finland.
“The European Commission is criticized for many things, but GDPR is the one thing where it can hold its head up high and say, ‘We’ve led the world in this.’ As regulatory milestones go, it’s the equivalent of climbing Everest. And it seems to be working as other jurisdictions are following suit,” said Paul Brucciani, cybersecurity adviser at WithSecure.
He noted that internet fragmentation, driven by the quest for digital power, created complexity that the EU addressed with the GDPR, and which it is also applying to new technologies. “For example, AI is the next big field that will need regulating, and the EU has again made a head start on this with its proposed AI Act, a legal framework that is intended to be innovation-friendly, future-proof and resilient to disruption,” he said.
Sylvain Cortes, the VP of strategy at Hackuity, said it’s a good start, but not enough.
“Compliance is essential, but we urge organizations to take the opportunity to think beyond baseline requirements to develop a culture of continuous cyber improvement,” he said. “It’s important to remember that achieving compliance shouldn’t be treated like ‘exam-cramming’ with last-ditch efforts to achieve annual or quarterly audits. The goal is to achieve more than the minimum requirements and move away from the tick-box mindset. GDPR compliance is necessary, but it is far from sufficient for modern organizations,” he added.
Ripples of influence beyond Europe (in the U.S.)
While the U.S. lacks a comprehensive federal data privacy law, a growing number of states (ten are named here) have enacted either comprehensive privacy legislation or more limited, tailored laws giving consumers power over how their personal data is trafficked. Among them are:
- California's Consumer Privacy Act, effective January 2020, gives residents the right to stop the sale of their PII to third parties and to know what data has been collected about them and have it deleted.
- Nevada's security and privacy of personal information law, in force since 2019, lets Nevadans stop their data from being sold to third-party data brokers.
- Virginia's Consumer Data Protection Act, effective this year, gives consumers the right to access their PII and to request that it be deleted.
- The Tennessee Information Protection Act, signed into law on May 11, 2023, gives citizens the right to opt out of having their PII sold to third parties.
Maine, Colorado, Utah, Iowa, Indiana and Connecticut are also on the growing list of states with comprehensive or tailored privacy laws. Montana, Texas and Florida also have similar bills awaiting governors’ signatures.
Jeff Reich, executive director at the Identity Defined Security Alliance, said these laws, and others still to come, trace their origins to the GDPR.
“The rock in the pond that is the GDPR continues to cause ripples that affect everything in the vicinity,” he said. “Seven years after the GDPR was adopted, five years after enforcement began, it is difficult to not see the results of the regulation, to date. Merchants and vendors know what they need to do, even when they do not know how to do it yet. The best behavior change is with consumers.”
He said the biggest long-term benefit may be consumers’ ability to see the value of their identity and the security that protects their personal data.