Companies all over the world spent months preparing for last Friday, when the European Union began to enforce its sweeping data privacy act, the General Data Protection Regulation. During that time, privacy advocates were hoping, were led to believe, that tech companies would grant the rest of the world those same improved protections afforded to European citizens.
That didn't happen. Facebook relocated its servers so it wouldn’t have to give GDPR protections to everyone, and some news sites blocked European access while they sorted out how to follow the new laws and avoid fines.
The federal government hasn’t stepped up to enact any similar protections on this side of the Atlantic — in fact it’s not even clear whether or not net neutrality will return in America. So two states are moving forward with their own new rules. Last week Vermont passed legislation requiring data brokers (companies that collect and sell personal information based on people’s online activity) to register with the government, keep users up to date on where their data is going, give them a chance to opt out, and adopt better cybersecurity practices, as reported by Slate.
California may soon have similar rules in place. According to NPR, so many Californians have backed the citizen-proposed California Consumer Privacy Act of 2018 that it will soon end up on an official ballot for a statewide vote. Should it be ratified into law, Californians could choose to prevent websites from selling any personal information collected on them.
These laws would mean that any large company like Facebook or Google would need to differentiate between visitors from Vermont (and maybe soon California) and anywhere else, and provide different services and levels of individual control over personal information to people based on their location.
That is, unless they chose to apply the protections to all users in the country anyway. And for many, that's the ultimate goal, no matter if it's companies or legislators that make that happen. Because providing different services and granting different levels of privacy on a state-wide versus continental scale is presumably more difficult and annoying, the people behind the California Consumer Privacy Act of 2018 hope that companies would just make things simpler and apply the policy to the entire country.
This would mean the companies would make less money made on the personal data and advertising markets, so it seems unlikely that companies would implement protections nationwide without being legally required to do so.
In the meantime, the next step is to see how Vermont’s new laws stand up if data brokers challenge them in court, or when it comes time to enforce violations. For those of us that care about our digital privacy, it would be nice to see it stick.