by Elias Aidun, Associate Member, University of Cincinnati Law Review Vol. 93
I. Introduction
In an era where personal data is constantly being collected, analyzed, and monetized, data privacy has become one of the most pressing legal and ethical issues of the digital age. Every online interaction—whether on social media, e-commerce platforms, or healthcare portals—creates a digital footprint that governments, corporations, and even cybercriminals can exploit.[1] The rapid expansion of artificial intelligence, cloud computing, and biometric technology has only heightened concerns over how personal data is stored, shared, and protected.[2]
As internet use has dramatically increased over the past two decades, online resources and websites have begun to gather and store users’ personally identifiable information to deliver better services to users.[3] Typical data collected from users can include a person’s name, contact information, age, and address.[4] However, websites and online platforms often collect and use individuals’ data in ways users do not anticipate, diminishing their privacy beyond their awareness.[5] In addition, weak security measures can lead to data breaches that put individuals’ personal information at risk.[6]
Despite the promises of data-driven products and services—such as saving time, reducing costs, and enhancing health—many Americans remain skeptical about the trade-offs of widespread data collection.[7] A 2019 survey from the Pew Research Center revealed that 81% of American adults believe the risks of data collection by companies outweigh the benefits, and 66% say the same about government data collection.[8] At the same time, a majority of Americans report being concerned about the way their data is being used by companies (79%) or the government (64%).[9] This suggests that most Americans feel they have little or no control over how their data is used.[10] In response to these challenges and this skepticism, governments worldwide have developed legal frameworks aimed at regulating data collection and ensuring individuals’ privacy rights.
This article explores global legal responses to data privacy, focusing on the contrast between European and American regulations. Part II provides an overview of the European Union’s General Data Protection Regulation (“GDPR”) and U.S. data privacy laws. Part III highlights key differences between these frameworks and their legal implications. Finally, Part IV offers a brief conclusion on the future of data privacy regulation and potential solutions to emerging challenges.
II. Background
As digital technologies continue to advance, the regulation of data privacy has become a critical legal and policy concern. The vast collection of personal data by businesses, governments, and third parties raises significant questions about consumer rights, corporate responsibility, and governmental oversight.[11] While data collection has fueled innovation in sectors like healthcare, finance, and artificial intelligence, it has also led to concerns about surveillance, unauthorized access, and data breaches.[12]
For example, in July 2023, the Federal Trade Commission (“FTC”) and U.S. Department of Health and Human Services’ Office for Civil Rights issued a joint warning to hospitals and telehealth providers about the privacy and security risks posed by online tracking technologies used on their websites and mobile applications.[13] These tracking tools, which collect data on users’ browsing behavior, were found to potentially disclose sensitive health information to third parties, such as advertisers, without proper consent.[14] The agencies emphasized that such practices violate the Health Insurance Portability and Accountability Act (“HIPAA”), which mandates strict protections for personal health data.[15] Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, stated, “When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties.”[16] This incident underscores the growing concern over the misuse of sensitive data and the need for stringent regulation to safeguard privacy.
A. What is the GDPR?
In response to the situations mentioned above, governments around the world have implemented legal frameworks to regulate data privacy and protect their citizens’ privacy. Among these, the European Union’s GDPR stands out as one of the most comprehensive and stringent data privacy laws globally.[17] The GDPR came into effect on May 25, 2018, and establishes a unified legal framework for data protection across all EU member states, ensuring that individuals have greater control over their personal data, while placing strict compliance obligations on organizations that collect, process, or store such information.[18]
Although the GDPR is an EU-based law, it can affect companies and entities worldwide through its extraterritorial scope.[19] This means that even if a company is neither located nor operating within the EU, it must comply with GDPR requirements if it has customers in the EU.[20] In addition, the GDPR required EU member states to pass national laws that closely map to the GDPR’s provisions.[21] While the GDPR’s purpose is to give individuals privacy protection, it also recognizes the value of data to businesses and has introduced new concepts in order to find a balance between privacy protection and business interests.[22]
The GDPR introduced several key terms and concepts that organizations must understand to ensure compliance. One of the most fundamental concepts is personal data, which the GDPR defines broadly to include any information that can directly or indirectly identify an individual, such as names, email addresses, ethnicity, zip code, gender, banking details, IP addresses, biometric data, religious and political beliefs, web cookies, and even social media posts.[23] In addition, the regulation emphasizes the principle of lawful processing, meaning organizations must have a legal basis, such as consent, contractual necessity, or legitimate interest, for collecting and using personal data.[24] To obtain consent, an organization must acquire explicit, unambiguous permission from individuals, and it must use language that is easy to understand when asking for that permission.[25]
Organizations handling personal data are categorized as either data controllers or data processors.[26] A data controller determines the purpose and means of processing personal data, so they decide why, when, and how personal data is processed.[27] A data processor handles data on behalf of the controller, so any third-party organization that engages in processing personal data, including email marketing tools, analytic tools, and cloud vendors, is a processor.[28] In the unfortunate event of a data breach, organizations must notify supervisory authorities and individuals within 72 hours if a data breach affects individuals’ personal information.[29]
The GDPR also grants individuals specific rights to increase transparency and give individuals more control over how their data is used.[30] Specifically, the GDPR gives individuals the following rights: 1) the right to be informed that their personal data is being collected; 2) the right to access their personal data and learn how it is processed; 3) the right to rectify inaccurate or incomplete personal data; 4) the right to erase data; 5) the right to restrict the processing of personal data; 6) the right to data portability; 7) the right to object to how their information is used for marketing, sales, or non-service-related purposes; and 8) the right to say no to solely automated decisions being made about their data.[31] These rights collectively empower individuals to take control of their personal data, ensuring greater transparency, accountability, and protection in an increasingly data-driven world.
B. American Privacy Laws
Unlike the European Union’s GDPR, the United States does not have a single, comprehensive federal data privacy law.[32] Instead, data privacy regulations in the U.S. are a combination of sector-specific and state-level laws that govern how personal data is collected, processed, and shared.[33] These regulations vary in scope and enforcement and often focus on specific industries such as healthcare, finance, and education. Key federal laws addressing data privacy include HIPAA, the Gramm-Leach-Bliley Act (“GLBA”), and the Children’s Online Privacy Protection Act (“COPPA”).[34] In addition, the FTC plays a crucial role in enforcing consumer privacy protections through its authority to act against deceptive or unfair business practices.[35]
Due to the absence of a unified federal data privacy framework, there have been increasing efforts at the state level to implement more comprehensive consumer privacy protections.[36] Currently, a total of twenty states have passed comprehensive data privacy laws to address growing concerns over data security, consumer rights, and corporate accountability.[37] Among these, California’s data privacy laws stand out as the most comprehensive and influential, setting a precedent for other states considering similar legislation.[38]
California has taken a leading role in data privacy regulation through landmark legislation such as the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”).[39] Enacted in 2018 and effective as of January 1, 2020, the CCPA grants California residents extensive rights over their personal information, including the right to know what personal data businesses collect, the right to delete personal information, the right to opt out of data sales, and the right to non-discrimination for exercising these rights.[40] The CCPA applies to businesses that meet specific thresholds, such as having annual gross revenues exceeding $25 million, handling the data of at least 100,000 consumers, or deriving 50% or more of annual revenues from selling consumers’ personal data.[41]
Building upon the CCPA, the CPRA became effective on January 1, 2023, and further strengthens consumer protections by establishing the California Privacy Protection Agency (“CPPA”) to oversee enforcement and compliance.[42] The CPRA also introduced new rights, such as the right to correct inaccurate personal information and the right to limit the use of sensitive personal data, including financial, biometric, and geolocation information.[43] Additionally, the CPRA imposes stricter obligations on businesses, requiring them to conduct risk assessments and limit data retention periods.[44]
California’s data privacy laws have significantly influenced discussions on national data privacy regulation and serve as a model for other states.[45] As more states enact their own privacy laws, the growing complexity of compliance requirements highlights the ongoing need for a unified federal standard to provide consistency and stronger consumer protections across the country.
III. Discussion
The regulatory landscape of data privacy varies significantly across jurisdictions, with the EU and the U.S. adopting distinct approaches. These regulatory differences not only impact compliance obligations for businesses but also affect the level of privacy protections available to individuals. Understanding these key distinctions between EU and U.S. data privacy laws is essential to evaluating the effectiveness and legal implications of each approach.
A. Key Differences Between GDPR and U.S. Data Privacy Laws
Despite their shared goal of protecting consumer privacy, the GDPR and U.S. data privacy laws differ significantly in their scope, regulatory approach, and enforcement mechanisms.[46] These differences stem from varying legal philosophies, regulatory structures, and societal attitudes toward data protection.[47]
The regulatory approaches to data privacy in the EU and the U.S. diverge considerably, with the EU adopting a comprehensive framework through the GDPR, while the U.S. relies on a patchwork of sector-specific and state-level laws.[48] The GDPR framework applies to all entities processing personal data within the EU and beyond, provided they handle the data of EU citizens.[49] On the other hand, the U.S. lacks a single federal privacy law, and privacy protections are scattered across sector-specific laws such as HIPAA for healthcare, GLBA for financial data, and COPPA for children’s online privacy.[50] In addition, individual states have enacted privacy laws, such as California’s CCPA and CPRA.[51] This fragmented approach by the U.S. results in varying levels of protection depending on the industry and jurisdiction.
Another key distinction between the GDPR and U.S. privacy laws is the level of control individuals have over their personal information.[52] Under the GDPR, organizations must obtain clear, affirmative consent before collecting or processing personal data.[53] The GDPR also grants individuals extensive rights, including the right to access, rectify, erase, and restrict processing of their personal data.[54] The U.S., however, generally follows an “opt-out” model, meaning that data collection is permissible unless the consumer explicitly objects.[55] While the CCPA and CPRA grant California residents some rights similar to those under the GDPR, most other states do not offer comparable protections.[56]
Enforcement mechanisms and penalties for data privacy violations differ significantly between the EU and the U.S., with the GDPR imposing strict fines and centralized oversight, while U.S. enforcement is more fragmented and varies across federal and state agencies.[57] The GDPR imposes strict penalties for non-compliance, with fines reaching up to €20 million or 4% of the company’s global annual revenue, whichever is higher.[58] Enforcement of the GDPR is overseen by independent data protection authorities in each EU member state, which have broad investigative and corrective powers.[59] In the U.S., enforcement is more decentralized. The FTC is the primary federal agency overseeing consumer privacy, but its authority is limited to cases involving unfair or deceptive practices.[60] State attorneys general also play a role in enforcement, particularly in states with robust privacy laws like California.[61] However, penalties under U.S. privacy laws are generally less severe than those under the GDPR, making compliance less burdensome for businesses.
B. Legal Implications of Differing Privacy Frameworks
Companies that operate in both the U.S. and EU face complex compliance challenges due to differing legal standards. Many multinational organizations adopt GDPR-level compliance practices as a baseline to ensure they meet the strictest requirements.[62] However, U.S.-based businesses that primarily operate domestically may struggle to navigate the patchwork of state privacy laws, particularly as more states enact their own regulations. The disparity in regulations forces companies to implement varied privacy policies depending on where they operate, leading to increased compliance costs and legal uncertainties.[63]
While the GDPR grants individuals extensive rights over their personal data, American consumers generally have fewer protections unless they reside in states with strong privacy laws, such as California. The lack of a unified national standard means that consumer privacy protections vary significantly across the U.S., leaving many individuals without rights over their data. This inconsistency has fueled ongoing discussions about the need for a comprehensive federal privacy law that aligns more closely with global standards and ensures that all Americans receive uniform protections.[64]
The increasing adoption of state-level privacy laws has intensified calls for a federal privacy framework to reduce regulatory complexity and provide uniform protections nationwide. Proposed legislation, such as the American Privacy Rights Act (“APRA”), aims to harmonize the patchwork of existing U.S. privacy laws by providing new consumer privacy rights, requiring data minimization, and establishing a broad private right of action.[65] The APRA seeks to create uniform national privacy standards, addressing concerns over the current patchwork of state laws that make compliance difficult for businesses and leave many consumers without clear data rights.[66] The proposal includes provisions for consumer rights similar to the GDPR, such as access, correction, and deletion of personal data.[67] If enacted, the APRA could significantly reshape the U.S. privacy landscape by aligning it more closely with global standards like the GDPR. However, the bill still faces legislative hurdles before being enacted.[68]
C. Federal vs. State Privacy Laws: What’s Best for Consumers
The distinction between a federal privacy law and state privacy laws carries significant implications for businesses, consumers, and policymakers. A federal privacy law could establish a single, cohesive framework, reducing compliance burdens for businesses operating across multiple states.[69] However, a federal privacy law could weaken consumer protections by preempting stronger state laws and limiting states’ ability to address emerging privacy concerns.[70] A federal law could strip consumers of essential rights, replacing strong, localized safeguards with a weaker “one size fits all” standard.
State privacy laws provide the necessary flexibility to address evolving risks and emerging technologies. Unlike federal legislation, which can take years to pass and update, states can move quickly to strengthen privacy protections in response to new challenges. If a federal privacy law were to override or preempt state-specific measures, individuals could be left vulnerable to gaps in regulation that fail to keep pace with technological advancements.[71] Allowing states to set their own privacy standards ensures that laws can be continuously refined to reflect new consumer concerns and industry developments.
While businesses may prefer a streamlined regulatory framework, their convenience should not come at the expense of consumer rights. Many corporations across the U.S. already comply with state privacy laws, such as California’s CCPA, demonstrating that adapting to multiple state regulations is feasible. If a federal privacy law were to be enacted, it should serve as a baseline rather than a ceiling, ensuring that states can continue to enact stronger protections where needed. Prioritizing state-led privacy laws not only upholds higher consumer safeguards but also fosters innovation in data protection, allowing regulations to evolve in ways that best serve the public rather than corporate interests.
IV. Conclusion
As digital technologies continue to evolve, the legal landscape surrounding data privacy remains in flux. While the EU’s GDPR provides a comprehensive, rights-based approach to data protection, the U.S. continues to rely on a fragmented framework of sector-specific and state-level laws. These differing regulatory models create compliance challenges for multinational businesses and leave many American consumers with inconsistent privacy protections. The growing number of state-level privacy laws in the U.S. signals increasing recognition of the need for stronger consumer data rights, yet the lack of a unified federal standard continues to create uncertainty.[72] Proposals like the APRA suggest that the U.S. may be moving toward a more cohesive national framework, but legislative obstacles persist.
As governments, businesses, and consumers grapple with the complexities of data privacy, the future of regulation in the U.S. will likely hinge on striking a balance between innovation and individual rights. Stronger legal protections, corporate accountability, and enhanced enforcement mechanisms will be critical to ensuring that individuals maintain control over their personal information in an increasingly data-driven world.[73] Whether through federal legislation or continued state-led initiatives, the push for greater privacy rights in the U.S. will remain a key issue in the years to come.
[1] Data Privacy: Understanding Its Importance and Ensuring Compliance, Veritas, https://www.veritas.com/information-center/data-privacy (last visited Feb. 6, 2025).
[2] Katharine Miller, Privacy in an AI Era: How Do We Protect Our Personal Information?, Stanford University Human-Centered Artificial Intelligence (Mar. 18, 2024), https://hai.stanford.edu/news/privacy-ai-era-how-do-we-protect-our-personal-information?.
[3] Data Privacy: Understanding Its Importance and Ensuring Compliance, supra note 1.
[4] Id.
[5] Id.
[6] Id.
[7] Brooke Auxier et al., Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information, Pew Research Center (Nov. 15, 2019), https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/?.
[8] Id.
[9] Id.
[10] Id.
[11] Importance of Data Privacy Laws Explained, DataGrail (May 24, 2022), https://www.datagrail.io/blog/data-privacy/importance-of-data-privacy-laws-explained/.
[12] Lin Grensing-Pophal, People Data Collection Risks: What You Need to Know, SHRM (Jan. 30, 2024), https://www.shrm.org/topics-tools/news/technology/people-data-collection-risks.
[13] FTC and HHS Warn Hospital Systems and Telehealth Providers about Privacy and Security Risks from Online Tracking Technologies, FTC (July 20, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/07/ftc-hhs-warn-hospital-systems-telehealth-providers-about-privacy-security-risks-online-tracking.
[14] Id.
[15] Id.
[16] Id.
[17] The Ultimate Guide to the GDPR, Osano, https://www.osano.com/gdpr (last visited Feb. 6, 2025).
[18] Id.
[19] Id.
[20] Id.
[21] Id.
[22] Id.
[23] Regulation (EU) 2016/679 of the European Parliament and of the Council on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) 2016 O.J. (L. 119) Chapter 1, Art. 4 [hereinafter GDPR].
[24] GDPR Chapter 2, Article 7.
[25] Id.
[26] Id.
[27] The Ultimate Guide to the GDPR, supra note 17.
[28] Id.
[29] Id.
[30] Id.
[31] Id.
[32] Id.
[33] Data Privacy Laws: What You Need to Know in 2025, Osano, https://www.osano.com/articles/data-privacy-laws (Jan. 7, 2025).
[34] Paul Kirvan, U.S. data privacy protection laws: 2025 guide, TechTarget (Nov. 21, 2024), https://www.techtarget.com/searchsecurity/tip/State-of-data-privacy-laws?.
[35] Privacy Laws, Policies and Guidance, Office of Privacy and Open Government, https://www.commerce.gov/opog/privacy/privacy-laws-policies-and-guidance? (last visited Feb. 8, 2025).
[36] Data Privacy Laws: What You Need to Know in 2025, supra note 33.
[37] Paul Pittman et al., US Data Privacy Guide, White & Case (Nov. 4, 2025), https://www.whitecase.com/insight-our-thinking/us-data-privacy-guide.
[38] Sam Pfeifle, The Expert’s Guide to California Data Privacy Law CCPA & CPRA, Osano (Dec. 13, 2024), https://www.osano.com/articles/california-privacy-laws-ccpa-cpra.
[39] Id.
[40] Id.
[41] Id.
[42] Id.
[43] Id.
[44] Id.
[45] Josh Nadeau, How the CCPA is shaping other state’s data privacy, Security Intelligence (Dec. 23, 2022), https://securityintelligence.com/articles/how-ccpa-shaping-states-data-privacy/.
[46] Richard Lawne, GDPR vs U.S. state privacy laws: How do they measure up?, fieldfisher (Jan. 3, 2023), https://www.fieldfisher.com/en/insights/gdpr-vs-u-s-state-privacy-laws-how-do-they-measure.
[47] Id.
[48] Id.
[49] The Ultimate Guide to the GDPR, supra note 17.
[50] Kirvan, supra note 34.
[51] Pfeifle, supra note 38.
[52] Lawne, supra note 46.
[53] GDPR, Chapter 2, Article 7.
[54] The Ultimate Guide to the GDPR, supra note 17.
[55] Pittman, supra note 37.
[56] Data Privacy Laws: What You Need to Know in 2025, supra note 33.
[57] Lawne, supra note 46.
[58] The Ultimate Guide to the GDPR, supra note 17.
[59] Id.
[60] Data Privacy Laws: What You Need to Know in 2025, supra note 33.
[61] Lawne, supra note 46.
[62] What is the General Data Protection Regulation (GDPR)? Everything You Need to Know, Digital Guardian (Dec. 1, 2017), https://www.digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection?.
[63] Catherine Stupp, Patchwork of State Privacy Laws Remains After Latest Failed Bid for Federal Law, Wall St. J. (Aug. 27, 2024), https://www.wsj.com/articles/patchwork-of-state-privacy-laws-remains-after-latest-failed-bid-for-federal-law-2a1a020d?.
[64] Jeewon Serrato et al., The United States Moves Toward a Comprehensive Privacy Law (One More Time), Pillsbury Law (Apr. 22, 2024), https://www.pillsburylaw.com/en/news-and-insights/american-privacy-rights-act.html?.
[65] Id.
[66] Id.
[67] Id.
[68] Id.
[69] Tim Barnett, The case for a federal data privacy law, SC Media (Jul. 7, 2023), https://www.scworld.com/perspective/the-case-for-a-federal-data-privacy-law?.
[70] Alan Butler & Hayley Tsukayama, Data Protection Leaders Differ on Powers of New US Privacy Law, Bloomberg Law (Oct. 6, 2023), https://news.bloomberglaw.com/privacy-and-data-security/data-protection-leaders-differ-on-powers-of-new-us-privacy-law?.
[71] Id.
[72] Serrato, supra note 64.
[73] Id.
Cover Photo by Towfiqu Barbhuiya on Unsplash.
