BLOG POST: Connecting the Patchwork: National Regulation of Data Privacy in the United States*

*This article is a blog post; it is not an IPTF Journal article.

SAMANTHA TORRE


A recent study revealed that nearly three-quarters of Americans surveyed reported feeling “resigned” to the use of their personal data for marketing purposes.[1] In the same study, even consumers who said they want control over their own data did not understand how their data can be gathered and used.[2] Only fourteen percent of Americans believed that companies could be trusted to use their data with the consumer’s “best interests in mind.”[3] Consumers express particular concern about what companies do with their data.[4] One example is data brokerage companies, which trade in data with various organizations, including law enforcement.[5] Every time a data broker buys or sells data, there is a new opportunity for a leak, putting millions of consumers’ personal information at risk.[6]

The Federal Trade Commission (FTC) reports that even when companies do ask consumers for consent, or assure users that their data will not be sold, there is a lack of transparency about what the data will be used for.[7] Given the high value of the data industry and the catastrophic effects of data leaks, lawmakers across the country have proposed legislation to hold data brokers accountable.[8]

Despite the vast scale of the data industry and the high likelihood of data breaches, the United States does not have a centralized data privacy law.[9] Rather, it has a lackluster patchwork of data privacy protections, which depend heavily on the state in which the consumer resides.[10] State protections vary widely, ranging from comprehensive frameworks to none at all.[11] For example, California has adopted comprehensive privacy laws to protect its residents, while states such as Arizona, Florida, and Kansas have no such laws, leaving their residents vulnerable.[12]

The state laws follow an opt-out model: consumers must opt out of data use, and inaction means companies can use their data.[13] California’s statute, the California Consumer Privacy Act (CCPA), provides that consumers must be informed about how their data is used and given notice if that use changes in a way that is inconsistent with the original notification.[14] Furthermore, the consumer can effectively rescind consent through the right to ask businesses to delete the data they hold on the consumer.[15] California also takes age into account when assessing consent: the State obtained a permanent injunction against Tilting Point Media requiring the company to inform consumers under sixteen that their data may be used and to obtain the child’s guardian’s opt-in for that use.[16] Tilting Point had asked users about their age in a way that encouraged younger users to misstate it, which kept underage consumers out of the age-appropriate version, and it had collected children’s data without consent from a parent or guardian.[17]

While the U.S. has a system of data privacy regulations that varies widely based on the consumer’s location, the European Union (EU) has adopted a single privacy regulation that applies uniformly across its member states.[18] The EU’s General Data Protection Regulation (GDPR) is the world’s most comprehensive data privacy regulation.[19] The GDPR applies both to companies established in the EU and to companies elsewhere that serve people in the EU.[20] It limits how much data can be collected, what the data can be used for, and how long the data can be stored, and it requires accuracy and confidentiality.[21] Ireland’s Data Protection Commission (DPC) is a major enforcer of the GDPR, accounting for about half, by value, of the GDPR fines levied in 2024.[22] One such fine exceeded a billion euros, about $1.3 billion in U.S. dollars at the time of writing.[23] Companies including LinkedIn have been fined for failing to comply with data protection requirements surrounding targeted advertising.[24] LinkedIn fell foul of the GDPR because it did not obtain valid consent to process members’ third-party data for targeted advertising, could not rely on legitimate interest to use first- or third-party data in advertising, and could not rely on contractual necessity for that processing.[25] The DPC acted as LinkedIn’s lead supervisory authority because LinkedIn Ireland is the company’s EU establishment, even though the complaint originated from a French organization.[26]

The GDPR restricts data use based on the location of the person whose data is collected, whereas California bases its restrictions on the residency of the consumer.[27] Unlike California, the GDPR requires that consumers opt in, giving them more power at the outset.[28] The GDPR and California define personal information similarly: data that can reasonably be linked to a specific individual (and, under California’s law, to a specific household).[29] However, the GDPR is slightly broader in that it also applies to publicly available information, which is excluded from California’s definition.[30] Furthermore, both the GDPR and California provide heightened protections for “sensitive” information, known as special categories of data in the GDPR.[31] Both laws cover genetic data, and the GDPR expressly lists biometric data processed to uniquely identify a person among its special categories.[32]

At the federal level, the United States should enact uniform data privacy legislation that would provide a foundation and stability for companies and consumers.[33] To do so, the United States should draw on elements of both the state laws and the GDPR.[34] For example, the United States could retain the opt-out structure of the state laws but couple it with the location-based scope of the GDPR.[35] An opt-out requirement would build on a framework already familiar to companies and American consumers.[36] A comprehensive framework that creates uniformity across the United States would benefit both consumers and companies, protecting consumers from harmful privacy practices and companies from costly lawsuits.[37]


[1] Joseph Turow et al., Americans Can’t Consent to Companies’ Use of Their Data, Annenberg School for Communication, University of Pennsylvania (2023), https://www.asc.upenn.edu/sites/default/files/2023-02/Americans_Can%27t_Consent.pdf, at 15.

[2] Id. at 13, 17.

[3] Id. at 13.

[4] Id. at 16.

[5] Justin Sherman, Data Brokers and Data Breaches, Duke Sanford School of Public Policy (Sept. 27, 2022), https://techpolicy.sanford.duke.edu/blogroll/data-brokers-and-data-breaches/.

[6] Id. A data leak occurs when a source with data accidentally exposes the data to an outside party, whereas a data breach occurs when a party external to the data broker purposefully accesses sensitive information. Microsoft Security, What is a Data Leak?, Microsoft, https://www.microsoft.com/en-us/security/business/security-101/what-is-a-data-leak (last accessed Aug. 13, 2025). 

[7] Federal Trade Commission, A Look at What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers (2021).

[8] Press Release, Office of Sen. Elizabeth Warren, Warren, Warner, Cummings, Krishnamoorthi Reintroduce Legislation to Hold Equifax and Other Credit Reporting Agencies Accountable for Data Breaches (May 7, 2019), https://www.warren.senate.gov/newsroom/press-releases/warren-warner-cummings-krishnamoorthi-reintroduce-legislation-to-hold-equifax-and-other-credit-reporting-agencies-accountable-for-data-breaches.

[9] See Warren, supra note 8 (stating that data companies “…hold vast amounts of data on millions of Americans but lack adequate safeguards against hackers…” and referencing four instances of hackers obtaining personal data); Which States Have Consumer Data Privacy Laws, Bloomberg Law (Sept. 10, 2024), https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/ (showing the different privacy laws used by various states); Sherman, supra note 5 (explaining that each data transaction presents a chance for data to be compromised).

[10] See Which States Have Consumer Data Privacy Laws, Bloomberg Law (Sept. 10, 2024), https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/ (explaining that only twenty out of fifty states have extensive data privacy protections and that this “patchwork approach” creates risk for companies with a national reach). 

[11] Which States Have Consumer Data Privacy Laws, Bloomberg Law (Sept. 10, 2024), https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/ (explaining that only twenty out of fifty states have extensive data privacy protections, some states have narrow regulations, and other states lack regulations entirely). 

[12] Id. California’s act is the California Consumer Privacy Act. See also C. Kibby, US State Privacy Legislation Tracker, Int’l Ass’n of Priv. Pros. (July 7, 2025), https://iapp.org/media/images/resource_center/State_Comp_Privacy_Law_Map.png.

[13] Comparing U.S. State Data Privacy Laws vs. the EU’s GDPR, Bloomberg Law (July 11, 2023), https://pro.bloomberglaw.com/insights/privacy/privacy-laws-us-vs-eu-gdpr/#the-basics-of-each-law.

[14] Cal. Civ. Code § 1798.130. See also Rob Bonta, California Consumer Privacy Act (CCPA), State of California Department of Justice, https://oag.ca.gov/privacy/ccpa (last updated Mar. 13, 2024).

[15] Cal. Civ. Code § 1798.130. See also Bonta, supra note 14.

[16] California v. Tilting Point Media, No. 2:24-cv-05140-FLA, at *5–6 (C.D. Cal. 2024) (granting permanent injunction); Rob Bonta, Privacy Enforcement Actions, State of California Department of Justice, https://oag.ca.gov/privacy/privacy-enforcement-actions (last visited Aug. 24, 2025).

[17] Bonta, supra note 16.  

[18] The EU’s General Data Protection Regulation (GDPR) (Comparing GDPR with Laws from California, Virginia, and Colorado), Bloomberg Law, https://pro.bloomberglaw.com/insights/privacy/the-eus-general-data-protection-regulation-gdpr/ (last visited July 31, 2025); see Which States Have Consumer Data Privacy Laws, Bloomberg Law (Sept. 10, 2024), https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/ (explaining that data privacy laws vary widely across the United States and create issues for businesses that attempt to comply with multiple laws).

[19] Comparing GDPR with Laws from California, Virginia, and Colorado, supra note 18.

[20] Id. 

[21] Id.

[22] Azmia Riaz, Ireland responsible for half of €1.2bn GDPR fines last year, Irish Independent (Jan. 21, 2025). See also The Data Protection Commission, https://www.dataprotection.ie/en (last visited Aug. 24, 2025) (explaining the Data Protection Commission’s role in enforcing the GDPR).

[23] Riaz, supra note 22. 

[24] Ian Curran, Microsoft-owned LinkedIn fined €310m by Irish Data Protection Commission, The Irish Times (Oct. 24, 2024). 

[25] Data Protection Commission, Irish Data Protection Commission fines LinkedIn Ireland €310 million (Oct. 24, 2024).

[26] Id. See also The Data Protection Commission, supra note 22 (explaining the Data Protection Commission’s role in enforcing the GDPR).

[27] Irish Data Protection Commission fines LinkedIn Ireland €310 million, supra note 25. 

[28] See The EU’s General Data Protection Regulation (GDPR) (Comparing GDPR with Laws from California, Virginia, and Colorado), Bloomberg Law, https://pro.bloomberglaw.com/insights/privacy/the-eus-general-data-protection-regulation-gdpr/ (last visited July 31, 2025).

[29] Id.

[30] Id.

[31] Id.

[32] Id.

[33] See id. (comparing state laws in United States to the umbrella GDPR).

[34] See id.; Consumer Data Privacy: EU’s GDPR vs. China’s PIPL, Bloomberg Law (May 3, 2023), https://pro.bloomberglaw.com/insights/privacy/consumer-data-privacy-eus-gdpr-vs-chinas-pipl/ (comparing laws from various jurisdictions).

[35] See The EU’s General Data Protection Regulation (GDPR) (Comparing GDPR with Laws from California, Virginia, and Colorado), Bloomberg Law, https://pro.bloomberglaw.com/insights/privacy/the-eus-general-data-protection-regulation-gdpr/ (last visited July 31, 2025) (comparing the GDPR to state laws such as the CCPA).

[36] See id. (comparing data privacy laws in the United States with the GDPR); Consumer Data Privacy: EU’s GDPR vs. China’s PIPL, Bloomberg Law (May 3, 2023) (comparing international data privacy law).

[37] See Which States Have Consumer Data Privacy Laws, Bloomberg Law (Sept. 10, 2024), https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/ (explaining that only twenty out of fifty states have extensive data privacy protections and that this “patchwork approach” creates risk for companies with a national reach); Justin Sherman, Data Brokers and Data Breaches, Duke Sanford School of Public Policy (Sept. 27, 2022), https://techpolicy.sanford.duke.edu/blogroll/data-brokers-and-data-breaches/ (stating that as companies buy and sell data, they create the risk of millions of consumers’ private information becoming compromised); see The EU’s General Data Protection Regulation (GDPR) (Comparing GDPR with Laws from California, Virginia, and Colorado), Bloomberg Law, https://pro.bloomberglaw.com/insights/privacy/the-eus-general-data-protection-regulation-gdpr/ (last visited July 31, 2025) (comparing the GDPR to state laws such as the CCPA).