No good deed goes unpunished.
At least, that’s been my experience with a lot of charities. They could simply say “thank you” and leave it there. Instead I am subscribed to emails, letters, catalogs, even the occasional evening phone call. According to this article from 2018, charities send spam because “it works” (at least, that’s what the author took from one study on how many people read letters from charities they previously donated to). I do wonder though, if charities offered a “do not spam” option as a benefit for donating more, how well that would work compared to another mug or tote bag.
I’ve found this also happens when buying from small businesses. A year ago, we received a gift subscription to Kiwi Crate. KiwiCo makes well-crafted, STEAM-related activities for kids that were perfect during the pandemic. The boxes were addressed to the person that gave us the subscription, and since then, we’ve received - no exaggeration - well over a hundred catalogs from dozens of companies, all addressed to the person that gifted us the subscription. I’ve been trying to unsubscribe from all of them for 6 months, and while I’ve made progress (especially since paying $4 for a third account on DMAChoice), we’re still receiving at least 1-2 per week.
I don’t like supporting Amazon or Jeff Bezos, but they understand user experience better than any other online retailer. UX isn’t just about how something looks. UX is also “I can trust that when I make this purchase, I’m not going to end up getting spammed by this seller, forever, until I figure out how to make it stop”. I don’t have that confidence when I buy from anywhere else online, and the smaller the company, the less confident I am that they will respect my time and privacy.
And then there’s political spam. I know I’m not the only one that received a massive amount of spam email and phone calls, and text messages leading up to the last mid-term election. Strangely, nothing came in the mail. The quality and quantity of these messages has already been the subject of blistering ridicule elsewhere. I will say I enjoy replying “STOP” to a random number, getting an automated reply back, and thinking “well, it’s finally over. I’ll never get another text from that one single phone number again”.
All of this combines for me into a general feeling of dread. There are hundreds of private companies assembling lists of names, addresses, social security numbers, etc. I and my family are on those lists, and there’s nothing I can do about that. There are companies that track when and where you move. There are websites that collect and publish all publicly available information about you, in an obvious extortion scheme. There is a company that assembles and sells data on students as young as 13. Private data brokers are selling phone geolocation data to state and local law enforcement so they can “see where a person was at any point in time over the past several years”. All of this is legal in the US.
If only there was a better way, something that provided real consumer data and privacy protection for my family and I, meager private American citizens that don’t live in the states of California, Colorado, or Virginia.
Why is there no American GDPR?
To explain why a GDPR-equivalent law doesn’t exist in the US, how a US version might look, and how to advocate for an equivalent law to be enacted here, I turned of course to ChatGPT. It’s not an easy set of questions, yet I found its ice-cold response surprisingly reasonable and informed.
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that was enacted in the European Union (EU) in 2018. It provides individuals with strong rights over their personal data, including the right to access, rectify, erase, and restrict the processing of their data. It also imposes strict obligations on organizations that collect and process personal data, requiring them to be transparent, secure, and accountable for their use of personal data.
Despite the widespread recognition of the importance of strong data protection laws, there is currently no equivalent law in the United States. This is due in part to the complex legal and political landscape in the United States, as well as the lack of a comprehensive federal privacy law. In the past, there have been attempts to introduce similar legislation, such as the Privacy Act of 1974 and the Consumer Privacy Bill of Rights Act of 2015, but these efforts have not been successful in passing into law.
At the state level, some states, such as California and Virginia, have enacted their own data protection laws, but these laws vary widely in their scope and requirements. This patchwork of state laws creates confusion and inconsistency for businesses operating across state lines, and does not provide individuals with the same level of protection as the GDPR.
If an American version of the GDPR were to be developed, it is likely that it would take into account the unique legal and cultural context of the United States. This could include considerations such as the First Amendment right to free speech, the constitutional right to privacy, and the role of federalism in regulating personal data. An American GDPR might also incorporate elements of existing federal and state laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act (CCPA), to create a more comprehensive and cohesive framework for data protection.
As individuals and organizations, we can help make an American GDPR a reality by advocating for strong data protection laws at the federal and state level. This can include contacting our elected representatives, supporting organizations that are working on data protection issues, and staying informed about developments in data protection policy. By raising our voices and taking action, we can help create a future where personal data is treated with the respect and protection it deserves.
Let’s also consider what actual humans have written.
This human-written Wirecutter article from 2021 goes into detail about why consumer data protection laws are such a mess and why they’re needed:
The data collected by the vast majority of products people use every day isn’t regulated. Since there are no federal privacy laws regulating many companies, they’re pretty much free to do what they want with the data, unless a state has its own data privacy law (more on that below).
- In most states, companies can use, share, or sell any data they collect about you without notifying you that they’re doing so.
- No national law standardizes when (or if) a company must notify you if your data is breached or exposed to unauthorized parties.
- If a company shares your data, including sensitive information such as your health or location, with third parties (like data brokers), those third parties can further sell it or share it without notifying you.
“Most people believe they’re protected, until they’re not,” said Ashkan Soltani, an independent researcher and former chief technologist at the Federal Trade Commission. “Sadly, because this ecosystem is primarily hidden from view and not transparent, consumers aren’t able to see and understand the flow of information.”
This human-written Washington Post article from 2018 offers a few reasons why an American GDPR won’t happen any time soon: namely that there is no agency to carry it out, congress won’t pass anything even close to it in terms of complexity, and the public doesn’t care enough about it, although it offers evidence that the public concern is growing.
I’d like to think that public concern is growing, and that there might be something smaller that could be passed at the federal level. It seems like the kind of issue that could enjoy bipartisan support, but then again, I’m quite sure there are rooms, floors, possibly entire buildings of lobbyists working as we speak to make sure that doesn’t happen.
This human-written Wired article from 2020 suggests that a “GDPR-lite” could be passed, but that we have different problems here:
Data-protection rules can also be short-sighted because they ignore how industry’s appetite for data is wrecking our environment, our democracy, our attention spans and our emotional health. Even if GDPR-style data protection were sufficient, the US is too different from Europe to implement and enforce such a framework effectively on those terms. Any US version of GDPR would, in practice, be something of a GDPR-lite.
Perhaps the main reason we can’t have a strong federal data/privacy laws in the US is that too many Americans have been led to believe that the federal government can’t be trusted, that all of their tax dollars are wasted, and that the free market and private industry can solve all problems. Why that’s wrong is maybe a topic for another article.
One things for sure: random cookie banners at the bottom of every website forever is not the answer.