GDPR vs. CCPA vs. CPRA vs. VCDPA vs. CPA – or why I don’t get all the backlash against my commentary on EU charging big tech similarly to a retainer. 👇
Earlier this week, my post discussed the Zuckerberg interview with Joe Rogan about 30 billion in fines by the EU to US big tech. My liberal philosophy here is primarily:
– GDPR affects every single business vs. larger businesses
– Risks/cost caps are simply too high and outright scary
– Legal complexity is a lot to undertake (regulations should be simplified, both in the fine print, and in technical requirements)
– Online software depends on tons of 3rd party data – it’s just how it is, and preventing this would break the web more than the pop-ups cluttering all sites now
– As a result, this suppresses innovation in Europe – which is a common problem with the social policy for workers, shorter work weeks, longer PTO, longer maternity leaves, convoluted accounting for SMBs (especially VAT MOSS for cross-state transitions) and many more, without necessarily seeking a balance that stirs innovation
This faced a lot of backlash, coming almost exclusively from European Union citizens. And I am not a lawyer, so if you pass along any facts, tools, or scanners I have missed, I’m happy to lean this way (haven’t seen anything convincing so far).
So I checked a Bloomberg Law report (will link below) comparing 5 of the leading privacy regulations.
1. The other laws apply to California, Virginia, and Colorado. GDPR applies to the EU. Catering to an individual, specific state is easier to map out vs. understanding 27 standalone member states with 450 million users (compared to about 52 million for all three US states combined).
2. GDPR has no revenue or processing threshold ❗ It applies to individuals and freelancers just as much as it does to 50,000 corporations. In comparison, CCPA/CPRA only apply the acts for annual revenues higher than $25M for the previous calendar year. SMBs are free to operate and grow. And all acts require data of at least 50,000 consumers (users).
3. CCPA/CPRA civil penalties are up to $7,500 per intentional violation or $2,500 per unintentional violation. GDPR defined fines as “up to 20 million Euro or 4% of total worldwide annual turnover, whichever is higher.” ⛔
I know that other considerations apply, including that EU citizens living abroad are also subject to the same data privacy policies. For digital products, if blocking entire countries or regions applies, a resident in the US with a European passport is still a liability for that tax above should they “fake” the system and get in.
In terms of who’s who, some countries have simply blocked entire ranges of websites like YouTube. China, Iran, and North Korea are a few notable examples. I believe LinkedIn is even banned in Russia.
Bottom line, it’s not about burning the midnight oil 24/7. But the Old Continent is old for several reasons… (continues below)

