In The Privacy Insider, Osano CEO Arlo Gilbert lays out the relevant information for you to understand and operationalize data privacy in simple, clear language that focuses on what’s relevant to businesses seeking to do the right thing.  

Unfortunately, one of the biggest barriers to ethical data privacy practices is simply understanding what the law requires. The world has over 160 data privacy laws, each with its own unique language, obligations, and penalties. That’s why Arlo dedicated Chapter 5 of The Privacy Insider to unpacking the basics of global data privacy regulation. Arlo begins this chapter by explaining a concept that groups most data privacy laws into three fundamental categories: the tripolar privacy model. Check out the excerpt below to learn more.

The world of privacy regulations gets complicated fast once we look beyond the GDPR. A core challenge is a lack of consistency across regions and industries. And it’s not just that regulations vary from one area to the next. It’s that three of the world’s biggest regions—the European Union, the United States, and China—each have fundamentally different philosophies about data privacy. Experts have referred to this dilemma as the tripolar privacy model.[128] The EU is known to have an approach centered on the individual, prioritizing the protection of user data above all else, as we’ve seen in the GDPR. China’s regulations emphasize maintaining the government’s control over its citizens’ data. Although its privacy law, the Personal Information Protection Law (PIPL), shares lots of similarities with the GDPR, a key difference is that it’s enforced by China’s government rather than an independent third party. The United States’ data-privacy landscape has been shaped by a longtime lack of federal regulations, leading some experts to classify the country’s philosophy as consumer-centric. A study out of the University of Brazil referred to the United States’ data-privacy approach as an “innovation-first approach that does not take matters such as privacy into great consideration.”[129] In other words, lacking a universal law to protect US citizens’ data-privacy rights, the major tech companies that benefit from the data have been free to make up the rules as they go.

Despite numerous proposals over the years, no one comprehensive federal law governs data privacy in the US as of this writing. This doesn’t mean the US is totally lawless when it comes to data privacy. It actually has a breadth of sectoral data privacy and data-security laws. The US is also experiencing a massive drive toward pushing privacy legislation at the state level. Rather than wait for the federal government to find a consensus on how to legislate broadly, state lawmakers have been nudged by consumers, consumer advocates, and even companies to set their own rules. 

This model serves as a reasonable way to understand the intention behind most data privacy laws. You can learn a lot about a given law by assessing whether it focuses on protecting individuals, increasing government oversight, or minimizing the impact of compliance on businesses.

In the remainder of the chapter, Arlo dives into the specifics of major laws like the GDPR, CPRA, and others. Then, Arlo closes the chapter out with an overview of the most important, basic features of a data privacy law, such as consent requirements, fines and penalties, subject rights requests, and so on. In short, if you read Chapter 5 of The Privacy Insider, you’ll walk away understanding the fundamentals of global data privacy laws. And if you read the whole book, you’ll understand data privacy laws, the daily work of compliance, the benefits you’ll reap beyond just avoiding fines and penalties, and how to implement and operationalize a data privacy program that expedites compliance and scales with you.


  128. Jim Nash, “A Tri-Polar Privacy World: China, EU, US Conflict on Rights Regimes,”, June 28, 2021, -privacy-world-china-eu-us-conflict-on-rights-regimes.
  129. Jaqueline Trevisan Pigatto, Mark W. Datysgeld, and Laura Gabrieli Pereira da Silva, “Internet Governance Is What Global Stakeholders Make of It: A Tripolar Approach,” Revista Brasileira