Privacy Laws: understanding the difference in EU & US approaches

Leïla Sayssa
28 February 2026·14 minutes read time

At first glance, privacy laws in Europe and the United States appear to pursue the same goal: protecting individuals from misuse of their personal data. In reality, they are built on very different legal foundations.

The European Union regulates privacy through the GDPR, a comprehensive framework grounded in the idea that personal data protection is a fundamental right. The United States, by contrast, has developed privacy regulation through a combination of consumer protection rules, sectoral statutes, and state-level legislation, producing a far more fragmented system.

These structural differences have major implications for organisations operating across both markets. Compliance strategies that work in Europe do not always translate easily to the U.S., and vice versa.

Understanding these distinctions is essential for building effective transatlantic privacy programmes. This article explores the philosophical, structural, and enforcement differences between the two systems and explains how organisations can navigate them.

I. A foundational philosophical divide

Privacy law does not mean the same thing on both sides of the Atlantic. The difference is not merely technical or procedural: it is deeply philosophical, rooted in divergent conceptions of the relationship between individuals, corporations, and the state.

The EU: Privacy as a fundamental right

In the European Union, the protection of personal data is enshrined as a fundamental right in Article 8 of the Charter of Fundamental Rights of the European Union, alongside the right to respect for private and family life under Article 7. This constitutional anchoring has profound consequences: it means that data protection cannot simply be traded off against economic efficiency or business interests. It must be actively protected by public authorities.

The GDPR, which entered into force in May 2018, is the primary expression of this philosophy. It is deliberately prescriptive, imposing ex ante obligations on data controllers and processors, and creating a comprehensive architecture of individual rights — including the right of access, erasure, rectification, data portability, and the right to object to automated decision-making. These rights exist independently of any demonstrated harm.

Under the EU model, individuals do not need to prove damage to invoke their rights. The mere processing of personal data without a valid legal basis is itself a violation.

The US: Privacy as a risk-based & consumer protection issue

The United States has no federal constitutional right to data privacy in the modern sense, and no comprehensive federal privacy law equivalent to the GDPR. Instead, US privacy law has developed as a patchwork of sectoral statutes such as HIPAA for health data, COPPA for children's data, GLBA for financial information, layered with state-level legislation and enforced primarily through consumer protection and data security frameworks.

The dominant logic is harm-based and reactive: privacy violations are primarily problematic insofar as they cause tangible harm such as financial loss, identity theft, discriminatory treatment, or reputational damage. Accordingly, the law focuses less on preventing processing and more on ensuring adequate security measures are in place to prevent data misuse or unauthorized access.

In the US model, the question is not 'do you have a legal basis to process this data?' but rather 'are you adequately protecting it and are you transparent about your practices?'

II. Key structural differences at a glance

Dimension: Regulatory model
  European Union (GDPR): Single comprehensive framework (GDPR) applied across all EU member states
  United States (State Privacy Laws): Fragmented system of state laws (e.g., California, Colorado, Connecticut, Oregon, New Jersey, etc.)

Dimension: Legal philosophy
  European Union (GDPR): Fundamental rights framework based on protection of personal data as a fundamental right
  United States (State Privacy Laws): Consumer protection and risk-based approach focused on specific harms and business practices

Dimension: Scope of regulation
  European Union (GDPR): Broad and uniform rules governing all personal data processing
  United States (State Privacy Laws): Varies by state law, with different definitions, thresholds, and obligations

Dimension: Trigger for obligations
  European Union (GDPR): Processing generally requires a lawful basis
  United States (State Privacy Laws): Transparency through notices and policies

Dimension: Coverage thresholds
  European Union (GDPR): Applies broadly to most organisations processing EU personal data
  United States (State Privacy Laws): Most state laws apply only when companies meet revenue or data volume thresholds

Dimension: Assessment requirement
  European Union (GDPR): Data Protection Impact Assessments (DPIAs) required for high-risk processing
  United States (State Privacy Laws): Privacy impact assessments required for specific high-risk activities explicitly mentioned in the laws

Dimension: Regulatory authorities
  European Union (GDPR): Independent Data Protection Authorities (DPAs) coordinated by the EDPB
  United States (State Privacy Laws): State Attorneys General and, in some cases, specialised agencies (e.g., the CPPA in California)

Dimension: Legal interpretation
  European Union (GDPR): Extensive guidance from the EDPB and consistent interpretation across the EU
  United States (State Privacy Laws): Interpretation often shaped by state and Attorney General guidance, public hearings, and enforcement actions

Dimension: Consumer rights
  European Union (GDPR): Standardised rights across the EU (access, erasure, portability, restriction, etc.)
  United States (State Privacy Laws): Similar rights exist but vary slightly by state (access, deletion, correction, opt-out of sale/targeted advertising)

Dimension: Compliance approach
  European Union (GDPR): Principle-based and governance-heavy
  United States (State Privacy Laws): Operational triggers and activity-based obligations

A. Lawful basis vs. opt-out: two opposite regulatory logics

One of the most fundamental structural differences between European and American privacy law concerns the legitimacy of data processing itself.

The EU: processing is prohibited unless justified

Under the GDPR, the processing of personal data is not automatically lawful. Instead, it must be justified by one of the six lawful bases established in Article 6: consent of the data subject, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task carried out in the public interest, or legitimate interests pursued by the controller.

This structure creates what can be described as an ex ante legality framework. Before processing personal data, organisations must determine the legal basis that authorises the activity and document that justification.

The burden is therefore placed on organisations to demonstrate that their processing activities are lawful from the outset. If no valid legal basis exists, the processing itself is unlawful, regardless of whether any concrete harm occurs.

This requirement drives much of the GDPR’s governance architecture: organisations must maintain records of processing activities, map data flows, and ensure that processing remains consistent with the purposes and lawful bases initially identified.

The U.S.: processing is generally permitted unless restricted

Most U.S. privacy laws operate according to a fundamentally different logic. Rather than requiring organisations to justify data processing in advance, the default assumption is that data processing is generally permissible unless specific practices are restricted by law.

U.S. privacy frameworks therefore focus less on legal justification and more on transparency and consumer choice. Organisations are typically required to:

  • provide clear privacy notices describing data practices

  • disclose whether personal data is sold, shared, or used for targeted advertising

  • allow individuals to exercise certain rights, particularly opt-out rights

The most common rights granted under state privacy laws include the right to opt out of the sale of personal data, targeted advertising & certain forms of profiling.

The regulatory model is therefore opt-out driven rather than permission-driven. Instead of asking whether a company is legally allowed to process data, the law asks whether consumers have been adequately informed and given the opportunity to object to certain uses.


B. Accountability vs. transparency: two compliance architectures

Another major distinction between EU and U.S. privacy law lies in how each system conceptualises organisational responsibility.

The EU: accountability as a core principle

The GDPR is built around the accountability principle, which requires controllers to not only comply with the law but also to demonstrate compliance.

This obligation has resulted in a dense architecture of governance requirements, including:

  • maintaining records of processing activities (ROPA)

  • conducting Data Protection Impact Assessments (DPIAs) for high-risk processing

  • appointing a Data Protection Officer in certain circumstances

  • implementing data protection by design and by default

  • documenting consent where it is relied upon as a lawful basis

These mechanisms require organisations to maintain continuous internal documentation showing how data protection obligations are embedded into business processes.

Compliance is therefore not limited to outward transparency toward individuals; it also requires internal evidence of governance and oversight.

The U.S.: transparency as the primary regulatory tool

By contrast, most U.S. privacy laws rely more heavily on transparency and disclosure obligations than on extensive internal documentation requirements.

Companies are generally required to:

  • publish detailed privacy notices

  • disclose categories of personal data collected and shared

  • describe consumer rights and how to exercise them

  • implement mechanisms to respond to rights requests

Although some documentation obligations exist, particularly for data protection assessments under newer state laws, they are typically narrower in scope than the governance structures mandated by the GDPR.

As a result, the U.S. compliance model tends to be externally oriented, focusing on what organisations communicate to consumers, rather than on comprehensive internal accountability frameworks.


C. Divergent enforcement models

The two systems also differ significantly in their approach to regulatory enforcement.

The EU: administrative enforcement through data protection authorities

In the European Union, privacy enforcement is primarily carried out by independent Data Protection Authorities (DPAs) in each Member State. These authorities coordinate their interpretation of the GDPR through the European Data Protection Board (EDPB).

DPAs have extensive investigative and corrective powers, including the ability to conduct audits and investigations, order organisations to change their practices, suspend or prohibit processing activities, and impose administrative fines.

The GDPR’s penalty framework is particularly significant. Regulators may impose fines of up to €20 million or 4% of global annual turnover, whichever is higher.

This model reflects a centralised administrative enforcement structure, where public authorities play the dominant role in supervising compliance.

The U.S.: hybrid enforcement through regulators and courts

In the United States, privacy enforcement is more decentralised and hybrid in nature.

Enforcement may involve:

  • state Attorneys General

  • specialised regulatory agencies such as the California Privacy Protection Agency

  • the Federal Trade Commission under its authority to address unfair or deceptive practices

  • private litigation brought by individuals or classes of plaintiffs

This system produces a more complex enforcement environment, where regulatory actions coexist with civil lawsuits and class action litigation.

While regulatory fines in the U.S. are often lower than GDPR administrative penalties, the aggregate financial exposure from litigation can be substantial, particularly in large-scale consumer lawsuits.


D. Private litigation as a central feature of U.S. privacy enforcement

Closely related to enforcement philosophy is the role of private litigation.

The EU: regulator-driven enforcement

In the EU framework, enforcement is primarily driven by regulators rather than private lawsuits. Individuals may lodge complaints with Data Protection Authorities or seek judicial remedies, but the system relies heavily on administrative supervision.

Although collective actions are increasingly possible under new EU mechanisms, large-scale privacy litigation remains less central to enforcement than in the United States.

The U.S.: litigation risk as a major compliance driver

In contrast, civil litigation plays a central role in the U.S. privacy landscape.

Individuals and consumer groups frequently bring lawsuits related to:

  • data breaches

  • deceptive privacy practices

  • misuse of personal data

The possibility of class action litigation significantly shapes corporate behaviour. Even where regulatory enforcement is limited, the risk of large-scale lawsuits can create powerful incentives for organisations to adopt stronger privacy and security practices.

III. Navigating the US patchwork

The absence of a unified federal framework creates significant compliance complexity for organisations operating in the United States. Understanding this landscape requires careful attention to eligibility thresholds, definitional variations, and enforcement mechanisms that differ materially across jurisdictions.

Applicability thresholds and fragmented scope

To navigate the fragmented patchwork of US privacy laws, understanding eligibility is crucial. Applicability thresholds of state laws vary based on the number of data subjects, company revenue, or the nature of data processed. This creates a compliance environment where a company may be subject to California law but not Virginia's, or subject to both with conflicting obligations.

US legislation also tends to be brief and principles-based, with key operational details clarified through Attorney General guidance, rulemaking, FAQs and enforcement actions rather than prescriptive regulatory templates. This makes compliance assessment inherently more dynamic and judgment-intensive.

The definition of personal or sensitive data also shifts significantly across states. Several jurisdictions exclude employee data or business-to-business data entirely from the scope of their consumer privacy laws — a sharp contrast with the GDPR's uniform and expansive definition of personal data.

Adopting the strictest framework as a baseline

Given this fragmentation, the most operationally effective approach is to identify and adopt the strictest applicable framework as an internal standard. California's CCPA (and its amendment, the CPRA) applies broadly across sectors and is the most mature and developed state framework, with detailed regulations and active enforcement. Massachusetts, while narrower in scope, has particularly robust data security requirements that set a high bar for technical and organisational measures.

Compliance with the strictest state law does not guarantee compliance across all jurisdictions, but it significantly reduces residual risk and creates a defensible baseline position.

IV. Data security as the backbone of US Privacy

If rights are the backbone of European privacy law, security is the backbone of its American counterpart. US privacy law — at both federal and state levels — is fundamentally rooted in data security principles, and this shapes compliance obligations in important ways.

Even companies that fall below the statutory thresholds of state privacy laws, and thus escape the full scope of consumer rights obligations, must comply with baseline safety and risk management duties. These obligations derive from a combination of state data security laws, FTC Act Section 5 unfair practices jurisdiction, and sector-specific requirements.

Many organisations use the NIST Cybersecurity Framework as an internal reference point for structuring their security programmes. Importantly, however, NIST adoption is voluntary: it is a best-practice benchmark, not a legal requirement. Compliance with NIST does not, by itself, establish legal compliance.

In practice, businesses should apply the highest available security standard, rigorously document their risk assessments, and ensure that US data security requirements are embedded in vendor and third-party management processes — not treated as a secondary concern after privacy compliance.

V. Practical synthesis: building a transatlantic programme

For organisations operating across both regimes, the goal is not to build two separate compliance programmes, but to construct a single coherent framework that satisfies the requirements of both. The following principles guide that process:

1. Start with GDPR as the structural backbone

Use GDPR's data mapping, lawfulness of processing, and individual rights framework as the default architecture. It sets the highest bar and creates the most complete documentation trail.

2. Make it US-compliant through a jurisdictional mapping exercise

Overlay GDPR compliance with a systematic review of applicable US state laws. Identify thresholds, definitional differences, and sector-specific rules. Document which laws apply and why.

3. Prioritise security as a universal obligation

Treat data security as non-negotiable regardless of whether statutory thresholds are met. Adopt the highest available standard, maintain documented risk assessments, and embed security requirements in all third-party contracts.

4. Maintain dynamic compliance

US privacy law is evolving rapidly; multiple states have enacted or are enacting comprehensive privacy legislation. A static compliance review is insufficient. Organisations should build ongoing monitoring of regulatory and legislative developments into their compliance function.

For more details, check out our article "Multi-state privacy compliance in the U.S: stop managing privacy by ZIP code"