1. As a regulation, the GDPR does not require national governments to pass any legislation—it's directly binding and applicable.
Jules Polonetsky: Europe has always had a stricter set of privacy rules than the U.S., but what some higher-ed institutions may not appreciate is that this new GDPR really extends the extraterritorial reach of that European legislation. So even if you are not a institution with major programs in Europe, if you accept European students, if you market to European students, if your website engages Europeans in any way, you're subject to this new legislation, and it requires great detail and specificity. You need to explain exactly how you're using data, who you give it to. You've gotta provide access rights, if somebody wants to access what you've got about them, delete it.
2. Potential steep fines for GDPR violation are driving investment in compliance efforts globally.
Polonetsky: If you fail to comply, the penalties can be as high as 4% of your global revenue. Now, unlikely that, you know, a meaning-well higher-ed institution is gonna be asked for 4% of its global revenue, but the penalty's on the books, and the regulators there are promising that they're gonna use their new authority and so, organizations around the world are really investing in the work they need to do to make sure they're ready for this law.
3. The United States is unlike most Western democracies in that it has no general privacy laws.
Polonetsky: Almost every country, every Western democracy around the world now has a general privacy law. Privacy is increasingly recognized as a basic human right. In the U.S., we've had a sector-specific set of rules. Student data is protected in one way, financial data, another way, health data, credit. But most other data isn't protected at all. What we are seeing is states passing laws, cities putting rules into effect, school boards putting K-12 rules into effect, so it's gotten so complex.
4. A general US data privacy law could help address the complexity of the current US digital landscape.
Polonetsky: And I think reasonable people recognize that, look, there's a role for marketing in the world, products and services are cheaper when there's good competition, but there need to be boundaries. You don't want to be intruded on. Maybe I know that, when I browse the web, there are ads targeted to me based on tracking, but I have a smart speaker in my home, and I have a TV, and I have a Echo. Where and how does data about that get used? I have a Fitbit. Where does data about my exercise or other intimate things you can learn about me? We've organized some of the direct-to-consumer genetics companies, right? They've got your DNA. What's more, it's the code that can describe almost everything about your life. Those aren't covered by the health privacy law because it's not data collected in a medical, an insurance example. Clearly, we want commitments that that data's not gonna be misused.