Transatlantic Privacy Gap

Consumer experiences across three global platforms

Privacy in the EU and US

The findings of a new report by the Transatlantic Consumer Dialogue (TACD) and Heinrich-Böll-Stiftung confirm the urgent need for federal privacy legislation in the U.S. – but they also highlight how, in the absence of stronger enforcement, companies do not meet all requirements of European data protection legislation.

The research used a mixture of anonymous testers, requests for access to personal data made by volunteers and an analysis of existing European Union and U.S. legislation. It found that the companies:

  • Use default settings that allow third parties to track users on their sites. Amazon was found to be the platform with the most intrusive third-party tracking, and Netflix was the one with the least;
  • Do not obtain valid opt-in consent for cookies, which record the user’s browsing activity, and instead rely on implied consent, which contradicts the requirements of the e-privacy directive. Spotify, for example, installed an automatic advertisement cookie on its website app without obtaining consent;
  • Apply privacy policies that are ambiguous about what data the companies collect and why. For example, the Netflix privacy notice advises that personal information may be processed for “other purposes described in the Use of Information section of this Privacy Statement,” but such purposes are not expressly defined in the statement;
  • Use design features and wording that support privacy-intrusive defaults. For example, Spotify advises those who seek to disable cookie tracking that doing so may negatively impact their experience, but does not explain why; and
  • Were found to have increased privacy settings and choices in the EU when compared with the U.S., especially in relation to data access requests through Amazon U.S.

Under the General Data Protection Regulation (GDPR), consumers in the EU enjoy stronger privacy protections, and they have the ability to hold companies to account with the help of independent regulatory authorities. Unlike in the EU, no comprehensive federal privacy legislation currently exists in the U.S. However, in January 2020, California will be implementing the California Consumer Privacy Act, which aims to offer California-based citizens consumer privacy protections similar to those of the GDPR.

“The findings once again confirm that American consumers have fewer rights, fewer protections and less say in comparison to Europeans. We are more vulnerable and more exposed to big tech abuses. The U.S. needs not only strong and comprehensive privacy rules but also effective enforcement of those rules,” said Burcu Kilic, digital rights program director for Public Citizen and U.S. co-chair of the TACD digital policy committee.

The report recommends that the U.S. establish a baseline federal data protection and privacy law that does not preempt stronger state privacy protections and that creates an independent data protection agency. In the EU, regulators should step up enforcement of existing privacy legislation, while consumer and privacy organizations continue to pressure and litigate against noncompliant company practices.

About the Transatlantic Consumer Dialogue

The Transatlantic Consumer Dialogue is a forum of U.S. and EU consumer organizations, which develops and agrees on joint consumer policy recommendations to the U.S. government and European Union to promote the consumer interest in EU and U.S. policy making. TACD champions the consumer perspective in transatlantic decision making. It is our mission to ensure that EU/U.S. policy dialogue promotes consumer welfare on both sides of the Atlantic and is well informed about the implications of policy decisions on consumers.