GDPR and the U.S. Startup Ecosystem

As of today, Europe’s new sweeping Internet privacy rules have gone into effect, and companies of all sizes and all over the world that have Europeans’ data are rethinking how they collect and process user data.

The General Data Protection Regulation (GDPR) sets rules around how organizations can collect, store, use, and share user data, with a focus on ensuring that users have control over who has their data and how it’s used. The rules also dictate how companies must correct and release user data when a user asks for it and notify users within 72 hours if their data has been made vulnerable by a data breach. If companies fail to comply with the rules, they can face fines up to 20 million Euros or 4 percent of global revenue, whichever is higher.

Obviously finding ways to boost consumer privacy, security, and control over their data is a worthy goal. But the boosts to user privacy, security, and control in GDPR come with increased costs and risks for any company that has European users’ data, and the ambiguity in the rules, combined with steep fines could keep companies from trying to reach European markets. That will restrict choices for European users and stifle growth for U.S. companies, especially the startups that don’t have the money or legal resources to navigate complex European rules. We can already see what happens when the hurdles are too high.

Today’s GDPR rollout is happening against the backdrop of a bigger conversation here in the U.S. about the responsibility of Internet companies as conduits of information and stewards of users’ data. This week, a group of Senate Democrats introduced a nonbinding resolution asking tech companies to extend GDPR protections to American users.

“When the European privacy law takes effect, the American people are going to wonder why they are getting second-class privacy protections,” Sen. Ed Markey (D-Mass.) said in a statement. “If companies can afford to protect Europeans’ privacy, they can also afford to do so for their American customers and users.”

The truth is that not all companies can afford to meet the very high bar set by GDPR. Unlike the tech industry giants that often find themselves in hot water with privacy-minded members of Congress, most startups don’t have the budget or the legal team to deal with a mandate like that. Writing a set of privacy rules with the biggest tech companies in mind only ensures that small and new companies can’t afford to compete with those big companies, which is what we can expect to play out in Europe now that GDPR has gone into effect.

Any new U.S. privacy rules should be written in consultation with the startups that are the most likely to be hurt by the unintended consequences of an ambiguous legal regime. Simply importing GDPR wholesale to the U.S. without a nuanced debate about the real implications for user privacy and U.S. innovation isn’t the right answer for the thriving U.S. startup ecosystem and the U.S. users who benefit from the innovation it produces.