Privacy in the EU and US

Data protection and privacy laws are being introduced or reviewed around the world in an effort to keep pace with technologies and strengthen the protection of personal data and privacy online. It is important to look at how these regulations are being implemented and whether they help consumers exercise their privacy and data protection rights. But how consistent are consumers’ experiences across different markets?

This research examines how aspects of privacy and data protection are working for consumers in two major economic areas – the EU and the US. Both have high levels of digital use, and major online providers offer very similar services in both regions. However, their legal approach to data protection and privacy are very different: while the EU has a general data protection law, the US to-date has not enacted such an all-encompassing law at the federal level.

Three major services providers, Amazon, Netflix and Spotify, were selected to examine to what extent their customers based in the US receive a standard of privacy and data protection comparable to that of their EU customers. This was done through a mixture of mystery shopping, requests for access to personal data made by volunteers, and an analysis of existing EU and US legislation including the General Data Protection Regulation (GDPR) and the e-Privacy Directive (ePD) in the EU, and the California Consumer Privacy Act (CCPA) in the US, which at the time of analysis and publication of this report, has not yet entered into force.

Based on the research carried out, the key findings reveal that:

• Users cannot avoid being tracked. All three companies use cookies and other means to track users by default for behavioural targeted advertising purposes. While Amazon EU, Netflix EU and Spotify EU do present cookie notices to visitors on their websites, they rely on implied consent that is contrary to the legal requirement of opt-in consent in the EU. The US counterparts of the three companies do not notify their customers of ‘cookie’ trackers altogether.
• Third parties track users. Each service appears to allow third-party tracking by default on their websites, with Amazon being the most and Netflix being the least intrusive of the three. This results in tracking of user behaviour and targeted ads.
• Privacy policies and other related policies are generally hard to read. They were found to be long, not concise or easy to understand.
• Companies fail to provide proper transparency. Even when operating under GDPR, none of the three companies clearly notify users of the specific purpose and legal basis for processing their data or how long it will be stored (retention).
• Dark patterns appear to be present. The use of design features and wording do not necessarily act in the interest of individuals nor appear to incorporate ‘data protection by design’ into their approach. These companies may set privacy intrusive defaults such as a pre-ticked ‘tailored ads’ option or use in-app tracking [1] for advertising purposes, neither of which are clearly notified to individuals.
• Amazon treats US users differently in terms of rights to access. Unlike Netflix US and Spotify US, the research discovered that Amazon US does not provide the same level of transparency nor gives its customers the ‘right of access’ to their personal data enjoyed by the EU customers of Amazon. Netflix and Spotify do not appear to treat their US customers differently from EU customers in these regards.

The research findings on the specific topics analysed, question whether the companies are fully meeting their obligations on transparency, data protection by design and default, consent and key rights under the GDPR and the ePD. The findings also provide lessons relevant to the implementation and enforcement of the CCPA, as per regulations proposed by the California Attorney General. The proposed CCPA regulations are intended to 'establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply'.

The findings show that key objectives of EU law, to ensure businesses are transparent and clear about their use of peoples’ data and that they meet and make it easy to exercise key rights, requires stronger oversight and enforcement of legal protections. Consumer and privacy organisations can help enforcement by continuing investigations and taking cases to court as necessary. The findings also indicate that in the US, a baseline federal data protection and privacy law should be established that does not pre-empt stronger state law and protections and that creates an independent data protection agency. We give more detailed recommendations under each section of this report.

[1] A review of the Android mobile apps for Amazon US/UK and Spotify US/UK found software code embedded for the purposes of advertising-related tracking and targeting. The Netflix Android app did not appear to contain such code.