MarTech’s guide to GDPR: The General Data Protection Regulation

Five years on from GDPR’s debut, and with procedural changes afoot, here’s an updated guide to the seminal data privacy regulation.
When the European Union adopted its General Data Protection Regulation in 2018, the law was heralded as a privacy game changer that would usher in a new era of consent around online data collection and put the right to protect personal information directly in the hands of individuals.
It was also meant to standardize privacy laws across EU member nations. GDPR would eliminate the need for individual countries to write their own regulations, and would require any company, regardless of location, that markets goods or services to EU residents to comply with the law.
But five years later, enforcement challenges dog the watershed law, with complaints that were filed the day GDPR hit — alleging that Facebook, Instagram, WhatsApp, and Google forced users to give up personal information without proper consent — still wending their way through the court system.
Meanwhile, technology continues to evolve at a pace with which the glacial legal system simply cannot keep up (this article about GDPR compliance and AI tools like ChatGPT helps paint a picture of the challenges ahead).
This disconnect and the rumblings over lax enforcement, particularly in countries where big tech vendors are headquartered, are just a couple of the reasons that EU regulators are now looking to fine-tune the way GDPR is administered.
This piece will take a closer look at those procedural changes, as well as other data privacy regulations in the hopper, go over some of the law’s biggest fines to date, and examine what marketers need to know as we head into the second half of 2023.
Procedural changes on the horizon
Earlier this year, the European Commission announced that it would seek to streamline the way data protection authorities across the EU work together when enforcing GDPR in cross-border cases. “This will support a smooth functioning of the GDPR cooperation and dispute resolution mechanisms,” the Commission noted. The initiative — called Procedural Rules of Enforcement — aims to tackle a host of problems, from how GDPR complaints are handled to the duration of proceedings themselves. And when consensus cannot be reached, the proposed enforcement rules will “clarify” the procedural aspects of dispute resolution.
Critics have said the new enforcement rules are light on specifics, but with close to 800 cases pending under GDPR, procedural reform is critical. As NOYB, the European Center for Digital Rights, a non-profit based in Vienna, Austria, puts it, GDPR is enforced in theory only, with the tech companies finding ways to stall proceedings, appeal rulings, and circumvent fines. (“NOYB” is short for “none of your business.”)
GDPR’s stateside influence
In the U.S., new or amended data privacy laws are on the books in Virginia, California, Colorado, Connecticut, and Utah, with enforcement dates ranging from January 1 of this year (Virginia) to December 31 (Utah); California, Colorado, and Connecticut are effective as of July 1. In California, the California Privacy Rights Act (CPRA) amends the California Consumer Privacy Act (CCPA).
In addition, nine other states have proposed laws that are still pending, but marketers should anticipate eventual enactment.
These laws are notable in the present context because — with the exception of California — they all “adapt terminology” from GDPR, yet diverge in how they are enforced, with district attorneys, attorneys general, and, in the case of California, the California Privacy Protection Agency, all in the enforcement mix.
For marketers, cookie management will be of paramount importance as brands/websites continue to understand how consumer rights around sensitive data are protected under the state laws.
At the federal level, there’s a bipartisan effort to establish a new privacy law — called the American Data Privacy and Protection Act (ADPPA) — that would create a national standard around individual rights. And on March 1, the House Committee on Energy and Commerce held a hearing on the proposed law.
While no vote was held, privacy groups and other stakeholders note that the desire for federal privacy legislation exists and may ultimately result in action.
GDPR lobs hefty f