Even if you do not have to comply with GDPR, 12 States have passed data privacy regulations to date. You may still need to comply with data protection law regardless of whether you qualify for various State laws.
Even if State law doesn't apply - you have HIPAA, GLBA, SOX etc.
The U.S. and the EU signed the Data Privacy Framework over this past summer. https://www.dataprivacyframework.gov/s/ This offers methods for EU residents to exercise claims against U.S. businesses.
Among other requirements, a participating organization must provide you:
Information on the types of personal data collected
Information on the purposes of collection and use
Information on the type or identity of third parties to which your personal data is disclosed
Choices for limiting use and disclosure of your personal data
Access to your personal data
Notification of the organization’s liability if it transfers your personal data
Notification of the requirement to disclose your personal data in response to lawful requests by public authorities
Reasonable and appropriate security for your personal data
A response to your complaint within 45 days
Cost-free independent dispute resolution to address your data protection concerns
The ability to invoke binding arbitration to address any complaint that the organization has violated its obligations under the DPF Principles to you and that has not been resolved by other means
While you asked about GDPR, the banners are actually required for many use cases by the EU ePrivacy Directive[1]. This use case is both broader than, and different from, those afforded by GDPR. However, it's possible both can overlap and you can be sanctioned for both items at once.
Not every website is subject to GDPR - applicability is determined by GDPR Article 3[2]. When a site is subject to GDPR - you need a legal basis to process personal data[3] subject to Article 6[4]. Sites which use the 'consent' legal basis thus get consent with a banner.
If you do not have a valid legal basis (such as consent) to process data, but are found to be doing so - complaints with the relevant Data Protection Authority may be lodged and investigations may be carried out subject to Article 77[5]. In the event of an adverse decision, corrective action, including fines, may be levied. There are two fine structures in the GDPR, and those can be found in Article 83[6].
Now, a site can use geofencing to determine if you are in the EU (or other relevant location) and selectively show you a banner or not based on your believed location as determined by a reverse IP Address lookup.
You may be re-prompted between visits depending on whether the persistence mechanic you select is maintained. Some browsers delete cookies aggressively[7], and if the preference cookie is removed by the browser you will likely be issued a banner on the next visit to re-establish your preferences.
Data Privacy efforts are heavily slated to impact Analytics quality / volume in the next several years.
On the technical side we have things like Apple's Intelligent Tracking Prevention, App Tracking Transparency, Mail Tracking Transparency and Link Tracking Protection; Chrome is finally about to phase out 3rd party cookies; and browsers like Firefox and Edge lock down or block common web tracking technologies - just to name a few. All of this combines to add noise, or a reduction in volume, which impacts analysis efforts.
On the regulation side, we have global laws such as Europe's GDPR, 4 US States with current data privacy laws in effect, and a total of 12 US States slated to take effect before 2026 - all of which are slightly different in impact scope. This results in scenarios where even if you technically can collect data, you may not be legally allowed to, or, alternatively, are prevented from using it in specific ways.
This will force companies to switch back to Media Mix Models for attribution and adopt new privacy focused solutions for existing use cases to some extent.
Data analytics is getting more complex, not less. However that results in a massive amount of needed learning on a continued basis - which may not be for everyone.
Write a blog (history is valuable here), speak on podcasts, present at conferences, be active on social media.
This can lead to people offering you positions that aren't publicly posted, because via your engagement they feel they understand you enough that you should be able to fill the role they have in mind.
For example - I write 20 blog posts going in depth on some topic - there's a decent chance I may actually know that topic. When that skill set becomes critical to someone - the odds are higher they'll contact me for that skill set because chances are, I'll be top of mind through sheer volume or quality of information I have written about that skill.
The author does gloss over the fact that Twitter has FTC Consent & GDPR requirements to meet, which means it does have to slow down during feature development at the risk of fines.
Once your request is verified by LexisNexis, they should have kicked off multiple work streams (disclosure, limited purpose, deletion) which may resolve in different orders, but must resolve in 'x' days, where 'x' is related to the duration defined by law, plus any extra extensions they may have notified you of. This may mean that the entire request could reasonably take upwards of 90 days, depending on the specific scenario. Note that some data may qualify as exempt from deletion requests when it is required by other laws (such as gun sale records); the specifics are very context dependent.
If, after that time, you believe that LexisNexis did not comply with the request, then they may be in violation. Currently, for California residents, that means you can file a formal complaint with the CA Attorney General (https://oag.ca.gov/contact/consumer-complaint-against-busine...).
Note that this process will change on January 1st 2023 when the amendments of the CPRA go into effect and enforcement authority shifts to the California Privacy Protection Agency (https://cppa.ca.gov/). This will also subject LexisNexis to additional requirements and stricter definitions of terms such as 'sale'.
That case is not about accessing first party resources. It was about a German website which (effectively) shared data with a third party provider from a country with no adequate privacy protection.
The last two data exchange agreements between US/EU were overturned. I think it's unlikely at this point unless the USA adjusts some of its surveillance laws.
That gets to the heart of it. Europeans are increasingly uncomfortable using US based services due to how the data is used. It is not inconceivable that there will be multiple Internets based on legal jurisdiction, we already see this with China.
Do you imagine the EU blocking EU citizens from accessing US services? I find that hard to believe. "We're blocking your access to the outside world for your protection" must ring pretty hollow to the people who vote. It works in China because nobody gets a vote.
Extra-territorial laws are one way of achieving the same effect. A logical next-step would be blocking websites from jurisdictions where such extra-territorial laws are unenforceable.
"This website is in a territory not subject to EU regulations governing privacy, security, and content. Do you wish to proceed?"
> Simpler rules on cookies: the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies that improve internet experience, such as cookies to remember shopping-cart history or to count the number of website visitors.
My website has no banner, and is completely legal. I just use cookies for what they were meant for: as a login cookie and to store preferences such as dark mode.
It’s not the EU law that’s broken. It’s intentional that if you want to sell someone’s firstborn you need actual approval and not a clause hidden in the ToS.
It is already a reality that you can't access certain US websites as a European. They block you out because they don't want/don't know if they comply with GDPR. Same effect.
I remember when the Great Firewall was considered the manifestation of evil by old-time internet users.
It'll be hilarious if European nations decide pursuing GDPR cases is intractable when so many services Europeans use are fully outside the country (and beyond EU enforcement of jurisdiction) and they decide a firewall is necessary to protect their citizens from American surveillance. It would prove China was just ahead of the curve.