Data privacy law has gone mainstream in the United States thanks to the Cambridge Analytica and Facebook scandal.
Beyond going mainstream, new data privacy legislation is “inevitable,” according to Facebook CEO Mark Zuckerberg, who went through a gauntlet of questioning before the U.S. Congress last month. He is right that it is inevitable, but the newest bit of data privacy legislation won't be coming from the U.S.; it will come from the European Union, with the upcoming General Data Protection Regulation (GDPR).
Zuckerberg got into the hot seat because an app developer sold user information to Cambridge Analytica in a clear violation of Facebook’s terms of service. Facebook didn’t inform users at the time that their data had been sold without consent because the social media company believed Cambridge Analytica had deleted that data. Consequently, Facebook is now the least-trusted major tech company in America and Zuckerberg is open to greater legislation, a point he repeated often throughout his testimony although without much detail. Likely, he’s waiting to see how the GDPR will pan out before he commits further.
When asked about the GDPR, Zuckerberg first stated his support “in principle” for an opt-in standard for users, and answered whether Americans will enjoy “all the same controls” and same protections extended to Europeans under the GDPR with a clear yes. Later, however, he had trouble answering another GDPR query, and it was revealed that his crib sheet says “GDPR (Don’t say we already do what the GDPR requires).” Facebook Business has a page about the GDPR, but it appears we are still left with questions as to whether the social media platform is fully compliant.
Under the GDPR, Facebook and other organizations can no longer assume users want their data accessed, stored, or shared with third parties. Instead, users get to “opt-in” rather than “opt-out.” The new laws also require companies to provide clear and concise terms of service and notify authorities of data breaches within 72 hours of discovery.
With no serious widespread data privacy regulation in the works, the EU's GDPR will likely take the lead in data privacy legislation in the U.S. Wisely, the laws affect every company around the world that processes and handles the sensitive information of EU citizens—including Facebook. Zuckerberg and the rest of the U.S. will have no choice but to catch up.
If you want to get more helpful information on the upcoming GDPR legislation and learn how to reduce the scope and stress of meeting data compliance requirements, sign up for this free eperi E-Book: “What The C-Suite Should Know About Compliance Regulations When Moving To Cloud Services.”