Researchers at the Beacom College of Computer and Cyber Sciences at Dakota State University conducted a 35-year review of privacy law and the harms those laws aim to prevent, focusing on breaches, algorithmic discrimination, surveillance, manipulative targeting and dignitary harms. Their analysis is published in a study.
The review documents rapid growth in privacy rules since the introduction of the GDPR and identifies follow-up laws such as Brazil’s LGPD, China’s PIPL, Africa’s POPIA and NDPR, reforms across Asia, and strengthened frameworks in Canada, Japan and Australia. In the United States, privacy law remains largely sectoral at the federal level, while nineteen states have enacted consumer privacy statutes. New rules expanded rights relating to erasure, portability, consent and profiling and increased obligations for governance, impact assessment and record keeping, but outcomes vary by geography and sector.
Enforcement outcomes are uneven, the authors report. Since 2018, GDPR fines have reached about 6.72 billion euros, with roughly 3 billion euros tied to an invalid legal basis for processing. CCPA and CPRA fines from 2020 to 2025 total about 2.75 million dollars, and HIPAA penalties from 2003 to October 2024 total about 144 million dollars. Estimated compliance rates are around 28 percent for organizations within the scope of the GDPR and about 11 percent under the CCPA and CPRA; the study cites complex rules, limited regulator resources and inconsistent guidance as factors. Typical case timelines cited range from three to six months for many GDPR cases, four to eight months for CCPA/CPRA cases and up to twelve months for HIPAA cases.
The report warns that artificial intelligence, machine learning and internet-connected devices produce inferences and telemetry that strain long-standing notice-and-consent models and principles such as data minimization, purpose limitation and transparency. It links those pressures to growing concerns about algorithmic discrimination and notes that audits under the EU AI Act may help, although current evidence does not show broad regional improvement.
Cross-border data transfers remain a source of uncertainty, particularly where European privacy rules intersect with U.S. surveillance law. After the Schrems II decision, companies relied on Standard Contractual Clauses and transfer impact assessments, and some firms now use the Data Privacy Framework; shifting guidance and inconsistent enforcement among supervisory authorities increase the compliance burden for organizations that manage global data flows.
The researchers examined privacy-enhancing technologies such as differential privacy, homomorphic encryption, trusted execution environments, federated learning, zero-knowledge proofs and tokenization, but cautioned that technical measures have limits without strong governance. They conclude that while laws have strengthened rights and duties, the link between compliance and reduced harm is weak, and they call for measurable metrics to assess progress against breaches, discrimination, manipulation and wrongful sharing of sensitive information.

