Back in June of this year, we wrote about the continuing frustration that lawmakers on Capitol Hill were still debating what form a federal privacy bill should take. Since then, matters have continued to drag on. So it’s really no surprise that a growing number of states have chosen to make their own arrangements for consumer privacy.
But not everyone is in favor of state-level privacy laws.
According to Michael Beckerman, president and CEO of Internet Association, Americans will pay a price for state privacy laws.
Opinion: Michael Beckerman
The federal government has yet to act, and states are rushing to pass their own data privacy legislation, creating a patchwork of laws from coast to coast. Many of these laws are well-meaning, but their proliferation creates a real risk and a real cost.
The risk is that Americans have a false sense of security that their privacy is consistently protected. The cost is that online and offline businesses large and small pay a steep price to comply with a vast array of privacy rules.
A patchwork of state laws means that a California woman who orders an item from a Missouri business that manufactures in Florida could have her data regulated by three separate laws, or by no applicable law. Despite California’s Consumer Privacy Protection Act the state’s residents cannot be assured that the protections that apply when they deal with a business covered by the law will apply when they shop at their corner store, travel across the country or engage in online transactions with companies that are not subject to California’s privacy law.
Not only will this add to consumer confusion around how data is handled, it will also undoubtedly lead to inconsistent treatment of data depending on a variety of factors, including the residency of the consumer and the type of businesses with whom they interact.
Personal Privacy Debatable
Americans cannot be confident that their data remains protected as they travel from state to state.
State-level data privacy laws also create a challenging environment for businesses to navigate and drive up costs for legal compliance. For example, Nevada and California share a border and billions in economic activity, and both states have recently updated their own data privacy laws. Yet they fail to agree on basic elements of those laws, like when and how a person can opt out of having his or her data sold. Companies looking to operate on both sides of that border must navigate two separate laws that regulate the sale of data, but do so in two very different ways.
Ironically, in order to comply with state laws based on where an individual lives, online services that collect minimal information, including geolocation information, must choose between applying one state’s standard to all individuals nationwide or collecting more personal information. For instance, if a company doesn’t have enough information to know whether someone is a California resident, the company has to either treat everyone as a California resident or collect location information to make a decision. If only one state has a privacy law, that may be OK. However, if there are differing obligations under state laws, then the company really would have to collect more information.
Internet Association, which represents social media companies, sharing economy platforms, e-commerce businesses and commercial cloud providers, released privacy principles last year that outline the essential elements of an American approach to national data privacy legislation. [Its] principles prioritize increasing transparency around data collection and providing control over the data that individuals share with businesses, including the ability to access, correct, delete and download that data. These principles would guide us toward a law that is consistent nationwide while providing proportionality and flexibility that would be impossible to achieve with a state-by-state regulatory scheme.
Other parts of the world have struggled with, and overcome, similar issues. The 2016 passage of the European Union’s General Data Protection Regulation was preceded by numerous individual laws governing data privacy in individual countries.
As a 2019 report from the European Commission put it:
One key objective of [G.D.P.R.] was to do away with a fragmented landscape of 28 different national laws that existed … and to provide legal certainty for individuals and businesses throughout the E.U. That objective has been largely met.
In the United States, 29 states have passed laws related to data privacy. The hastily passed California law, which goes into effect next year, applies to any company that both does business in California and collects information from any individual who lives in the state. Vermont has a narrowly focused law that only addresses data brokers. Maine doesn’t regulate data brokers but does regulate internet service providers. Illinois has a law on biometric data that most other states don’t.
The patchwork of state laws is only getting more convoluted. Fourteen states have considered legislation on internet service providers. Twenty-five states and Puerto Rico have considered legislation focused on various aspects of consumer data. All 50 states, the District of Columbia., Guam, Puerto Rico, the Virgin Islands and even some municipalities have their own laws about how to respond to data breaches.
All of those laws are subject to change. In 2019, states considered at least 21 measures to amend data breach laws. Over 150 pieces of legislation on consumer data have been considered, and five states passed bills mandating privacy studies to inform future legislation.
This complex and inconsistent regulatory environment risks the country ceding our position as a leader in technology. The patchwork benefits only lawyers and the multimillion-dollar data compliance industry, which helps wealthier, better resourced companies navigate the landscape of state data regulations for a fee. It is unfair to expect small business owners and entrepreneurs to become legal experts and navigate the complex data laws of their state and any other state in which they want to do business.
The best solution is a federal law that provides a consistent set of standards for both online and offline companies regardless of where their customers are. These standards would help provide Americans with the protections they deserve and businesses with the certainty they need. Congress needs to pass comprehensive, economywide legislation to ensure this happens.
A national privacy law would be stronger with unified, well-funded enforcement through the Federal Trade Commission. Federal oversight would allow all Americans to benefit from multiple privacy protections, including the option to delete their data, transparency in data collection and the ability to move data among services.
Failure to pass national standards will harm the American economy. Businesses will see costs of complying with regulations rise and consumers will see the direct effects. A recent study by IBM Security and the Ponemon Institute found that the average total cost of a data breach worldwide is $3.92 million. The United States had the highest rates in the world, with an average cost of $8 million, and California’s attorney general, who is in charge of enforcing the state’s privacy law, says compliance costs for California businesses could cost billions.
Those high costs depend on many factors, but complying with complex regulations is a major contributor. It would be one thing if those extra costs were providing consumers with meaningful safeguards or additional security. But a patchwork of state laws often replaces consistent protections for consumers with complexity and confusion for everyone.
Mr Beckerman says, Americans in every state interacting with companies across all sectors of the economy deserve to have their personal data protected. A patchwork of state laws won’t cut it.
Sources & further reading: Internet Association, NCSL, European Commission