
Federal privacy legislation will be a top issue for Congress in 2018, and entrepreneurs need to be at the table with “big tech” as the rules and regs are crafted.
Small Business Insider
Federal privacy regulation appears to be on the way
By Karen Kerrigan
Technology companies are preparing for action by Congress on comprehensive privacy legislation in 2019. Legislation already enacted by some states (with more in the queue) combined with momentum in Washington, D.C. following congressional hearings and recent activity by the National Telecommunications and Information Administration (NTIA) are fueling movement on the issue. In addition, the business community is keenly interested in developing a federal framework for privacy regulation. A uniform federal set of rules certainly beats the nightmare of having to comply with a patchwork of fifty separate regulatory regimes.
The European Union’s (EU’s) General Data Protection Regulation (GDPR), implemented in May 2018, provides a model of what to do and include, and more importantly what not to do and include, for privacy regulation in the U.S. As most of us know by now, GDPR requires U.S.-based companies doing business in the EU to comply with its rules. Among other provisions, the regulations require an “opt-in” system where consumers have to agree to every occurrence of data collection.
California’s new law – the California Consumer Privacy Act (CCPA) signed this past summer – is not as harsh as GDPR but is definitely generous with the rules and red tape. The CCPA, which takes effect in 2020, gives consumers new rights regarding their data. Companies are required to: provide an opt-out to data sharing, inform consumers about what data is being collected on them or shared with third parties, and allow consumers to delete data about themselves. There are big fines and ambiguous language in CCPA, which sets the stage for a lot of confusion and costly litigation.
The “good” news? Businesses with less than $25 million in revenue are exempt from the CCPA. So, lawmakers were thinking about smaller businesses in terms of regulatory burden. But if you are a firm that buys, receives, sells, or shares the personal information of 50,000 or more consumers, or derives 50 percent or more of your revenues from the sale of consumers’ personal information on an annual basis, CCPA applies to your business. According to Upside, businesses will reach that 50,000-consumer threshold very quickly if they accept credit cards because of how this data will be counted.
For businesses over the $25 million threshold or that meet the other tests, upfront and ongoing compliance costs could get rather hefty. Businesses need to begin preparing now in order to be fully compliant in 2020. That means, according to Upside: “To comply with the 12-month look-back for consumer requests as of the law’s effective date, businesses will need to begin mapping data and keeping records of personal information (PI) on January 1, 2019. Data inventorying and management vendors are scrambling to update their platforms to enable businesses to do so, and the cost of such solutions is projected to be significant — $50,000 to $100,000 a year.”
Beyond direct costs for these “larger” or data-rich small businesses, there is no doubt there will be costs to the Internet ecosystem with regard to innovation. This will prove harmful for all firms and consumers, not to mention the overall economy. And as we’ve seen with intrusive regulation in general, it tends to produce unintended consequences.
Yes, a uniform set of federal rules is desirable. But Congress must approach privacy legislation with humility and caution.
Our data-driven economy offers many benefits, and regulation should only occur where there is harm or great risks for the consumer. From the entrepreneur’s perspective, a new privacy framework must continue to encourage private-sector innovation. It needs to address the real (not perceived) problems in the marketplace. Regulation must be industry neutral and adaptable to the rapidly changing marketplace and economy. Meaning, it needs to be flexible.
The “big tech backlash” should not lead to over-regulation of all businesses because of the misdeeds (or fallen reputations) of a few. When this happens, entrepreneurs and small businesses are harmed, and investment and innovation are diminished. Our economy, which is now getting back on track because of healthy investment, high small business optimism and stronger business creation, can ill afford this type of regulatory setback.