In early July, the U.S. Chamber of Commerce hosted #DataDoneRight, a one-day event in Washington, D.C., to discuss policy and regulatory issues related to the protection of consumer data. Of the many topics addressed during the summit, one key theme ran throughout: any entity, public or private, that leverages data to provide services and make strategic decisions needs to prepare for legislation pertaining to the storage of that data.
As a member of the Chamber’s Technology Engagement Center (C_TEC), I’ve assisted with the development of the USCC’s proposed federal legislation for a national data privacy framework. Members of C_TEC appreciated the need for rules that adequately protect consumer data while allowing sufficient room to innovate. The proposed framework offers practical and effective protections while preventing a patchwork of conflicting state laws that make consistency and compliance nearly impossible.
With the passage of the California Consumer Privacy Act (CCPA) in 2018, the state became the first in the union to pass sweeping data privacy laws. As of February 2019, 11 more states have followed suit and introduced their own privacy legislation measures. With little hope for a unified plan coming from the federal level, more and more state legislatures will be forced to address data privacy on their own.
A patchwork of 50 discrete sets of laws would not only cause confusion for businesses and consumers alike, but also hit small businesses and small government agencies like a ton of bricks. Managing compliance in one jurisdiction can itself be a chore, but staying compliant across 50 will be extremely difficult and expensive.
This new legal minefield could produce a chilling effect that prevents businesses and governments from working effectively across borders. Earlier this month, fearing the impact of state privacy laws on global business, a coalition of corporate CEOs sent a letter to D.C. lawmakers asking for a federal privacy law that would trump state rules.
Set to go into effect in 2020, the California Consumer Privacy Act (CCPA) was conceived as a David vs. Goliath effort to protect consumers from Big Tech data abuses and, largely, as a rebuke of several social media tech giants. According to Californians for Consumer Privacy Board Chair Alastair Mactaggart, those giants have earned their nine-figure yearly revenues “on the backs of others’ data and information.”
Unfortunately, lawmakers weren’t inclined to seek much input from service providers, and the CCPA was developed without a full understanding of how customer data is used in helpful and impactful ways.
For example, #DataDoneRight attendees learned how Thomson Reuters has utilized data to help law enforcement solve violent crimes, target sex trafficking, and detect Medicare fraud. Granted, not all data use cases are this dramatic, but businesses can use data in a variety of ways to create a more personalized and convenient experience for customers and serve the broader public.
A lack of third-party input during the legislative process also resulted in an untenable timeline of nine months to prepare for compliance. This means comprehensive privacy programs must be developed and implemented in extremely short order. Forthcoming amendments may help strike the right balance between consumer and business interests, but the results remain to be seen.
In April 2016, the European Union enacted the General Data Protection Regulation (GDPR). Developed over a span of several years, GDPR is based on in-depth research and wide-ranging input from the public. The regulation addresses both data privacy and data security, requiring customer consent regarding use of data as well as security measures that protect data.
Unlike the CCPA, the GDPR granted businesses a period of two years to prepare for compliance. GDPR is comprehensive, methodical, and inclusive because it was more patiently developed — a process our legislators here would do well to emulate.
The rush by states to enact data privacy legislation is driven in part by a common misconception among consumers that data privacy and data security are largely the same. In reality, privacy (preventing unauthorized or undisclosed data sharing by a business) and security (preventing data theft by outsiders) are largely separate issues.
According to a recently released data privacy report from the C_TEC group, fraud losses have dropped from $35 billion to less than $15 billion since 2005, despite a dramatic increase in data breach incidents in that same timeframe. It’s reasonable to infer that consumers are far more affected by cybersecurity and fraud prevention measures than they are by having their data exposed.
Don’t get me wrong: consumers have every right to be concerned about data privacy. But a hasty and heavy-handed approach on the part of legislators in an attempt to ease constituents’ concerns may bring about significant and unintended harm to businesses, state and local governments, consumers, citizens, and the economy.
Data privacy legislation is inevitable, and it’s a mission-critical issue. Businesses and government agencies have a lot of decisions to make to ensure they are investing as needed to prepare for new regulations. I recommend you learn all you can about proposed data privacy regulations endorsed by the Government Accountability Office and an FTC commissioner. You’ll also want to begin training employees who regularly interact with protected information on the ins and outs of current regulations and data best practices. No matter where the data privacy debate leads, your company’s readiness and standards should be top concerns.