Leaving consumers and businesses behind without the protections they need to thrive
It’s no secret that Congress has been slow to act on data privacy.
Though there have been recent encouraging signs that show it’s a continued priority for some – including Rep. Jan Schakowsky (D-Illinois), chair of the Consumer Protection subcommittee of the Energy and Commerce Committee, announcing that the Committee will host a series of bipartisan roundtable discussions on major privacy legislative proposals this summer – failure to act has created significant gaps in protection for consumers across the country.
In the absence of congressional action, several states have taken matters into their own hands. Privacy legislation has been either considered or enacted in at least 20 states since 2018, including just this week when Colorado joined Virginia and California in passing a data privacy bill that is inconsistent with those laws.
Most of these state efforts were spurred by the California Consumer Privacy Act (CCPA), which was passed in 2018. It provides consumers with “more control over the personal information that businesses collect about them” by providing the right to know about the personal information a business collects, how it’s used and how it’s shared. CCPA also provides consumers the right to delete personal information collected and the right to opt out of the sale of personal information. The Act was expanded even further last November when California voters approved a ballot measure that created the California Privacy Rights Act (CPRA), which modifies and extends many of the measures included in CCPA.
Though well-intentioned, a patchwork of state laws has significant negative potential consequences for consumers and businesses alike. First and foremost, a patchwork of state regulation provides uneven protection for consumers online, since protection largely depends on where a consumer lives. Disparate laws will undoubtedly leave tens of millions of Americans’ data vulnerable and exposed and will confuse consumers even more as they navigate an already complex system to protect their own data.
And finally, a piecemeal approach to regulation would place a huge compliance burden on businesses. A regulatory impact analysis of CCPA found that initial compliance costs alone would total approximately $55 billion, equivalent to 1.8% of California Gross Domestic Product in 2018. The analysis also estimated $16.5 billion of additional direct compliance costs over the next decade. If compliance costs for just one state’s privacy bill are this high, the potential costs from additional state efforts would be astronomical. These costs would disproportionately affect small businesses: the analysis estimates that small businesses with fewer than 20 employees “will incur $50,000 in initial costs,” while medium businesses with between 20 and 100 employees could “incur an initial cost of $100,000.”
The goal for privacy legislation should be a strong federal law that ensures that all Americans’ privacy is protected – no matter the state they choose to live in – and that bad actors are punished. It should also be a simpler experience for consumers and businesses – not an increasingly difficult one.
Privacy for America’s approach would create a single, strong federal law that provides clear, broad-based privacy rules for the entire U.S. marketplace and ensures consumers are protected. It would also make privacy simpler for consumers by prohibiting outright a range of practices that could put personal information at risk for misuse by bad actors online, rather than asking consumers for consent. To ensure compliance with these rules, our proposal would significantly expand federal and state oversight of data practices, including providing civil penalty authority to both the FTC and State Attorneys General. And by preempting certain state laws, our proposal would ensure the protections that consumers deserve while avoiding the pitfalls of competing and uneven efforts to regulate data privacy and security.
This summer, lawmakers will consider the issue of privacy during a set of roundtable discussions. And we urge them to consider our federal privacy proposal to offer protections to all Americans before the current and growing patchwork of state laws creates even more confusion for everyone who uses the internet.
Learn more about our federal proposal here: https://www.privacyforamerica.com/overview/principles-for-privacy-legislation/