This is a guest blog post by Steve Boms, President of Allon Advocacy. Boms, a featured speaker and panelist at FinovateFall 2019 last month, takes a look at the current regulatory landscape in the United States when it comes to data privacy, and why he thinks we’re a long way off from having a one-size-fits-all approach.
Data breaches have dominated the headlines recently, but a federal standard is still a pipe dream in the current political environment.
Why? The answer is as old as the country itself: the tension between state and federal power.
In the current context, it is Republicans, typically strident defenders of states’ rights, who want a national system. House Energy and Commerce Committee Ranking Member Greg Walden (R-Ore.) has said, “Your privacy and security should not change depending on where you live in the United States.” Industry advocates agree with the GOP, arguing for a national standard because they worry compliance across 50 different state frameworks would be impossible.
Though several bills outlining national standards have been introduced in Congress, including some with Democratic support, the two parties still cannot agree. That’s because Democrats, along with consumer groups and privacy advocates, repeatedly have said they will not support federal legislation that supplants current and future state laws that may be stronger than a federal privacy regime.
Given this ideological argument, federal action could still be years away.
If you want progress fast, better to look to the states.
Data privacy legislation has been introduced or filed in at least 25 states. Maine and Nevada enacted significant legislation this year. Colorado and Massachusetts also did, and proponents of data privacy legislation are active in New York. Connecticut lawmakers failed to consider several data privacy bills, but did pass legislation to establish a task force to examine what businesses operating in the state should have to tell consumers about the data they collect.
This trend – studying the issue – is evident in several states, and while such “study bills” are sometimes viewed as bureaucratic inertia against more powerful legislation, these mandates are quite often precursors to more meaningful statutory changes. That certainly could be the case over the next year.
The gold standard for state legislation is, of course, the California Consumer Privacy Act (CCPA) that is set to go into effect on January 1, 2020. In arguing against a uniform federal standard, it is the CCPA that Democrats are hoping to preserve.
Even though it will take several months, even years, to reach consensus, it is difficult to envision an eventual federal mandate that doesn’t look a lot like the CCPA. The CCPA addresses numerous measures that empower consumers to protect their data privacy, a common theme lawmakers, industry, and consumer advocates all embrace.
Specifically, the CCPA allows consumers to opt out of the sale of their information while embracing their right to know, access, and delete what companies know about them. The law also includes a 45-day grace period for businesses to comply with consumers’ requests and imposes penalties on companies for privacy violations, including the ability for consumers to exercise private rights of action for a security breach.
California lawmakers have introduced numerous bills since CCPA passage to clarify the law prior to implementation. Amendments include the removal of certain categories of data – namely employee and contractor information – and the need to protect businesses’ preferred treatment of consumers who are part of loyalty programs.
These changes might not be enacted, but they present debates federal lawmakers should watch.
Even with the CCPA as a guide, federal legislation must strike an appropriate balance between supporting consumer empowerment and supporting strong protection standards for consumers and businesses alike. Additionally, a major question still lingers in Washington over who should have authority over data privacy issues, and whether they should have the authority to establish rules or enforce current practices. A Government Accountability Office (GAO) report points to the Federal Trade Commission (FTC) as the most reasonable choice. Many in the industry agree, citing the agency’s authority to weed out “unfair or deceptive” consumer practices and the FTC’s existing authority to issue and enforce regulations on the collection of data on children under 13 years old.
In its report, however, the GAO does question whether the FTC has the bandwidth to oversee such an enormous issue, or if a new governing arm, similar to the European Union’s European Data Protection Supervisor, should be established.
The most important issue facing federal lawmakers, though, is the need to protect innovation. The GAO urges Congress to consider how to “balance consumers’ need for internet privacy with the industry’s ability to provide services and innovate.” Strict privacy regulations may result in compliance costs that are too cumbersome for businesses, and consumer skepticism increases when privacy protections are too lax. Europe is starting to feel the effects of the General Data Privacy Regulation’s (GDPR) inability to balance the two (many U.S. businesses are not able to comply with the regulation’s excessively high bar or cannot pay the large fees and thus cannot offer their services).
Data privacy is front and center on the global stage. The United States will fall farther behind unless lawmakers focus on the common tenets of data privacy – supporting consumer control, ensuring proper regulatory authority, and embracing innovation – and pass a bipartisan bill.