On July 11 in Washington, D.C., the U.S. Chamber of Commerce hosted #DataDoneRight, a one-day summit highlighting the policy issues surrounding businesses’ use of consumer data. It was an engaging, eye-opening event that drew together a variety of stakeholders and speakers.
The day’s presentations offered many important takeaways, but the bottom line was clear. If your business or customers rely on consumer data to provide good service, make strategic decisions, and ultimately make a profit, you should be focused on preparing for data privacy legislation that’s heading your way.
As a member of the Chamber’s Technology Engagement Center (C_TEC) and on behalf of Ontario Systems, I’ve had the distinct privilege of helping develop the Chamber’s proposed federal legislation addressing the need for a national data privacy framework. We at Ontario Systems understand that the businesses in the industries we serve are passionate about protecting consumer data while at the same time dedicated to providing data-driven innovation. Working toward establishing appropriate rules, as well as sufficient time to implement those rules, is of utmost importance. We therefore jumped at the chance to represent our industries and ensure their voice is heard, in the hope of preventing a far more painful scenario: a tsunami of conflicting state laws that could overwhelm businesses and upend our digital economy.
Why Is a National Regulatory Framework in Businesses’ Best Interest?
In 2018, California was the first state to pass sweeping data privacy laws (the California Consumer Privacy Act, or CCPA). As of February 2019, 11 more states had introduced their own data privacy legislation. In the absence of comprehensive federal law (and with no promising signs that Congress will act soon), more and more state legislatures will be forced to address this issue.
A patchwork of 50 state laws will not only create mass confusion among consumers and businesses, but also hit small and midsize businesses particularly hard. Staying compliant and fighting red tape across state lines will be complex, costly endeavors requiring significant resources. This new legal minefield could simultaneously create a chilling effect and open the door to countless lawsuits, hampering or endangering small and medium-sized enterprises’ (SMEs’) ability to conduct business.
The CCPA and the EU’s General Data Protection Regulation (GDPR) are contrasting studies in data privacy legislation. In terms of how they were developed and how they’re impacting businesses, both of these models offer lessons we hope lawmakers will take to heart.
The California Consumer Privacy Act (CCPA): A Blueprint for State Action?
The California Consumer Privacy Act (CCPA), which will go into effect next year, was conceived as a David vs. Goliath effort to protect consumers from Big Tech data abuses. The CCPA was developed over a short period of time and without enough business input. According to #DataDoneRight presenter and Californians for Consumer Privacy Board Chair Alastair Mactaggart, the law is largely a rebuke of two leading tech giants—whose combined 2018 revenues of $192 billion were earned, he says, “on the backs of others’ data and information.”
But most businesses are not tech giants, and many use customer data in helpful, important ways.
For example, #DataDoneRight attendees learned that Thomson Reuters, through responsible data sharing, has helped solve crimes such as shootings, sex trafficking, and Medicare fraud. Many more businesses, both B2C and B2B, use customer data every day to make the customer experience more personalized, convenient, and valuable.
By introducing a private right of action (as enacted, limited to certain data breaches resulting from a business’s failure to maintain reasonable security, though amendments to broaden it have been proposed), the CCPA has made it possible for consumers to sue any of these companies directly. Individual lawsuits favor lawyers over consumers, as they tie up businesses without effecting meaningful change.
Developed without input from California’s diverse business community, the CCPA may have severe unintended consequences for SMEs. In addition, as of this writing companies have less than six months to update their compliance programs for the new, sweeping privacy regime. Whether forthcoming amendments will help achieve the right balance between consumer and business interests remains to be seen.
EU’s General Data Protection Regulation (GDPR): A Blueprint for Federal Action?
The EU’s GDPR, adopted in April 2016, reflects the distinct philosophies and needs of European businesses and consumers. It was developed over a longer period of time based on in-depth research and wide-ranging input. The GDPR addresses both data privacy and data security, requiring a lawful basis (such as customer consent) for the use of personal data as well as security measures that protect that data. Unlike the CCPA, the GDPR granted businesses a period of two years to prepare for compliance before it became enforceable in May 2018.
The GDPR is a comprehensive legislative framework, albeit substantially different from what U.S. legislators might come up with to drive innovation and economic growth here at home. The process that led to the GDPR was methodical, inclusive, and patient, and our legislators would do well to emulate it.
Yet even without the added complexity of patchwork laws, smaller companies with business interests in the EU bear an inordinate burden.
Larger U.S.-based firms have spent nearly $150 billion to ensure compliance with the GDPR, and Microsoft alone has assigned 1,600 engineers to the task. Unable or unwilling to bear the costs of ensuring compliance, many businesses have simply pulled out of the European market.
State and Federal Lawmakers Should Proceed with Caution
States’ rush to enact data privacy legislation is driven in part by a common perception among consumers that data privacy and data security are largely the same. But privacy (controlling how a business collects, uses, and shares personal data, and whether the consumer has notice and choice about it) and security (protecting that data from theft, loss, or unauthorized access by outsiders) are largely separate issues. A business that sells data it collected lawfully, but without telling its customers, has a privacy problem and no security problem; a business that loses data it collected with full consent to an attacker has a security problem even though it violated no privacy promise.
According to a recently released data privacy report from the C_TEC group, despite a dramatic increase in the number and size of data breach incidents since 2005, fraud losses have dropped from $35 billion to under $15 billion during the same period. This suggests that cybersecurity and fraud prevention measures do far more to protect consumers than privacy rules aimed at data exposure alone.
Don’t get me wrong: consumers have every reason and every right to be concerned about data privacy. But too hasty or heavy-handed an approach on the part of legislators in an attempt to ease constituents’ concerns may bring significant harm to businesses, consumers, and the economy.
If Congress is to act on this issue, any legislative proposals must reflect a thorough understanding and careful consideration of all stakeholders’ interests.
A Call to Action for Business Leaders: Get Ready, Get Involved
Data privacy legislation is inevitable. It’s also a mission-critical issue for businesses of all sizes. Small and midsize businesses in particular have a lot of decisions to make and work to do to ensure compliance using the resources they have (or with investments they’ll need to make).
I encourage you to educate yourself on the issues involved in the data privacy debate. Follow legislative developments. Go a step further, and become an influencer. Let your congressional representatives know where you stand. Remind them that the Government Accountability Office (GAO) has recommended that Congress consider a national data privacy law; even an FTC commissioner has publicly expressed support. This is a bipartisan issue, and federal legislation is a solution both parties can get behind.
We joined the U.S. Chamber to advocate for our clients, vendor partners, and similar businesses whose concerns need to be heard on Capitol Hill. By speaking out on behalf of a national data privacy law that benefits and protects both businesses and consumers, you can make a lasting impact. To learn more about what C_TEC is doing on data privacy and technology issues, visit www.americaninnovators.com.
Disclaimer: Ontario Systems is a technology company and provides this blog article solely for general informational and marketing purposes. You should not rely on the content of this material for any other purpose or as specific guidance for your company. Ontario Systems’ advice, services, tools and products described herein do not guarantee compliance with any law or industry standard. You are ultimately responsible for your own company’s actions and compliance efforts. Because everyone’s situation is different, you must consult your own attorneys, accountants, and/or other advisors to obtain specific advice on your company’s compliance, legal, tax, regulatory and/or other business needs. Despite Ontario Systems’ efforts to provide current and up-to-date information, you need to recognize that the information contained herein may become outdated quickly and may contain errors and/or other inaccuracies.
© 2019 Ontario Systems, LLC. All rights reserved. Information contained in this document is subject to change. Reproduction of this publication is not permitted without the express permission of Ontario Systems, LLC.