Editor's Note: This article originally appeared on the Ontario Systems Blog, which also includes other ARM-related content, and is republished here with permission.
On July 11 in Washington, D.C., the U.S. Chamber of Commerce hosted #DataDoneRight, a one-day summit highlighting the policy issues surrounding businesses’ use of consumer data. It was an engaging, eye-opening event that drew together a variety of stakeholders and speakers.
The day’s presentations offered many important takeaways, but the bottom line was clear. If your business or customers rely on consumer data to provide good service, make strategic decisions, and ultimately make a profit, you should be focused on preparing for data privacy legislation that’s heading your way.
As a member of the Chamber’s Technology Engagement Center (C_TEC) and on behalf of Ontario Systems, I’ve had the distinct privilege of helping develop the Chamber’s proposed federal legislation addressing the need for a national data privacy framework. We at Ontario Systems understand that the businesses in the industries we serve are passionate about protecting consumer data, while at the same time being dedicated to providing data-driven innovation. Working toward establishing appropriate rules, as well as sufficient time to implement those rules, is of utmost importance, so we jumped at the chance to represent our industries and ensure their voice is heard, in the hope of preventing a far more painful scenario: a tsunami of conflicting state laws that could overwhelm businesses and upend our digital economy.
Why Is a National Regulatory Framework in Businesses’ Best Interest?
In 2018, California was the first state to pass sweeping data privacy laws (the California Consumer Privacy Act, or CCPA). As of February 2019, 11 more states had introduced their own data privacy legislation. In the absence of comprehensive federal law (and with no promising signs that Congress will act soon), more and more state legislatures will be forced to address this issue.
A patchwork of 50 state laws will not only create mass confusion among consumers and businesses, but also hit small and midsize businesses particularly hard. Staying compliant and fighting red tape across state lines will be complex, costly endeavors requiring significant resources. This new legal minefield could simultaneously create a chilling effect and open the door to countless lawsuits, thus hampering or endangering small to medium-sized enterprises’ (SME) ability to conduct business.
The CCPA and the EU’s General Data Protection Regulation (GDPR) are contrasting studies in data privacy legislation. In terms of how they were developed and how they’re impacting businesses, both of these models offer lessons we hope lawmakers will take to heart.
The California Consumer Privacy Act (CCPA): A Blueprint for State Action?
The California Consumer Privacy Act (CCPA), which will go into effect next year, was conceived as a David vs. Goliath effort to protect consumers from Big Tech data abuses. The CCPA was developed over a short period of time and without enough business input. According to #DataDoneRight presenter and Californians for Consumer Privacy Board Chair Alastair Mactaggart, the law is largely a rebuke of two leading tech giants—whose combined 2018 revenues of $192 billion were earned, he says, “on the backs of others’ data and information.”
But most businesses are not tech giants, and many use customer data in helpful, important ways.
For example, #DataDoneRight attendees learned that Thomson Reuters, through responsible data sharing, has helped solve crimes such as shootings, sex trafficking, and Medicare fraud. There are many more businesses, both B2C and B2B, that use customer data every day to make the customer experience more personalized, convenient, and valuable.
By introducing private rights of action, the CCPA has made it possible for consumers with privacy claims to sue any of these companies at will. Individual lawsuits favor lawyers over consumers, as they tie up businesses without effecting meaningful change.
Developed without input from California’s diverse business community, the CCPA may have severe unintended consequences for SMEs. In addition, companies will have less than six months to update their compliance programs for the sweeping new comprehensive privacy regime. Whether forthcoming amendments will help achieve the right balance between consumer and business interests remains to be seen.
EU’s General Data Protection Regulation (GDPR): A Blueprint for Federal Action?
The EU’s GDPR, adopted in April 2016, reflects the distinct philosophies and needs of European businesses and consumers. It was developed over a longer period of time, based on in-depth research and wide-ranging input. The GDPR addresses both data privacy and data security, requiring customer consent for the use of data and security measures that protect that data. Unlike the CCPA, the GDPR granted businesses a period of two years to prepare for compliance.
The GDPR is a comprehensive legislative framework, albeit substantially different from what U.S. legislators might come up with to drive innovation and economic growth here at home. The process that led to the GDPR was methodical, inclusive, and patient, and our legislators would do well to emulate it.
Yet even without the added complexity of patchwork laws, smaller companies with business interests in the EU bear an inordinate burden.
Larger U.S.-based firms have spent nearly $150 billion to ensure compliance with the GDPR, and Microsoft alone has assigned 1,600 engineers to the task. Unable or unwilling to bear the costs of ensuring compliance, many businesses have simply pulled out of the European market.
State and Federal Lawmakers Should Proceed with Caution
States’ rush to enact data privacy legislation is driven in part by a common perception among consumers that data privacy and data security are largely the same. But privacy (preventing unauthorized or undisclosed data sharing by a business) and security (preventing data theft by outsiders) are largely separate issues.
According to a recently released data privacy report from the C_TEC group, despite a dramatic increase in data breach incidents and volumes since 2005, fraud losses have dropped from $35 billion to under $15 billion during the same period. This suggests consumers are far more affected by cybersecurity and fraud prevention measures than they are by having their data exposed.
Don’t get me wrong: consumers have every reason and every right to be concerned about data privacy. But too hasty or heavy-handed an approach on the part of legislators in an attempt to ease constituents’ concerns may bring significant harm to businesses, consumers, and the economy.
If Congress is to act on this issue, any legislative proposals must reflect a thorough understanding and careful consideration of all stakeholders’ interests.
A Call to Action for Business Leaders: Get Ready, Get Involved
Data privacy legislation is inevitable. It’s also a mission-critical issue for businesses of all sizes. Small and midsize businesses in particular have a lot of decisions to make and work to do to ensure compliance using the resources they have (or with investments they’ll need to make).
I encourage you to educate yourself on the issues involved in the data privacy debate. Follow legislative developments. Go a step further, and become an influencer. Let your congressional representatives know where you stand. Remind them the General Accounting Office endorses a national data privacy law; even the FTC commissioner has publicly expressed support. This is a bipartisan issue, and federal legislation is a solution both parties can get behind.
We joined the U.S. Chamber to advocate for our clients, vendor partners, and similar businesses whose concerns need to be heard on Capitol Hill. By speaking out on behalf of a national data privacy law that benefits and protects both businesses and consumers, you can make a lasting impact. To learn more about what C_TEC is doing on data privacy and technology issues, visit www.americaninnovators.com.