Have we gone from not enough regulation into overdrive too fast, creating new problems in our attempts to fix existing ones? 

A patchwork of state data privacy laws

There is no sweeping federal US consumer data privacy law, and so far, all of the action has been at the state level. For example, let’s look at what’s happening in California. The California Consumer Protection Act (CCPA), which goes live in January 2020, is similar to the EU’s General Data Protection Regulation (GDPR) with regard to increasing consumer access to and control over personal information. But it goes further, enabling consumers to find out what information a company collects about them, and to sue companies if they believe the law has been violated, even if there is no data breach.

Also unlike GDPR, CCPA mainly affects large companies that “control” data; that is, companies that collect data and decide what it will be used for, or that sell data as a core part of their business. Therefore, the emphasis of CCPA is on giving consumers the option to delete their data or opt out of its sale, along with explicit requirements for clear “Do not sell my personal information” links on websites and apps. Companies can still share personal information with third parties, given explicit permission, and are allowed to offer financial incentives to consumers in exchange for permission to collect or use their personal information for specific purposes.

Although California, Maine, and Nevada are the only states to have passed privacy laws so far, approximately nine other states currently have proposed data protection laws on the table.

The cost of compliance

To comply and be able to verify and respond to consumer requests, most businesses will have to invest in new data management systems, implement new processes and standards, and hire additional employees — at significant cost. In fact, the state of California’s estimate of the total cost of initial compliance with CCPA is $55 billion — which will unfortunately be shouldered disproportionately by smaller businesses that don’t already have sophisticated data management and reporting systems in place. The cost of ongoing compliance, including potential fines, is estimated to come in at $467 million to $16 billion over the next 10 years. In my opinion, leaving it to each individual state to draft its own data protection regulation compounds all of these costs, as it will require much more effort for businesses to comply with multiple regulations than with a single federal policy.

Additionally, beyond the financial implications for companies, what’s the cost of more regulation to the consumer? On one hand, there will be people who say, “Great, all of these regulations will force companies to slow down their marketing and send me less stuff.” On the other hand, while we all probably would like to receive fewer marketing emails, a better solution would be for businesses to make their marketing more personalized, relevant, and useful to the recipient — which requires good data.

Surveys show that nearly three-quarters of consumers expect companies to anticipate their needs and make recommendations for better customer experiences. Instead, reconciling the differences between state laws for national marketing efforts will make it more difficult for companies to collect and use data, and may have the adverse effect of making marketing less personalized — and more annoying.

Furthermore, does more regulation even result in smarter consumer decision-making? What we’re already seeing with GDPR is user fatigue instead of greater transparency — i.e. the human impulse to simply click “I accept these terms” without reading the pages of required legalese that explain what is being accepted. Another good example of this is the millions of US consumers who readily accept the terms of TV manufacturers when setting up a new television, allowing manufacturers to track what’s being watched.

Finding a balance

How much data privacy and security regulation should we have? Some experts say that too much regulation hurts US businesses, particularly startups, and their ability to access data to support innovation. However, others say that too little regulation allows companies to take advantage of consumers’ data and profit from it (e.g. data brokers, advertisers, etc.). Insufficient regulation can also result in data breaches, so it’s important to figure in the costs of the fines companies must pay, as well as the money spent by consumers to clean up fraud perpetrated using stolen personal information.

The federal versus state privacy law debate also has two sides. Some argue that a federal law would be watered down by compromise and offer little recourse for consumers, who would have to wait for Congress to act. However, it would be wise to side with the “federalists”, because a multitude of different state regulations will be an unnecessary burden on businesses.

We need to take a step back and truly weigh the pros and cons – and incorporate learnings from GDPR outcomes – before moving forward to ratify more separate state laws. A federal law is necessary as a consistent foundation that will reduce confusion and litigation and benefit consumers as well as businesses. A past example of this approach is the Federal Trade Commission’s CAN-SPAM Act, which created a good foundation to curb spam emails. Further, a federal law that standardized acceptance forms and language for consumers would make implementation vastly easier for companies, as well as more transparent for consumers, who would understand what they’re agreeing to. Then, as we put federal regulations into practice and see evidence of their efficacy, perhaps states could enact additional measures as needed to further strengthen the law as they see fit.