In The News

All news

Businesses See New Threat from State Data Privacy Laws

Published: August 09, 2019

Businesses that retain customer data have become well-acquainted with the threat of data security breaches, with most taking prudent measures to secure data and protect their customers. But many are less aware of, and prepared for, the emerging challenge posed by expansive state-level data privacy policy initiatives.

Regular, though not necessarily frequent, media coverage of data mismanagement has caused an increase in interest from policymakers. Even while financial firms work to meet their obligations under Gramm Leach Bliley and the Federal Trade Commission’s (FTC) Privacy Consumer Data Rule, new players have emerged that pose a significant innovation and competition risk for firms. California is the first state to pass a data privacy act that goes beyond the simple obligation of requiring that companies protect consumer data and it is set to take effect in 2020. The measure will force companies to disclose what information they collect, comply with consumer requests to delete the data, disallow companies from charging extra for consumers to opt out, and empower state regulators to issue fines. Other states have shown an interest expanding data privacy protection and even the city of Chicago considered a data privacy ordinance in 2018.

Beyond simply limiting a company’s ability to collect and sell data, businesses have to worry about changing standards as to what constitutes an injury to a consumer as the result of a data breach. Recently, the FTC focused on defining the various types of injuries that can occur because of data mismanagement. This lack of clarity of what defines an injury is problematic at the federal level. At the state level, the lack of consensus on injury is likely to cause a patchwork of compliance issues. Each state is likely to identify different injuries and prescribe various protections, with the possibility of different protections for the same injury in different states. Given the rapid nature of changing technology and innovation and the fact that states will pass these potential bills over several years, it is unlikely that a single state-standard will emerge.

All businesses are already aware of the danger that this type of patchwork will create with compliance, but other problems will arise from these potential bills. If the bills are too restrictive, they will negatively impact innovation and competition. They will likely also raise significant compliance questions even for firms that diligently attempt to comply. For example, if a transaction is facilitated by a business between two customers in different states, which rules apply to each customers’ data?

Smaller firms will likely be disproportionately impacted by these bills. The cost of compliance may simply overwhelm them; though some bills will likely have carve-outs for the smallest firms. Still, while these carve-outs may be welcomed when a bill initially passes, they may only act as a barrier for future investment. Smaller firms will likely struggle as they increase in size and find themselves unable to carry the burden of additional compliance requirements, possibly across several states simultaneously.

The best possible solution for regulating an issue that features rapid innovation is a single regulatory authority. In the best-case scenario, the regulatory authority would have a high level of issue expertise. With the passage of California’s data privacy bill, it is now much more likely that firms will be facing a fractured, state-by-state regulatory landscape. Firms have to engage quickly on this issue with a well-defined strategy. Small and medium firms, in particular, need to engage to protect their interests. They cannot simply allow the larger firms to fight this on their own and protect their own interests, possibly at the expense of smaller firms.

Jackson Vaughn Public Strategies (JVPS) can help small and mid-sized firms develop those strategies and help policymakers strike the appropriate balance between compliance, innovation, and competition against consumer privacy protections. With the help of JVPS, a business can tailor a program from a single locale or state all the way up to a robust fifty-state and federal plan.


Facebook Twitter DZone It! Digg It! StumbleUpon Technorati NewsVine Reddit Blinklist Add diigo bookmark