More than two dozen states are considering data privacy laws that, if adopted, would create a costly and confusing “regulatory nightmare” for businesses that do commerce across state lines, business advocates said.
“We will be very soon into a situation where we’re going to have 20 to 30 different regulations and that will have a very negative impact on the country; where we can’t create jobs,” said Tim Day, senior vice president of the Chamber Technology Engagement Center (C_TEC) at the U.S. Chamber of Commerce.
California is the first state to pass a comprehensive data privacy law. The legislation went into effect January 1 and is already causing confusion and anxiety, particularly for small businesses, Day said.
California law impacts businesses across state lines
Called the California Consumer Privacy Act, it is one of the broadest online privacy laws in the U.S., affecting companies across the nation that do business with California residents.
Under the new regulations, California residents will be able to demand that companies disclose what information is collected about them and request a copy of that information.
“A lot of times, people hear ‘California’ and they don’t think it applies to anybody outside of the state of California. That’s not true. This applies to any company that has California-based customers and has at least $25 million in gross annual revenue and, in addition, has personal information on at least 50,000 people,” Day said.
“When you break that down, that gets at the heart of small business. If you are a florist or a winery or a database business that has California customers, that brings you into the law.”
Cost to California: $55 billion
A report from the state’s Attorney General estimates the cost of compliance under the new regulation will be $55 billion for California alone.
“That is about 2 percent of their GDP. That is more than environmental compliance. That is staggering and that is something that people need to be aware of,” said Day, whose organization is advocating for a single federal law that would apply to all states.
For a small business with fewer than 25 employees, complying with California’s new law could result in upfront costs of up to $50,000, Day said.
Law sprouting a new industry for compliance
News reports in publications like the Los Angeles Times indicate that the law is already spurring a new industry: hundreds of new start-ups, law firms and consultants ready to help companies comply with the new law.
Bart Willemsen, an analyst at global technology and advising firm Gartner, recently told the Times that he has identified over 200 companies pitching products to help companies adhere to privacy rules. None of them actually offers a comprehensive solution, he stated.
The new law also limits the sharing of data, which is another concern for consumers and business, Day said, especially when it comes to issues like healthcare, public safety and transportation.
To solve an impending crisis, the U.S. Chamber is leading an intense effort to call on chambers and local, state and federal officials to press Congress to act.
Arizona first state to call for national data privacy standards
Arizona, meanwhile, is the first state to introduce a resolution to do just that.
Rep. Shawnna Bolick (R-Phoenix) is the prime sponsor of the bipartisan resolution, HCR 2013, that calls for a single federal standard for comprehensive consumer data privacy regulation.
Bolick said a federal approach is needed to protect “budding businesses” as well as consumers.
“If I were a business, I would not want to navigate 50 different states’ consumer and data privacy protection laws to conduct interstate commerce,” Bolick said. “If every business had to hire a compliance privacy protection officer to conduct business in every state, it might bring our growing economy to a grinding halt.
“On the consumer protection side, it would be nice to know exactly what sensitive consumer data a corporate entity stores in its databases and whether or not it sells our data with the consumer’s permission, especially when well-known companies including Amazon, Capital One, Creative Cloud, Equifax, Facebook, Instagram, Marriott, and Target have all experienced data breaches in recent years.”
Model legislation similar to EU proposed
With the help of 200 businesses of all sizes, the U.S. Chamber has put together model privacy legislation to get the ball rolling. The legislation includes pieces from California’s new law as well as Europe’s General Data Protection Regulation (GDPR) that took effect in May 2018. Any global business that sells to or has EU customers is subject to the GDPR, regardless of where that business is based.
The main purpose of the Chamber’s model legislation is to “put consumers in control and ensure businesses can innovate while operating with certainty and providing transparency,” Day said.
“Technology has changed the way consumers and businesses share and use data, and voluntary standards are no longer enough. New rules of the road are necessary and it is time for Congress to pass a federal privacy law.”
For more information and a closer look at the patchwork of regulations under consideration, go to: Data privacy state-by-state.
This story was originally published at Chamber Business News.