[Editor’s note: This story originally was published by Real Clear Markets.]
By Andrew Wilford
Real Clear Markets
In June of 2018, California made waves by passing the California Consumer Privacy Act (CCPA), legislation that aimed to regulate business collection and dissemination of consumer data. Because of the size of California’s economy, the reach of the CCPA extended far beyond the Golden State’s borders. On November 3, Californians voted to expand the scope of the law even further, potentially kicking off another wave of burdensome consumer privacy regulations among other states.
While protecting consumer privacy is a laudable goal, the CCPA places significant compliance burdens on businesses, many of which are located outside of California or don’t fit the traditional notion of a big tech company. In today’s information-driven economy, businesses that collect consumer data aren’t necessarily big social media companies or even shady online advertising firms. That’s why some California steakhouse diners were surprised to find a printed CCPA notice along with their meals; restaurants that collect email addresses for reservations or promotions could run afoul of the law.
For many businesses operating in California, complying with the CCPA was far more costly than printing out a notice, however. California legislators can’t plead ignorance of this fact — prior to the law’s implementation, the California Attorney General’s office prepared a report warning of staggering compliance costs for businesses.
The report warned that compliance with the law would cost California businesses $55 billion upfront, and another $16.5 billion over the next decade. The report also found that businesses with under 20 employees would have to spend $50,000 on compliance on average, while businesses with 20-100 employees would be forced to spend double that.
And that’s just for California-based businesses. Companies that do any significant business in California arelikely to get tied up in the need to comply with the law, meaning that the CCPA effectively applies to most businesses with a national footprint.
This Election Day, California voters decided that the solution to this problem would be to expand the CCPA even further. A ballot measure that California voters approved would create even stricter protections for a subcategory of personal information known as “sensitive personal information.”
Even prior to November 3, two states — Maine and Nevada — had passed consumer privacy laws of their own. Between 2018 and the election, 24 states had seen legislation introduced that would enact similar consumer privacy protection regulations. And around the country, state legislatures are beginning to look beyond the pandemic and turn their attention back to the legislative priorities that had been building steam prior to February.
Should California’s expansion of the CCPA prove to be the harbinger of a second wave of state consumer privacy legislation, it could be an unfortunate lesson on why states regulating outside their borders is a problem. Already struggling to navigate a few states’ privacy laws, businesses could find themselves forced to navigate a patchwork of competing, and possibly conflicting, state privacy laws. Already, Massachusetts’s requirements regarding confidentiality on data breaches is in direct conflict with other states’ requirements that consumers must be notified of such a breach.
This is why Congress should consider a single, uniform standard that reduces the compliance burden of protecting consumers from privacy breaches as much as possible. As the national legislative body tasked with maintaining the free flow of commerce between the states, it is Congress’s duty to smooth out growing rifts between states that could harm innovation and economic growth. After all, the last thing businesses getting back on their feet for the first time after a pandemic need is to be knocked on their backs by new regulatory burdens.