Startups need a uniform federal privacy law
TLDR: California lawmakers have run out of time to fix problems in the state’s sweeping privacy law before it goes into effect next year, leaving startups hoping that Congress will step in and create a strong, uniform federal privacy law that protects consumers without creating unnecessary and costly burdens. If other states move forward with privacy legislation mirroring California's law, it will create a patchwork of requirements that will have an outsized impact on smaller companies hoping to operate across state lines.
What’s happening this week: On the heels of California’s legislative session ending last week without significant changes to the state’s privacy law being sent to the governor’s desk, the debate over consumer privacy is shifting to conversations in D.C. The law, the California Consumer Privacy Act (CCPA), will go into effect in January of next year, and enforcement of the law will begin later in the year.
The California legislature passed the CCPA in a rush last year as a part of a compromise to avoid having an unalterable version of the law enacted as a ballot initiative in the 2018 election. The law has the laudable goal of giving consumers more control over how their data is used and shared, but some of the broad definitions, vague obligations, and apparent contradictions in the language will create problems for businesses—including startups—that rely on consumer data to provide and improve their services. Recognizing these issues, California lawmakers pledged to address these issues before the bill was enacted, but several of the substantive, key changes were left to perish when the California legislature wrapped last week.
At the same time, the tech community is waiting to see whether and how Congress will address the issue. Since the privacy debate kicked off in earnest with the implementation of the General Data Protection Regulation in Europe, followed by the hasty passage of CCPA, lawmakers have conducted hearings, held roundtables, and introduced and debated legislation aimed at bolstering consumer privacy in the U.S.
Why it matters to startups: As Engine has long argued, startups stand the most to lose in the policy debate over consumer privacy. It’s startups whose services are abandoned when consumers lose trust in the Internet ecosystem due, in part, to the absence of strong online privacy protections. At the same time, startups are least equipped to deal with costly and burdensome privacy rules, especially if those rules and requirements vary from state to state.
With the CCPA poised to go into effect as written, much of the tech community’s attention around privacy has focused on that specific law. As Engine has said in the past, the law’s obligations and responsibilities will have a disproportionate impact on startups.
For instance, the law allows consumers to opt-out of the sale of their data, but the definition of the word “sale” is so broad—and the law’s exceptions are so narrow—that it will sweep in certain everyday data-sharing practices that startups rely on to conduct business using external vendors for things like data processing and analytics. Whereas the largest Internet companies can afford to build in-house or bring in-house through acquisitions these kinds of capabilities, startups and other small businesses often rely on a network of dozens of external vendors to provide all kinds of innocuous and routine services. In this one aspect alone, privacy legislation has the chance to severely distort competition in the technology space by making it easier for the biggest Internet companies to navigate the regulatory landscape.
But CCPA is just the beginning, and those issues will multiply as more states join California in passing a state-specific law. Even bills that have been proposed in other states and claim to largely mirror CCPA’s obligations will contain at least administrative, if not substantive, differences, creating huge expenses for any small companies that want to operate across state lines. This is one of the several issues we explored in “The Nuts and Bolts of User Privacy,” our recent series of events and report with the Charles Koch Institute.
California lawmakers have failed to make the necessary improvements to this law before next year. Other states are considering their own versions of a consumer privacy law, which will only complicate and add to startups’ compliance burden. Startups need a uniform, federal set of privacy rules that give consumers strong protections while creating certainty for the companies and their investors. Congress has a chance to fix this by passing a strong federal consumer privacy law.
On the Horizon.
Engine and the Charles Koch Institute will be holding the first panel in our three-part series on the nuts and bolts of encryption this Friday at noon. We'll be discussing what encryption is, how it works, and the various ways that it's used every day. Learn more and RSVP here.
The Senate Judiciary antitrust subcommittee is holding an oversight hearing at 2:30 pm this afternoon with FTC Chairman Joseph Simons and DOJ antitrust chief Makan Delrahim. The antitrust panel is also holding a Sept. 24 hearing to examine “acquisitions of nascent or potential competitors by digital platforms.”
The Senate Commerce Committee is holding a hearing at 10 am tomorrow to “examine the proliferation of extremism online and explore the effectiveness of industry efforts to remove violent content from online platforms.”