Connecting state and local government leaders
COMMENTARY | The president of the Consumer Technology Association says California's privacy law—along with proposed legislation in Washington state and Massachusetts—will create a tangle of rules that "stifle competition and choke small businesses."
Alastair Mactaggart is a real estate developer—not an elected policymaker or hired staff member—who spearheaded the passage of California's Consumer Privacy Act (CCPA) in the Golden State. He recently held a series of meetings in D.C. to urge lawmakers not to override his state’s rules in favor of federal privacy legislation.
But encouraging each state to develop its own privacy rules will lead to a complicated patchwork of laws, forcing many businesses—especially small businesses and startups—to withdraw from those states.
The law Mactaggart is defending has been called a “domestic GDPR,” referring to the EU’s General Data Protection Regulation which went into effect last year. Both aim to protect the data privacy of consumers, including the right to know what information is being collected about them and the right to override the sale of that information.
Similar to GDPR, CCPA and other state-specific rules threaten to stifle innovation and restrict access to internet websites. GDPR, for example, forced more than 1,000 U.S. news sites to reject European visitors for months due to compliance issues. Even more concerning, CCPA’s overly-broad definition of personal information goes beyond any other rule—including GDPR.
CCPA defines personal information as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This means a business handling basic data that doesn’t specifically identify a consumer—such as browsing history and IP addresses—may trigger a violation. The vague and overly broad rules are especially confusing for small businesses and startups.
Complying with state-specific laws such as CCPA will significantly increase costs for most companies—not just data companies. Businesses will need to create new plans to handle consumer requests and alter their websites. The real burden will fall on startups and small companies that lack massive compliance and legal budgets. While many large businesses may be able to shoulder these costs, it will stifle competition and choke small businesses.
But California could just be the beginning—draft legislation in Washington state and Massachusetts also threatens to impose complex, state-specific privacy rules. This would compound compliance costs, exponentially increasing the expense for companies to do business in these states.
Rules such as CCPA could also have negative consequences for consumers who rely on the free services many tech companies provide such as news and information sites or communication services—driving up costs and lowering consumer choice. Ads are one way companies keep their costs down. By limiting or disabling ad services, many companies may have no choice but to raise the prices of their products and services.
Privacy is important. Medical records should be protected; Americans should be able to join a “do not call” list; the criminal records of minors should be expunged; and companies should be required to inform customers of any data breach involving private information. These rules exist because they are incredibly important. But if we take privacy to an extreme, it can actually hurt us. Here’s an example: If the cars on the highway in front of you collide in fog and that information can be sent to your car to avoid a crash, is it a privacy violation?
Rules such as CCPA threaten to limit services available to consumers and inhibit innovation. As the internet continues to grow and provide more services, we must ensure a patchwork of laws doesn’t limit consumer choice, choke small businesses—and stifle innovation.
Gary Shapiro is president of the Consumer Technology Association.