- - Thursday, January 9, 2020

After the California Consumer Privacy Act (CCPA) took effect on New Year’s Day, businesses around the country began scrambling to work out how to comply with its strict rules and regulations. These days, more and more states are buying into the idea that they’ve got a role in regulating online privacy. Washington and Massachusetts, for instance, already attempted to pass their own state-based privacy laws in 2019, and many other states will likely follow suit this year.

This is bad news for online businesses, which now need to decide whether to comply with different state standards on digital privacy or to suspend service to particular states altogether. It’s also bad for consumers, who might see their options for certain services severely reduced, like they did in Europe after the EU enacted burdensome digital privacy regulations of its own in 2018.

If the current trajectory continues and each state chooses its own path, the state-level privacy patchwork will only get more burdensome and complex, with differing rules on what data businesses are allowed to collect, what power consumers have over collected data and how consumers should be given access to their data.

While the requirements may sound simple, even small differences in the language of the law could mean big changes for how businesses must comply.

Businesses and consumers alike will find it increasingly hard to navigate the growing morass of rules that could differ in every state. Do businesses have to serve customers that refuse to let their data be monetized? If a customer wants data about them deleted, how quickly and in what way should that data be removed?



The Internet relies on users being able to interact with each other regardless of where they are; it’s inherently interstate. As a result, within the United States, it’s the role of the federal government, not state governments, to decide how and whether to regulate what Americans can do online. To prevent the damage done by CCPA, the federal government must intervene.

In true California form, CCPA is broad and burdensome to both businesses and consumers. It has led to restaurants in the state to litter customer tables with privacy notices and virtually ruined grocery store loyalty programs in the state, for no real benefit to consumers. Yet, can we really say that consumers will benefit substantially from draconian privacy regulations in the face of all these costs?

Time may tell, but so far it’s not looking good. California itself has estimated CCPA’s cost to the state’s firms will be $55 billion in initial compliance costs, followed by $16.5 billion over the next 10 years — and that’s just for the Golden State alone. If businesses across the country try to comply with CCPA, it’s likely U.S. compliance costs will be nearly half a trillion.

Not everyone is losing out, however; lawyers will make out just fine. Compliance with complex privacy legislation will push businesses to spend less on employees and innovation and more on legal costs.

California has also already broken the constitutional limits of its authority by trying to regulate the Internet. We can see this in effect with CCPA, where businesses that have no physical presence in California are now forced to work out how to comply with its complex legislation. That’s why the federal government should decide how the industry is regulated, like it does with telecom providers.

The implementation of CCPA is the beginning, rather than the end, of data privacy headaches for businesses and consumers. Progressive states like New York, Massachusetts and Washington are likely to compete with California over which can be the most aggressive on digital privacy.

While some claim the public desires greater online privacy protections, there’s no evidence that these protections need to be as burdensome as those in CCPA and proposed legislation in Washington, Massachusetts and New York. Indeed, these regulations are likely to curtail the online experience of consumers rather than enhance it by undermining businesses that prioritize user experience and innovative products over digital privacy.

Both of these problems combined could really harm investment in American online businesses. In Europe, GDPR has already been charged with sinking venture capital and advertising investment. As a global leader in tech and online services, the United States should be careful not to push tech investment away as we face growing competition from Chinese tech services.

It’s clear the federal government needs to take the lead to protect federalism, tech investment and small businesses around the country. Without it, this problem will fester. Instead of allowing a confusing patchwork of state digital privacy laws, Congress should create a national standard that can be easily navigated by consumers and businesses. This standard should get rid of the overly burdensome parts of CCPA and carve out a common sense American approach to privacy.

• Robert Winterton is a Young Voices tech fellow and the director of communications for NetChoice.

Sign up for Daily Opinion Newsletter

Manage Newsletters

Copyright © 2020 The Washington Times, LLC. Click here for reprint permission.

Please read our comment policy before commenting.

 

Click to Read More and View Comments

Click to Hide