August 30, 2018 - In June, California implemented the nation's toughest privacy law. It is modeled after the European Union's GDPR regulations, a law that has forced many online businesses to make dramatic changes to their business models. The new California law is having a similar impact on American businesses, and it looks like the battle may turn ugly.
Because 10% of the US population resides in California, it is virtually impossible for businesses simply to say "we won't do business there." That's why so many businesses have been forced to conform to what California's state government deems appropriate.
California was the first state to implement a data breach notification law, a law which remains among the most stringent of any state. Almost immediately after that law was put in place, companies tried to comply by notifying Californians of data breaches while telling customers in other states that only California residents were impacted.
That tactic quickly went down in flames. The companies that attempted this approach received massive amounts of negative publicity, lost customers and ultimately faced lawsuits from consumers and stock-holders alike. It became very apparent that corporations couldn't implement one set of rules for operating in California and another set for the other 48 states. In the end, not only did companies comply with California law, every other state in the country also enacted its own data breach notification law.
But the new privacy law that is now in effect may prove to be a bridge too far for the rest of the United States. It regulates data sharing to such a degree that companies that rely on advertising revenue for their support may not be able to continue in their current business model. And those companies are now calling on Congress to act and usurp the California law by imposing a national standard for privacy.
At the same time California's Attorney General is saying that he doesn't think the new law goes far enough. He wants the state legislature to expand the law by giving private citizens the right to sue companies that violate it. And he wants the law to be changed so that his office no longer has to give companies advice about how to remain in compliance with the law. At some point, something has to give.
The idea that Congress would impose a national privacy standard on all of the states isn't something we can support. The vast majority of data breach and privacy proposals that have come out of DC have been very unfavorable to consumers. At the same time, implementing laws that don't take into account the economic impact to business is naive. In this case, it's probably foolish because the law is impacting some of the country's biggest and most cash-rich companies. Those companies are likely to start spending some of that cash to lobby in Washington.
It would be particularly unfortunate if California's zeal to protect consumers at the expense of business became the impetus to drive forward national standards on privacy and data breaches. That would undoubtedly hurt the individual privacy rights of all Americans. But if California persists, it's a more than plausible scenario. Let's hope that cooler heads prevail… and soon.
by Jim Malmberg