As Congress wraps up for the 2021 legislative year, attention is beginning to turn to next year’s priorities. One issue that seems likely to dominate lawmakers’ time next session will be the issue of data privacy and cybersecurity and the possible creation of a federal data protection standard. The issue currently enjoys broad bipartisan support, with Democrats and Republicans expressing a desire to pass new data protection measures. Much of the bipartisan consensus is due to the fact that the voting public also regularly expresses concern over how private companies and the government protect their data.
With deep bipartisan and public support for enhanced data protection measures, the question invariably becomes, what form a federal data standard takes. While lawmakers might seem inclined to pass regulations akin to Europe’s General Data Protection Regulation or California’s Consumer Privacy Act (CCPA), Congress must balance protecting consumers’ data with ensuring rules are not overly burdensome for small businesses and the innovation ecosystem.
Failing to strike this balance could ultimately see consumers losing out in the long run through higher prices and depressed innovation.
Onerous data protection regulations are not an abstract concern for businesses but a genuine threat. For example, when California passed its data protection bill, CCPA, in 2018, it imposed substantial compliance costs on all companies.
The California Attorney General’s Office estimated the initial cost of complying with CCPA would be $55 billion. On top of the initial $55 billion, internal estimates suggested long-term compliance costs could reach $16 billion annually. The same report estimated that small firms “will incur $50,000 in initial costs,” while medium-sized firms employing between twenty and one hundred people can expect to “incur an initial cost of $100,000.” While large companies can absorb increased compliance costs, small and medium-sized businesses don’t have the capital resources, causing higher prices for consumers and less innovation.
One central component of any federal data standard and cybersecurity law should be a consumer notification requirement for companies who have been victims of a data breach or cyberattack. Outside of healthcare and banking that have their own data standards, companies are not required to inform consumers that their information has been compromised. The lack of notification rules means that between “60% and 89% of security incidents go unreported.” Without proper notification, cybercriminals have a large window to use stolen credit card information and steal consumers identities
A consumer notification requirement would mean consumers are alerted that their data has been compromised promptly, allowing them to take appropriate steps to secure their sensitive information before too much damage has been inflicted.
Another critical component of any federal data standard or cybersecurity law should be a federal preemption that would supersede any state-based laws. The United States is currently a zip-code lottery for data rules whereby individual states afford consumers varying degrees of protection. Unfortunately, this zip-code lottery also makes it difficult for companies seeking to do business across state lines as they must comply with fifty different rules and regulations.
A federal standard that preempts state rules would not only eliminate the zip-code lottery for consumers, but it would also only require companies to comply with one standard, not fifty. This preemption would inevitably see compliance costs reduced, potentially allowing businesses to pass the savings onto consumers in the form of lower prices.
Failing to include a preemption would mean the fifty-state patchwork remains in effect, with differing levels of protection for consumers and high and unnecessary compliance costs for businesses.
Finally, any federal data privacy and cybersecurity law should not include the private right of action that empowers citizens to sue companies for breaching the national data standard. Instead, lawsuits against companies should remain the exclusive jurisdiction of the attorney’s general.
Allowing consumers to bring individual suits against companies is problematic for two reasons. First, a private right of action could see companies fighting multiple lawsuits over alleged violations. While big businesses with large legal teams would easily swat away these suits, smaller companies with fewer resources would be less able to do so. Second, Attorney’s General have greater legal resources at their disposal, making them better placed to protect consumers and hold big business to account.
While federal lawmakers might be tempted to follow Europe and California’s lead in imposing a rigorous data standard, they must resist the urge and find a balance between protecting consumers’ data and not inflicting substantial costs onto small businesses. While that should be the principal concern, lawmakers must also ensure that a notification requirement and preemption are central pillars of any proposal.