Published on April 15, 2020

After the California Consumer Privacy Act (CCPA) passed, lobbyists from both sides of the aisle descended on Capitol Hill. The Information Technology Industry Council (ITI), a DC-based lobbying group, has called for a federally mandated consumer data privacy law, as have some of the biggest players in tech, including Google, Facebook, Intel, Microsoft, and Apple.

Industry players believe they’ll have to deal with a patchwork of state regulation if Congress doesn’t intervene and issue a federal law. Pro-business groups, such as the Council on Foreign Relations, have been particularly vocal in their assertion that it’s up to Congress to protect consumer privacy.

Pro-business concerns: It will stifle innovation and force out smaller players

As Mercatus Center research fellow Jennifer Huddleston argues in a policy brief, “With states like California now enacting their own data privacy policies, federal action may be necessary to prevent an individual state from unfairly disrupting markets and the framework initially established for the internet.” Huddleston suggests that the absence of federal action will cause more states to place overly stringent legislation into practice, which could stifle innovation.

The Mercatus Center is a center-right think tank, so it’s no surprise that Huddleston is an advocate of soft laws and industry self-governance; however, she does make a rather convincing argument when she suggests that laws like the CCPA and GDPR have the potential to prevent new, innovative companies from going to market. It’s Huddleston’s contention that the hefty fines imposed by the CCPA will allow the bigger players to increase their market share, while smaller tech companies will be forced to exit the market due to burdensome compliance costs.

Privacy advocates: In states we trust

Pro-regulatory analysts fear that the tech industry doesn’t have consumers’ best interests at heart. As an example, Neema Singh Guliani, senior legislative counsel at the ACLU, is skeptical of any law that would wipe out consumer data protections at the state level. In an op-ed piece, Guliani posits that preemptive legislation from Congress would likely be a boon to the tech industry at the expense of consumers. Although Congress could certainly pass legislation that effectively protects consumers, Guiliani notes that consumer privacy protections have historically originated at the state level.

Requisite features: Consumer control, transparency, and accountability

Regardless of whether consumer data privacy is handled at the state or federal level, it’s clear that any laws need to contain the following three elements: (1) Consumers should be able to control what data is collected from them, either via opt-in or opt-out mechanisms. With an opt-in rule, companies can’t collect user data unless the users have granted them permission. With an opt-out policy, users must figure out how to opt-out of data collection, either through the app’s preferences or elsewhere. (2) Companies must be transparent about exactly what they’re collecting. (3) There must be adequate enforcement of the rules by the FTC to ensure companies are held accountable.

What does the future hold?

It’s quite interesting to see consumer data privacy protection at the forefront of public policy considerations. Former Democratic presidential candidate Pete Buttigieg made “right to be forgotten” a key part of his campaign. Similarly, Apple CEO Tim Cook has called for a “data-broker clearinghouse,” which would not only require all data brokers to join a registry, but would also allow consumers to track and delete their data.

Although many believe it’s only a matter of time before the US sees a federal data privacy law, it may be difficult for Congress to preempt the CCPA in the short term, especially given that California has 53 members of Congress. Nevertheless, the fact remains that Big Tech lobbyists are extremely active on the Hill these days, and federal consumer data privacy bills have already been drafted. As a recent example, Intel has met with several congressmen and written several drafts of a bill tentatively titled “Ethical Data Use Act of 2019.”

“As leery as I am about government regulation in general, it is now clear that we have reached a tipping point, where companies controlling a large portion of the world’s personal information have failed to protect it. In fact, we have a fox in the henhouse situation in that many of these companies’ business models are predicated on exploiting personal information,” said Raj Sabhlok, president of Zoho Corp. “As such, there is a need for regulation that would protect consumers’ personal data. Such regulations should not be overly burdensome on business or constraining free enterprise, which suggests that one overarching federal data privacy regulation should be enacted—as opposed to fifty state regulations.”

If a federal law does emerge, let’s hope it benefits businesses, innovation, and consumers’ privacy.

John Donegan

John Donegan

Enterprise Analyst, ManageEngine

John is an Enterprise Analyst at ManageEngine. He covers infosec, cybersecurity, and public policy, addressing technology-related issues and their impact on business. Over the past fifteen years, John has worked at tech start-ups, as well as B2B and B2C enterprises. He has presented his research at five international conferences, and he has publications from Indiana University Press, Intellect Books, and dozens of other outlets. John holds a B.A. from New York University, an M.B.A. from Pepperdine University, an M.A. from the University of Texas at Austin, and an M.A. from Boston University.

 Learn more about John Donegan