After the California Consumer Privacy Act (CCPA) passed, lobbyists from both sides of the aisle descended on Capitol Hill. The Information Technology Industry Council (ITI), a DC-based lobbying group, has called for a federally mandated consumer data privacy law, as have some of the biggest players in tech, including Google, Facebook, Intel, Microsoft, and Apple.

Industry players believe they’ll have to deal with a patchwork of state regulation if Congress doesn’t intervene and issue a federal law. Pro-business groups, such as the Council on Foreign Relations, have been particularly vocal in their assertion that it’s up to Congress to protect consumer privacy.

Pro-business concerns: It will stifle innovation and force out smaller players

As Mercatus Center research fellow Jennifer Huddleston argues in a policy brief, “With states like California now enacting their own data privacy policies, federal action may be necessary to prevent an individual state from unfairly disrupting markets and the framework initially established for the internet.” Huddleston suggests that the absence of federal action will cause more states to place overly stringent legislation into practice, which could stifle innovation.

The Mercatus Center is a center-right think tank, so it’s no surprise that Huddleston is an advocate of soft laws and industry self-governance; however, she does make a rather convincing argument when she suggests that laws like the CCPA and GDPR have the potential to prevent new, innovative companies from going to market. It’s Huddleston’s contention that the hefty fines imposed by the CCPA will allow the bigger players to increase their market share, while smaller tech companies will be forced to exit the market due to burdensome compliance costs.

Privacy advocates: In states we trust

Pro-regulatory analysts fear that the tech industry doesn’t have consumers’ best interests at heart. As an example, Neema Singh Guliani, senior legislative counsel at the ACLU, is skeptical of any law that would wipe out consumer data protections at the state level. In an op-ed piece, Guliani posits that preemptive legislation from Congress would likely be a boon to the tech industry at the expense of consumers. Although Congress could certainly pass legislation that effectively protects consumers, Guiliani notes that consumer privacy protections have historically originated at the state level.

Requisite features: Consumer control, transparency, and accountability

Regardless of whether consumer data privacy is handled at the state or federal level, it’s clear that any laws need to contain the following three elements: (1) Consumers should be able to control what data is collected from them, either via opt-in or opt-out mechanisms. With an opt-in rule, companies can’t collect user data unless the users have granted them permission. With an opt-out policy, users must figure out how to opt-out of data collection, either through the app’s preferences or elsewhere. (2) Companies must be transparent about exactly what they’re collecting. (3) There must be adequate enforcement of the rules by the FTC to ensure companies are held accountable.

What does the future hold?

It’s quite interesting to see consumer data privacy protection at the forefront of public policy considerations. Former Democratic presidential candidate Pete Buttigieg made “right to be forgotten” a key part of his campaign. Similarly, Apple CEO Tim Cook has called for a “data-broker clearinghouse,” which would not only require all data brokers to join a registry, but would also allow consumers to track and delete their data.

Although many believe it’s only a matter of time before the US sees a federal data privacy law, it may be difficult for Congress to preempt the CCPA in the short term, especially given that California has 53 members of Congress. Nevertheless, the fact remains that Big Tech lobbyists are extremely active on the Hill these days, and federal consumer data privacy bills have already been drafted. As a recent example, Intel has met with several congressmen and written several drafts of a bill tentatively titled “Ethical Data Use Act of 2019.”

“As leery as I am about government regulation in general, it is now clear that we have reached a tipping point, where companies controlling a large portion of the world’s personal information have failed to protect it. In fact, we have a fox in the henhouse situation in that many of these companies’ business models are predicated on exploiting personal information,” said Raj Sabhlok, president of Zoho Corp. “As such, there is a need for regulation that would protect consumers’ personal data. Such regulations should not be overly burdensome on business or constraining free enterprise, which suggests that one overarching federal data privacy regulation should be enacted—as opposed to fifty state regulations.”

If a federal law does emerge, let’s hope it benefits businesses, innovation, and consumers’ privacy.