Small Business Needs Data Privacy Legislation Simplification
Updated: Oct 11, 2019
(Views expressed here are my own, not those of Campbell Tech Solutions, LLC.)
A year ago, the EU implemented a new privacy law called the General Data Protection Regulation (GDPR). This law has fundamentally changed the privacy terrain for EU citizens and is still reverberating through companies worldwide. In my opinion, the GDPR codifies the idea that EU citizens own the information a company collects about them, and that they have rights regarding what companies and internet operations can do with that information.
The California Consumer Privacy Act (CCPA) comes online in January 2020. It changes how companies handle data for California residents. For privacy advocates CCPA is an advance, but for businesses just another privacy regulation in an already confusing patchwork of state and federal compliance rules.
While the GDPR sets one data-breach notification law for all member states, the United States has at least 50 different data breach notification laws at state level. (Source).
Complying with this increasingly complex American legal terrain is a massive challenge for small businesses. Unlike large enterprises, most small businesses do not have on-staff counsel and dedicated specialists available.
Even if they have counsel or easy free access to counsel, privacy law, with its patchwork nature and how tightly it is intertwined with technology and business operations, still requires a significant legal and technical skill set that is often not readily available to small businesses.
The regulation patchwork leads to policy complications and expense for American small businesses that are increasingly hard to ignore. One lawsuit resulting from a breach of just the right regulation pulled from the patchwork could result in an existential threat for a small business.
In response, many small businesses game the system, relying on their small size and limited scope as a way to address the risk.
What’s the solution? Simplification.
Get one set of rules across the US that small businesses can implement.
Eliminate confusion, complexity, and uncertainty.
Make it easier for small business to establish one set of procedures, systems, and controls to secure all consumer data.
Just as Britain has aligned its own Data Protection Act of 2018 with the GDPR, perhaps the time has come for the US to have one comprehensive, GDPR-like data privacy and protection law at the federal level.
In the same way that the federal CAN-SPAM Act of 2013, the Children's Online Privacy Protection Act of 2000, the Telephone Consumer Protection Act of 1991, and the Health Insurance Portability and Accountability Act of 1996 set federal regulations to protect consumer privacy and data, a single, comprehensive federal law can simplify so much for so many, and improve consumer security at the same time.
Several members of Congress have introduced bills designed to address data privacy at the federal level. We need ONE comprehensive set of rules that is sensible, affordable, and actionable for small businesses while still protecting consumer and customer privacy.
Let's hope that over the next few years we see massive progress in this area. Simplification will help everyone know what the rules are and which ones apply to them, contain expenses, set expectations, and overall improve compliance by small businesses.
After all, can't we, with one federal government, do what the EU's 28 different governments, languages, cultures, and attitudes toward privacy did with the GDPR?