In late February, various committees in Congress held hearings about the possibility of drafting a federal law governing internet privacy.
It’s about damned time.
This country’s been long overdue in developing some sort of coherent policy framework related to privacy. Doubtless, Congress’s actions were inspired by some of the more recent scandals related to Facebook and other social media behemoths. But the reality is that a federal privacy law is far more important for the millions of businesses in this country not named Facebook.
If there is no federal law in place governing privacy, then American businesses that do business online (which is to say, almost all American businesses) must navigate through as many as 50 states’ different privacy laws. This is an untenable reality for most businesses.
Facebook has billions of dollars to throw at compliance if they must; few other businesses do. By failing to provide a single, simple, coherent set of rules related to privacy, Congress has left a gaping privacy-law vacuum. Because of that vacuum, businesses are left with a nigh-impossible task of trying to keep up with 50 states’ privacy laws, plus the overarching, overreaching, sprawling extraterritorial mess that is the European Union’s GDPR.
To cite just one example, at present, forty-seven different states have data breach notification laws. Imagine an online business with half a million dollars in annual revenue that suffers a data breach. Complying with all forty-seven laws would be practically impossible.
Many businesses correctly fear that they are likely not complying with at least some of these laws, but they aren’t sure how much it matters, or what enforcement might come from non-compliance. And as a perfectly competent lawyer and perhaps one of the few humans who has actually read the GDPR, I can say with confidence that I understand their concerns.
The only way to resolve this mess is to pass a federal privacy law, one that pre-empts state laws.
The last bit is somewhat controversial, but if American businesses—particularly smaller businesses—are going to have any hope of complying with their obligations related to user and customer privacy, one law is plenty—50 is way too many.
California has already passed a privacy law that’s due to go into effect in 2020, and Feinstein, Pelosi, Harris, et al. are probably not going to be OK with a law that undoes what has already been done. That’s all well and good.
The cleanest thing to do here, given the current path that we’re on, would be to pass a federal law that mirrors the California one, but that pre-empts all future privacy laws that might create additional obstacles and obligations. That way American businesses can know what their obligations are now and will be in the future. The good actors can then adjust their practices and move on with their lives. The bad actors can be punished according to the laws.
Let’s see if we can get this right.