One Set of Privacy Rules for Everyone: Vital to the Growth of the Digital Economy and Small Business

Posted 10 December, 2018, 3:03 pm

By Karen Kerrigan

On December 4, SBE Council hosted an event with the Small Business Roundtable (SBR) and the Connected Commerce Council (3C) on the importance of advancing a national privacy framework. California enacted a complex and cumbersome state privacy law this past October, and twenty-six states are looking to adopt their own privacy and data protection regimes. During our discussion, I described this as a potential “nightmare for small businesses.”

Data currently flows seamlessly across state lines and, for the most part, country borders as part of the internet ecosystem. Treating it differently in terms of state-specific rules for consumer privacy and data security would be unworkable for all businesses, particularly small businesses, as well as for consumers. The good news is that California’s legislation (AB 375) and the European Union’s General Data Protection Regulation (GDPR) are providing federal policymakers and lawmakers with models of what not to do, along with insight about how small businesses are being impacted by these misguided laws.

As noted by Jake Ward, President of Connected Commerce Council, during the discussion, there has been “a significant and immediate drop in investment and access to data for small businesses” following adoption of GDPR. He added that the big guys – like Facebook and Google – which GDPR was supposed to target, have been unaffected.

In terms of the California legislation, it created an exemption for businesses with less than $25 million in revenue, but as I noted during the discussion: “California’s small business exemption is essentially meaningless.”

In the end, the law will apply to most businesses. The legislation applies to all firms that buy, receive, sell, or share the personal information of 50,000 or more consumers, or that derive 50 percent or more of revenues from the sale of consumers’ personal information on an annual basis. That 50,000 consumer-threshold will be reached rather quickly if businesses accept credit cards because of how the data will be counted. (Read more about the California law and GDPR here.)

Imagine 50 states with 50 different laws regarding privacy and data security requirements. Imagine, as a small business owner, trying to comply with 50 state laws that mandate different rules about opting in and opting out or, for example, the various requirements for consumer notifications. Imagine dealing with all these different rules as a consumer!

Imagine fines of up to $7,500 per breach, California’s hefty amount, as well as the possibility of litigation. In addition, California has granted the state AG broad rule-making authority, which means the rules may easily change from year to year, or become more complex.

That is why the business community is rallying behind a national framework that would provide a unified regulatory regime on privacy, data security and breach notification. It is the core topic we discussed from a small business perspective at our forum on December 4.

Here are some key points made by panelists during the discussion, which underscore why the engagement and input of small businesses are critical:

Compliance is more difficult for small businesses: SBR Senior Advisor DeVere Kutscher observed that small businesses do not have compliance teams like larger businesses do, which is why a consistent set of rules at the federal level makes sense. The burden of having to “navigate through multiple different state laws” will disproportionately harm small businesses.

As I noted in my opening remarks, “a uniform national framework is important for small businesses both as consumers and innovators.”

Government lawmakers and policy makers need to understand the issue. Ward commented that “California rushed the process,” without understanding the three components that comprise privacy: “transparency, intentionality, and security.” He said that California tried to make small businesses feel better by granting them a carve-out, “but small business exemptions to bad bills do not make the bills better.”

Ward said that it is critical that lawmakers fully comprehend the issue and what they are trying to achieve: “We need to start with a clearly defined problem in order to move toward a solution.”

One regulator at the federal level. Panelists agreed that the Federal Trade Commission (FTC) has the expertise and experience to be the regulator-in-charge. The FTC has twenty years of experience under its belt, and has dealt with more than 500 cases involving the privacy and security of consumer information.

“They have the tech expertise to deal with most of this. They need to be given more money, time, and resources to dig into a private-public partnership that enables a higher level of confidence,” said Ward.

I added that the FTC’s current regulatory framework also “provides flexibility for emerging technologies,” which is critical to innovation and investment.

Kutscher said that the FTC as one arbiter makes sense “as long as the rules are clear.” He noted that small businesses need to be included in the conversation on privacy, and that there was no representation at a recent FTC roundtable on privacy: “It is imperative that we be a part of this conversation in the future.”

The digital economy and consumers need certainty. The growth of the digital economy and innovation across platforms and sectors offer all businesses, particularly small businesses, extraordinary opportunities. A consistent set of privacy and data security rules is not only important for small business growth, it is critical for consumer confidence in utilizing digital platforms and their devices.

All panelists agreed that educating Congress and determined engagement are critical to getting a good package done on a timely basis. Minus federal action, the states will continue to move on their own regulations and laws, which will undermine innovation and become quite costly for the entrepreneurial sector of the economy.

Karen Kerrigan is president & CEO of the Small Business & Entrepreneurship Council.
