Early in 2019, Republicans and Democrats in Congress and the White House all agreed that the United States needed new federal privacy legislation—but progress has been slow. Various draft bills exist, but none have moved through the legislative process. Stumbling blocks include enforcement methods and the degree to which states should have freedom to implement their own rules.

A new federal privacy law by the end of 2019 now seems highly unlikely, and so, from the start of 2020, organizations operating in California must start complying with the requirements of the California Consumer Privacy Act (CCPA). Many companies, notably large tech firms, had lobbied for federal legislation, in part, to harmonize rules across states (for example, federal law could have overruled state law). For companies that make money from data, fragmented legislation in the United States adds complexity and expense.

The CCPA differs from Europe's General Data Protection Regulation (GDPR) but shares the same basic principles that consumers should know what data companies collect about them and should be able to control the sharing and use of their data. For example, the CCPA gives consumers the right to request that companies delete their personal data and the right to opt out of having their information sold to a third party. Notably, however, the fines for CCPA violations are far less than those for GDPR violations.

Implications

The shape of future federal legislation in the United States is uncertain, but—of likely concern to data companies—the legislation could plausibly step up, rather than water down, CCPA rules (tech-industry lobbyists hope for the latter). Senator Ron Wyden's "Mind Your Own Business" draft federal bill proposes fines of up to 4% of annual sales and jail time for executives who lie about data policies. The bill has no cosponsors so is unlikely to progress in its current form, but it does indicate the strength of opinion among some legislators.

Impacts/Disruptions

"Data-Privacy Start-Ups" in the October 2019 Viewpoints describes companies—including BigID and OneTrust—that help companies manage the complexity of complying with privacy legislation that varies by market. The Viewpoints argues that automated privacy solutions should lower the cost of regulatory compliance and reduce risk. Even so, a fragmented market in the United States creates problems for vendors and will undoubtedly increase costs. If the results of GDPR are any measure to go by, both large and small data firms will see an impact on revenues, though large firms will find it easier to devote resources to ensuring their compliance (see "The Impact of Regulatory Change" in the March 2019 Viewpoints).