Let’s face it: There has been a lot of lamenting over the existence of the California Consumer Privacy Act of 2018. But rather than lament, let’s think about the ways it can have a positive impact. Many people have ridiculed its potential effect on startups, but the CCPA can actually help such companies.
The CCPA's legislative effect
We are already seeing the national effect of the CCPA: Only a year ago, federal omnibus privacy legislation seemed like a non-starter. Now, it seems like a surety. This development has led at least one industry leader, Intuit Chief Privacy Officer Scott Shipman, CIPP/US, to praise the CCPA as “the best thing to happen to U.S. privacy law — full stop.”
For startups, hopefully, the eventual federal legislation would be explicit in its preemption of state omnibus privacy laws such as the CCPA. And if so, we must learn from the CCPA's mistakes regarding its effect on startups.
We must ensure innovation is not stifled
First, let’s think about to whom the CCPA applies.
Is it not possible that there is a corporation of 10 employees that annually receives or shares for commercial purposes the personal information of 50,000 or more California consumers, households, or devices? Of course that is possible — almost 40 million people live in California. Now, that 10-employee company must implement onerous measures, such as responding to access requests, responding to a consumer’s right to deletion, and ensuring their vendor contracts are CCPA-compliant.
These are merely examples of the burdens placed on them, and yet, even if the burdens were limited to those, they may be sufficient to put an innovative company out of business or, worse yet, prevent that business from even starting due to fears of excessive compliance overhead. Innovation and protecting consumers through privacy regulations need not be mutually exclusive, but onerous pieces of legislation such as the CCPA will ensure the world is only big enough for the latter.
How do we ensure innovation is not stifled in future legislation?
In order to ensure the federal bill does not stifle innovation in such a manner, it must be carefully crafted to ensure consumers’ rights are protected and startups’ interests are taken into account. This can be done via narrowly drafted definitions with regard to whom the law applies such as companies with 10 or fewer employees. While companies with 8 employees could potentially have a global customer base, this definition is a relatively accurate predictor of which companies can bear the financial burden of compliance.
Of course, this requires a trade-off: Fewer businesses will be legally required to comply with the federal legislation, but startups — presumably, ones that provide something of use to consumers — will not be forced out of business or deterred from even starting due to the legislation.
It must be made clear to lawmakers the impact the CCPA and a federal equivalent would have on startups.
Due to recent privacy controversies, it is easy for consumers and legislators to think sweeping privacy legislation affecting the technology industry is a no-brainer. And maybe it is. But it is important for consumers and legislators to understand which companies will be most affected. For example, if industry representatives are able to fully inform legislators about the impacts of legislation, not on large companies, but on nascent-stage startups, such legislators will hopefully understand the ramifications of legislation such as the CCPA and apply that knowledge to future legislation.
Why is this proposal not heresy?
Before you shriek at the thought of requiring fewer companies to comply with the legislation, I offer two points.
First, exempting smaller companies from compliance with federal law is not new. For example, the Americans with Disabilities Act only applies to employers with 15 or more employees. An understandable retort to that argument would be that these startups have a much larger reach than a brick-and-mortar small business that is exempt from the ADA. That point is well-taken, but regardless of the differences in reach of a small business and an online startup, are the same interests not at play?
It’s all relative. The ADA-exempt small business is exempt because complying with the ADA is too onerous for it. Similarly, online startups should also be exempt from federal privacy legislation because it is just as onerous for them to comply with CCPA-style obligations as it is for Joe’s Burgers to comply with the ADA’s obligations.
Second, simply because such startups would be exempt from federal privacy legislation does not mean they will become reckless with their users’ data (at least, hopefully not). There are still market forces at play which should force companies to be good stewards of their users’ data. The exemption for which I am lobbying merely allows startups to incorporate that business decision in their business model, rather than legislators forcing a significant amount of the startups’ VC funding to be allocated to privacy compliance.
If the CCPA is not preempted by a piece of federal privacy legislation, startups will feel the brunt of its obligations. But those same startups should be looking at the CCPA as a positive because they (or somebody on behalf of current and future startups) now have a chance to make their case to Congress to exempt them from federal privacy legislation. It is possible to ensure consumers’ interests are protected while not stifling innovation by placing unduly burdensome obligations on startups.
And luckily for such startups, the CCPA has created an example of what not to do. The question remains whether that message will be conveyed to and accepted by Congress.