New State-Wide Privacy Laws Could Have Unintended Consequences for Consumers and Businesses

Written by

Earlier this year, President Biden called on lawmakers from both parties to come together to pass legislation that holds technology and social media companies accountable for how they use Americans’ personal data and information. The President’s challenge is only the latest in a line of efforts to protect user privacy at the federal level, yet lawmakers have failed to make any serious headway. 

 The federal government failed to address the problem in 2022. Instead, state governments stepped in to fill the void with new regulations that apply only at the state level. While these are well-meaning efforts, the result is a nightmare for any company that works with consumer data. Instead of having to meet the standards of one federal privacy law, companies must navigate a patchwork of regulations dictating how they collect, store and use data.

 Most tech executives (myself included) would agree that stronger privacy laws are needed to protect consumers and boost public confidence in the nation’s tech industry. However, regulations that aren’t carefully thought out can have unintended consequences. Complicated compliance laws will create an uneven playing field for large and small tech companies, slowing innovation overall.

 The world’s largest tech companies will always have the resources to keep pace with state regulations, even as they become more complex. However, smaller competitors and early-stage companies may never get out from underneath the challenge of tailoring a new product to the specific requirements of each law.

The Problem with State-Wide Privacy Laws

When California introduced the California Consumer Privacy Act (CCPA), it was a groundbreaking moment with significant implications for tech companies not just in the Golden State but worldwide. The CCPA and the European Union’s GDPR were transformative for businesses working with customer data – making the necessary changes allowed companies to continue doing business with the tens of millions of customers in California and hundreds of millions in the EU.

But in early 2022, Virginia established its own privacy law, the Virginia Consumer Data Protection Act (CDPA). Connecticut will follow close behind this year with its own rules, while Utah’s privacy regulations will go into effect on December 31, 2023. State privacy laws differ in their scope, penalties and method of enforcement. For example, California’s CCPA allows residents to sue companies for data collection violations, while other states empower their attorney general to impose fines for violations. 

Inconsistent state privacy laws burden businesses, requiring them to establish separate, highly-specific protocols for relatively small collections of users in different states. For small companies trying to bootstrap growth with a limited number of employees, these regulations will serve as an impenetrable barrier to success. State-level regulations also create roadblocks for companies that have embraced remote work, making it difficult to maintain employees in different states nationwide.

No Time to Wait for Federal Privacy Regulations

American startups and other small enterprises simply cannot keep pace with a growing patchwork of state-level regulations. As statehouses begin their 2023 sessions – many with newly elected majorities – we can expect an increasing number of legislatures to follow the examples set by California and Virginia. Each new state regulation represents another headache for businesses trying to scale nationally or globally. 

To preserve American businesses’ innovation and competitive positioning, Congress must simplify data privacy regulations with a federal compliance policy. Common-sense privacy legislation will establish a single, unified set of expectations for data collection and management.

The federal government has an opportunity to make a true difference for American citizens and business leaders alike. New legislation could close loopholes, stamping out unscrupulous data practices and creating an environment where consumers can trust companies with their personal information. And by cutting bureaucracy at the state level, Congress can clear a path for all companies – not just the digital giants – to create a wide range of new, innovative technologies.

What’s hot on Infosecurity Magazine?