from the don't-forget-the-innovation dept
It may be the tech giants that dominate the headlines when it comes to privacy, but it’s startups that have the most to lose in the ongoing debate about consumer privacy.
With every major misstep from the industry’s biggest companies, consumers lose trust in the Internet ecosystem. It’s the new startups, the ones without long-standing reputations and relationships with users, that consumers abandon first. At the same time, startups don’t have the seemingly endless resources of their big tech counterparts to navigate the resulting legal and regulatory landscape if privacy laws are written with only the biggest tech companies in mind.
We’ve already seen this happen in Europe and California. Without necessarily meaning to, those sets of privacy rules create obligations and requirements that larger companies can navigate while small companies simply cannot. One of the biggest reasons behind this disparate impact is the fact that startups almost always have to rely on a wide network of vendors to do everyday business activities, from data processing, to analytics, to cybersecurity management. Whereas the largest companies can often build these capabilities in house, startups and medium-sized companies need these third parties to keep their companies running.
In Europe, two years after its General Data Protection Regulation (GDPR) went into effect, startups have had to either leave or forgo European markets or shoulder the high cost of ensuring compliance. According to Google, the company spent “hundreds of years of human time” on GDPR compliance, something a startup with a small staff and a bootstrap budget can hardly afford. And the burden of GDPR compliance can fall disproportionately on smaller companies. The law distinguishes between “processors” and “controllers” and imposes different responsibilities and obligations around consumer data on first-party controllers and third-party processors. To comply with GDPR, companies that rely on third-party service providers, or processors, have to negotiate their contracts with those providers and put in place data protection agreements that ensure compliance as user data travels from the controller to the processor. For a small startup relying on dozens of third-party service providers for everyday business needs, that renegotiation process is incredibly costly and time consuming.
And in California, the California Consumer Protection Act—which went into effect in January and will be enforced next month, even though the state’s Attorney General only recently submitted final rules, which might not be finalized before the July 1 enforcement deadline—is expected to cost businesses $55 billion in total, with small businesses spending up to $50,000 each on compliance. As the cost estimate report commissioned by California’s Department of Justice notes, “Small firms are likely to face a disproportionately higher share of compliance costs relative to larger enterprises.” The report cites apparently “overstated” concerns about the impact of GDPR on large companies “while many smaller firms have struggled to meet compliance costs.”
One of the biggest open questions about complexity in CCPA compliance, and therefore increased compliance costs, is the law’s overly broad definition of “sale,” which some are worried could include benign and necessary data sharing. The law defines a sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” Coupled with limitations on service providers and how they can use consumer data, the broad definition of “sale” in the law could make it more complicated for a startup to work with its many third-party vendors.
These complexities get even worse for startups when the rules vary across state lines. Thanks to the Internet, a startup in one state can launch and grow in all fifty states and even abroad without having a large reserve of legal resources. That could leave, for instance, a two-person startup in North Dakota on the hook for complying with different privacy laws in every state where it has users.
Ideally, the varying state laws would be similar enough, or build upon each other, such that complying with the most stringent law for all users also satisfies a company’s obligations in each state where it has users. Unfortunately, this is not the case, and even slight differences in state privacy laws can lead to huge compliance costs, which will fall disproportionately on startups. For instance, some privacy rules considered by state governments limit the standard consumer rights to access, correct, and delete data to data that a company holds in an easily identifiable form. On the other hand, some proposed laws would allow consumers to request to access, correct, and delete any data a company has on them, sparking concerns that companies that follow good data hygiene practices by stripping users’ data of identifying information will be forced to re-identify users’ data to comply with their requests.
And even if a small startup were able to comply with the varying state laws as they’re passed, privacy compliance is a moving target. The number of states considering enacting privacy laws is constantly growing, and even California—a state that already has a comprehensive consumer privacy law on the books—is just now figuring out what exactly compliance with the CCPA looks like, less than a month before the state starts enforcement and as voters consider adding a second privacy law in the state later this year.
With a lack of federal action, it makes sense that state governments and the concerned consumers they represent want to see meaningful privacy protections, but the resulting landscape will be one that small and medium-sized companies have trouble navigating. Instead, Congress should pass a federal privacy law that builds on the goals of the efforts already in place and harmonizes obligations for companies.
One set of strong, sensible, and straightforward privacy protections can protect consumers and promote competition; rushed, uninformed rules will hamper competition without providing consumers with meaningful protections.
Kate Tummarello is the Policy Director at Engine, an advocacy organization representing the startup community.