Why Can’t Congress Pass Federal Data Privacy Legislation? Blame California

Daniel Castro and Ashley Johnson, December 13, 2019

(Ed. Note: The “Innovation Fact of the Week” appears as a regular feature in each edition of ITIF’s weekly email newsletter.)

For the past year, members of Congress have vowed to pursue federal data privacy legislation. While congressional staff have diligently worked on drafting legislation, they have repeatedly missed their deadlines to produce a bipartisan bill. Some observers might think this failure is just another casualty in the partisan divide that shapes many issues in Washington, but the real reason is that privacy activists have tasted victory with their no-compromise approach to data privacy in California. They refuse to settle for anything less at the federal level.

Unfortunately, California’s recently enacted data privacy law is an ill-advised model for the rest of the country. Therefore, it is critical that Congress move forward with bipartisan federal legislation to create a single national standard for data privacy that balances consumer welfare and innovation.

California enacted its new privacy law, the California Consumer Privacy Act (CCPA), in June 2018, to give consumers rights to access the personal data collected on them in the last year; to refuse to allow companies to sell their personal data; to know why this data was collected and what third parties it is shared with; to erase personal data collected on them; and to sue companies that have collected information on them in the event of a data breach.

California’s new law comes with high costs for businesses in every sector. First, companies will have to sink considerable resources into ensuring they are compliant. The state Attorney General’s office estimates that these initial compliance costs will reach $55 billion (the equivalent of $1,375 for every California resident). Tech giants like Google and Facebook may be able to absorb these costs, but for many smaller businesses they present an enormous burden. And, of course, the costs will be passed on to consumers.

That’s just the beginning. Non-compliance costs—including the cost of consumer lawsuits and fines of up to $2,500 per violation—pose an even greater risk. There are different ways businesses can choose to mitigate this risk, but at least for some, the easiest solution will be to simply collect and use less data. While that sounds straightforward, it carries unintended consequences for innovation. Data—and lots of it—is necessary for businesses to use many of the most valuable new technologies like artificial intelligence and the Internet of Things, and companies that limit their use of these technologies are going to be less competitive than peers that do not.

But the unintended consequences of the CCPA go beyond business: The law is also a major obstacle to Congress passing federal data privacy legislation. Most American businesses just want a reasonable, uniform privacy law that applies everywhere and doesn’t impose such high costs. But with a stringent state law like the CCPA already set to go into effect, many privacy activists see little reason to compromise on federal legislation. If a federal bill isn’t as severe as California’s, then they would rather keep adding on more state laws, even if it ultimately hurts consumers by raising costs for businesses and limiting innovation. Privacy lawyers in particular are salivating at the potential business opportunity not only to ensure that corporations comply with new laws, but also to sue and defend against potential private rights of action. Indeed, ITIF has estimated that poorly drafted federal privacy legislation—which would be scant improvement over a patchwork of state laws—could cost companies $122 billion per year, compared to $6 billion for a more narrowly crafted law that addresses the most important consumer privacy needs.

The CCPA is often compared to the European Union’s General Data Protection Regulation (GDPR)—another broad, sweeping law that advocates claim is the gold standard of privacy legislation. But one of the main goals of the GDPR was to create a uniform privacy law for the entire EU. The CCPA, on the other hand, replicates the worst of the GDPR’s costly provisions while ignoring how it was designed to streamline regulation, instead threatening a future in which U.S. companies must comply with 50 different state privacy laws.

With the CCPA scheduled to go into effect on January 1, most of the attention is on how this law will impose massive new costs on businesses and disrupt innovation. But the law’s true legacy could be that it dooms the prospects of reasonable, bipartisan federal data privacy legislation. Hopefully, members of Congress from both sides of the aisle will refuse to allow California to set the rules for the rest of the nation and move forward with a balanced privacy proposal.