State Adds Further Complexity to the Privacy Hodgepodge
By Krisztina Pusok and Edward Longe, American Consumer Institute
This week, lawmakers in Olympia, WA will, for the fourth time, attempt to pass a comprehensive data protection bill styled on the 2018 California Consumer Privacy Act (CCPA).
The proposed Washington Foundational Data Privacy Act (WFDPA) seeking to provide 7.7 million Washingtonians with greater data privacy rights, fails to strike an important balance between consumers’ data privacy rights and creating a regulatory environment that allows small and medium-sized enterprises to operate and flourish in the state of Washington.
Passing WFDPA would also further entrench the mismatch of data protection rules, creating further uncertainty and complexity for small and medium-sized businesses that operate across state borders.
What would make more sense for safeguarding consumer data privacy and security is for Congress to enact a federal data legislation that provides those protections to all Americans, no matter in what state they reside.
WFDPA would specifically apply to any company that conducts business in the state of Washington and has access to “personal data of 100,000 consumers or more” or derives “over 25 percent of gross revenue from the sharing of personal data” or controls “or processes personal data of 25,000 consumers or more.” Once these benchmarks are met, a company must provide consumers with the right to know what information they hold on them, allow them to have their data deleted, and allow them to correct inaccurate data.
Companies subjected to WFDPA have 15 days to reply to any request and cannot charge a fee unless the request is “manifestly unfounded or excessive, in particular, because of their repetitive nature.” Failure to comply with WFDPA would result in a $2,500 fine or a $7,500 fine for intentional violations.
Similar to the CCPA, the bill would also create the Washington State Data Privacy commission, which would function in the same capacity as the California Privacy Protection Agency and be “vested with full administrative power, authority, and jurisdiction to implement and enforce” data protection rules. Finally, the WFDPA text also carries a private right of action provision.
Given that the Washington bill carries a lot of similarities to the CCPA, it’s important to understand the implications. For example, when CCPA became law, the California Attorney General’s office estimated the initial cost of complying with the CCPA stands at $55 billion. On top of the initial $55 billion, estimates suggest the cost of long-term compliance could reach $16 billion annually.
In the impact assessment of CCPA, the state estimated firms with fewer than twenty employees “will incur $50,000 in initial costs,” while medium-sized firms employing between twenty and one hundred people can expect to “incur an initial cost of $100,000.”
Onerous data privacy provisions for small and medium-sized companies will not spare consumers. For consumers, the costs of compliance could translate into more expensive goods as higher operating costs are passed through to consumers. For small businesses, increased compliance costs mean fewer capital resources to invest in research and development, preventing them from growing and focusing their resources on developing new products and services.
The onerous data privacy provisions will undoubtedly create further uncertainty for businesses that want to operate in Washington state. Currently, the United States is a mismatch of data protection laws, regulations, and principles, with 50 different laws ranging from robust protections in California to almost no protections in states like Alabama or North Carolina.
With a new bill on the table in the state of Washington, companies will need to expand valuable financial resources on understanding and complying with the new rules while also complying with all the legislation and regulation in the 49 other states. As the Washington Legal foundation noted, “these laws create operational inefficiencies and distort interstate markets for data, products, and services.” As a result of these inefficiencies, consumers end up paying more for goods and services, a trend that WFDPA will only intensify.
While Washington’s data protection bill is a step in the right direction, it should be readily apparent that the CCPA-styled bills are set to fail balancing consumer data protection rights and creating a regulatory environment that enables small and medium-sized companies to operate. The only way these negative consequences could be mitigated is if Congress passes a federal data legislation that offers consumers the protections they demand and businesses the certainty to operate across state lines.
Krisztina Pusok is the Director of Policy and Research and Edward Longe is a Policy Manager at the American Consumer Institute, a nonprofit educational and research organization. You can follow them on Twitter at @KrisPusok and @EdwardLonge. For more information about the Institute, visitwww.TheAmericanConsumer.org.