Crazy quilt of state privacy laws could cost businesses $1 trillion

A new study shows that state privacy laws could create significant compliance costs for both in- and out-of-state businesses.


Allowing the states to regulate data privacy could cost businesses more than $1 trillion in the next 10 years, according to a new study by the Information Technology & Innovation Foundation.

So far, the report noted, only a handful of states have enacted privacy laws, including California, Colorado, and Virginia, but more states are likely to pass laws in the coming years. Since 2018, 34 states have passed or introduced 72 privacy bills regulating the commercial collection and use of personal data. However, as more laws are passed, they will create significant compliance costs for both in- and out-of-state businesses and confusion for consumers.

The ITIF estimates that, without a federal law governing data privacy, a patchwork of laws in 50 states could impose out-of-state costs of between $98 billion and $112 billion annually, with small businesses picking up from $20 billion to $23 billion of that tab annually.

"Our hope is that putting this policy model out there helps policymakers understand and pay attention to why we need to get privacy legislation right in this country," ITIF Vice President Daniel Castro said at an online forum held January 27.

Legislation should minimize compliance costs and restrictions on data use

The report calls for Congress to pass legislation to create a national privacy framework that streamlines regulation, establishes basic consumer data rights, and minimizes the impact on innovation.

Ideally, it continued, such legislation should protect and promote innovation by minimizing compliance costs and restrictions on data use, for example by allowing consumers to opt out of data collection in general—rather than requiring them to opt in—and by avoiding data-minimization requirements, purpose-specification requirements, limitations on data retention, and privacy-by-design requirements.

Whatever legislation Congress passes, the report identified two provisions as critical to any federal measure on data privacy: pre-emption of state laws and a ban on a private right of action for violations of the law.

"We feel that it's really necessary that we pass a federal privacy law, pre-emptive, that allows one standard for all businesses and consumers so they can understand their responsibilities and innovate using one standard," Carl Holshouser, senior vice president for operations and strategic initiatives and corporate secretary at TechNet, a provider of tools and resources for users of Microsoft products, said at the ITIF forum.

Federal right of action would "open floodgate" to privacy lawsuits

He maintained that a single standard is also important for businesses, especially small- and medium-sized businesses, trying to protect their data from bad actors. "It's a lot harder for a small- or medium-sized business to be sure that they're doing the right thing to comply with a regime that will protect them from litigation but also help them control their systems and protect the data within them," Holshouser said.

According to the report, there is no need for a federal law to establish a private right of action, because doing so would open a floodgate of expensive and unnecessary lawsuits against organizations subject to the new law.

"We do not want to see a private right of action with no guardrails," declared Caleb Williamson, state public policy associate at ACT | The App Association, an advocacy group for small tech companies, also speaking at the forum. "We recognize and have seen on the state level how a private right of action can be used to harass businesses and create financial damages to small businesses, forcing them to fold."

Copyright © 2022 IDG Communications, Inc.