We live in an increasingly data-driven world. Collecting and analyzing data influences everything in our society, from the ads we see on TV to the products our favorite brands sell. However, despite data being at the core of the 21st century economy and the U.S. leading the world in technology and innovation, we lack a clear national regulatory framework for protecting data and consumer privacy.
Instead of a national privacy law, America has a confusing mix of state laws, half-baked legislative proposals that should terrify small businesses, and industry-specific policies that at best don’t help consumers and at worst actually compound problems. California already passed privacy legislation that goes into effect in 2020, and 26 states are currently considering privacy legislation.
Small businesses cannot afford to navigate a unique privacy regulation for each state, and their ability to grow and compete is undermined by the morass of state laws that require armies of compliance lawyers. Even America’s biggest companies will be overwhelmed if 26 states pass new privacy laws.
It’s time for Congress to act. They must provide one privacy law that protects all Americans, including those who operate businesses that utilize data. But lawmakers should not be too hasty; they must legislate carefully and learn from recent missteps in the European Union and in California — especially about the unintended consequences that have disproportionately harmed small businesses.
In Europe, the General Data Protection Regulation (GDPR) has devastated small online advertising networks. In six months since a law intended to police the largest data-driven advertising companies became effective, the smallest companies have lost about 25 percent of their market share. In addition, GDPR has burdened small businesses with substantial new regulatory costs, and investor confidence in tech startups may be fraying as evidenced by markedly declining investment in tech startups.
In California, the Consumer Privacy Act demonized data collection and data science and tried to emulate the heavy-handed GDPR. This law will also harm small data-driven businesses, and it is no surprise that California’s tech industry and investors are already clamoring for the law’s reconsideration and amendments.
America needs a national privacy law that’s simple but strong, with one set of rules that every company must follow and every consumer can understand. Our privacy law should punish bad actors while allowing innovative small businesses and startups to grow, and penalties should recognize the difference between a billion-dollar tech giant with customized and proprietary software, and mom-and-pop businesses that work with out-of-the-box solutions and third-party providers.
Small businesses compose 99.9 percent of all American businesses and employ 47.5 percent of our workforce. A privacy bill that ignores the impact on small business is bound to harm hardworking families and innovators looking to make their mark in the digital age. Privacy legislation that does not preempt inconsistent state laws could slow the growth of online commerce and chill innovation and our digital economy.
America’s small businesses can’t afford any more delay. The data driven age is here to stay, and it’s time for Congress to act. Privacy should be one of the top priorities for the 116th Congress, both to protect American consumers and to promote the success of digital small businesses.
Karen Kerrigan is President and CEO of Small Business and Entrepreneurship Council, Rhett Buttle is Co-Executive Director of Small Business Roundtable, and Jake Ward is President of Connected Commerce Council.