Protecting Privacy While Promoting Innovation And Competition
from the don't-forget-the-innovation dept
It may be the tech giants that dominate the headlines when it comes to privacy, but it's startups that stand the most to lose in the ongoing debate about consumer privacy.
With every major misstep from the industry's biggest companies, consumers lose trust in the Internet ecosystem. It's the new startups that don't have long standing reputations and relationships with users that consumers that abandon first. At the same time, startups don't have the seemingly endless resources of their big tech counterparts to navigate the resulting legal and regulatory landscape if privacy laws are written with only the biggest tech companies in mind.
We've already seen this happen in Europe and California. Without necessarily meaning to, those sets of privacy rules create obligations and requirements that larger companies can navigate while small companies simply cannot. One of the biggest reasons behind this disparate impact is the fact that startups almost always have to rely on a wide network of vendors to do everyday business activities, from data processing, to analytics, to cybersecurity management. Whereas the largest companies can often build these capabilities in house, startups and medium-sized companies need these third parties to keep their companies running.
In Europe, two years after its General Data Protection Regulation (GDPR) went into effect, startups have had to either leave or forgo European markets or shoulder the high cost of ensuring compliance. According to Google, the company spent "hundreds of years of human time" on GDPR compliance, something a startup with a small staff and bootstrap budget can hardly afford. And the burden of GDPR compliance can fall disproportionately on smaller companies. The law distinguishes between "processors" and "controllers" and carries different responsibilities and obligations around consumer data first-party controllers and third-party processors. To comply with GDPR, companies that rely on third-party service providers, or processors, have to negotiate their contracts with those providers and put in place data protection agreements that ensure compliance as user data travels from the controller to the processor. For a small startup relying on dozens of third-party service providers for everyday business needs, that renegotiation process is incredibly costly and time consuming.
And in California, the California Consumer Protection Act—which went into effect in January and will be enforced next month, even though the state's Attorney General recently submitted final rules, which might not be finalized before the July 1 enforcement deadline—is expected to cost businesses $55 billion in total, with small businesses spending up to $50,000 each on compliance. As the cost estimate report commissioned by the California's Department of Justice notes, "Small firms are likely to face a disproportionately higher share of compliance costs relative to larger enterprises." The report cites apparently "overstated" concerns about the impact of GDPR on large companies "while many smaller firms have struggled to meet compliance costs."
One of the biggest open questions about complexity in CCPA compliance, and therefore increased compliance costs, is the law's overly broad definition of "sale," which some are worried could include benign and necessary data sharing. The law defines a sale as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration." Coupled with limitations on service providers and how they can use consumer data, the broad definition of "sale" in the law could make it more complicated for a startup to work with its many third-party vendors.
These complexities get even worse for startups when the rules vary across state lines. Thanks to the Internet, a startup in one state can launch and grow in all fifty states and even abroad without having a large reserve of legal resources. That could leave, for instance, a two person startup in North Dakota on the hook for complying with different privacy laws in every state where they have users.
Ideally, the varying state laws would be similar enough or build upon each other such that complying with the most stringent law for all users also satisfies a company's obligations in each state where it has users. Unfortunately, this is not the case, and even slight differences in state privacy laws can lead to huge compliance costs, which will fall disproportionately on startups. For instance, some privacy rules considered by state governments cabin the standard consumer rights to access, correct, and delete data to data held by a company that is easily identified. On the other hand, some proposed laws would allow consumers to request to access, correct, and delete any data a company has on them, sparking concerns that companies that follow good data hygiene practices by stripping users' data of identifying information will be forced to re-identify users' data to comply with their requests.
And even if a small startup were able to comply with the varying state laws as they're passed, the goal of privacy compliance has moving goalposts. The number of states considering enacting privacy laws is constantly growing, and even California—a state that already has a comprehensive consumer privacy law on the books—is just now figuring out what exactly compliance with the CCPA looks like less than a month before the state starts enforcement and as voters consider adding a second privacy law in the state later this year.
With a lack of federal action, it makes sense that state governments and the concerned consumers they represent want to see meaningful privacy protections, but the resulting landscape will be one that small and medium sized companies have trouble navigating. Instead, Congress should pass a federal privacy law that builds off of the goals of the efforts already in place and harmonizes obligations for companies.
One set of strong, sensible, and straightforward privacy protections can protect consumers and promote competition instead of rushed, uninformed rules that will hamper competition without providing consumers with meaningful protections.
Kate Tummarello is the Policy Director at Engine, an advocacy organization representing the startup community
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: ccpa, competition, compliance, gdpr, privacy, regulations, startups
Reader Comments
Subscribe: RSS
View by: Thread
Expected costs
This seems a bit hard to believe, for a random small business. (But I'm not sure which definition of SME is being used here.)
[ link to this | view in chronology ]
Re: Expected costs
Professional legal advice is not cheap, and not something to skimp one when dealing with business regulations.
[ link to this | view in chronology ]
I remember years ago when a company challenged market incumbent Microsoft with the slogan "don't be evil". For those smaller companies that can stay afloat in the sea of burdensome regulation, they need to stake out this position, that they're not some fly-by-night operation, that they value privacy more than the established corporations, and generate some loyalty at the expense of those who don't.
[ link to this | view in chronology ]
Lack of Innovation
Privacy laws are going to get passed, too many companies have abused personal data. Whether these laws are state, federal, or international doesn't
change that they will impose a cost on companies, and costs applied to all companies will hurt small companies more. This is true for many protective legislature, like the ADA and OSHA laws. Sure these future privacy laws are going to negatively impact a ton of startups, but that's because the current ecosystem is based on companies abusing personal data. These laws (let's ignore their implementations for a moment) are intended to make those kinds of business models unattractive.
Companies didn't have this level of access to their customer's data before, but with modern technology has made it trivial to collect. Why wouldn't a company take advantage of this new revenue stream? It's free money after all. These privacy laws should push companies to use private data only when it's needed. Yes this will harm some startups, but it will also open the doors for other startups that don't need that data.
Imagine a VC is considering two companies, one that has a business model that will be collecting personal data while providing a service and another that provides a similar service without collecting personal data. In the current ecosystem it makes no sense to go with the second company which only produces one product, when the first company produces two. Change personal data collection to something that isn't a guaranteed revenue stream into something that could potentially be a huge expense and now the second company is a viable choice worth considering. It's this choice that allows more innovation to enter the market.
The article argues the need for a federal level law, rather than individual states, but I don't agree with that. Business have to deal with differing state laws in all sorts of arenas, why should privacy be any different? OSHA lays down a federal standard, but allows states to implement their own laws that exceed the federal rules. Perhaps this could be a natural way for smaller companies to compete with larger ones. While Google, Facebook, and Amazon are all having to deal with state, federal, and international rules, a Texan company might choose to just serve Texans, and use the money it's not spending on inter-state or international compliance to innovate.
Of course this all depends on the specific implementations, and we've seen how the GDPR's execution leaves much to be desired. I don't think this should be framed just as "privacy vs innovation", there will be innovation regardless of the ecosystem. Right now the deck is stacked for the business models that abuse private data, and that is what needs to change. We can't let innovation be guided only by the bottom line.
[ link to this | view in chronology ]
Re: Lack of Innovation
Why wouldn't a company take advantage of this new revenue stream? It's free money after all.
Maybe because it kills trust and creates other longer term issues? I mean, we've deliberately avoided using those business models here.
These privacy laws should push companies to use private data only when it's needed.
This sounds good in theory, but as we've seen with similar laws "needed" is very much open to interpretation.
Imagine a VC is considering two companies, one that has a business model that will be collecting personal data while providing a service and another that provides a similar service without collecting personal data. In the current ecosystem it makes no sense to go with the second company which only produces one product, when the first company produces two. Change personal data collection to something that isn't a guaranteed revenue stream into something that could potentially be a huge expense and now the second company is a viable choice worth considering. It's this choice that allows more innovation to enter the market.
This assumes that the two services are identical. What if the one that collects data can actually provide a much better service?
Business have to deal with differing state laws in all sorts of arenas, why should privacy be any different?
Because most small businesses are local. So they really only need to deal with one state's laws. It's only internet businesses that are automatically available basically everywhere.
[ link to this | view in chronology ]
Re: Re: Lack of Innovation
This is precisely my point, there is mostly just moral reasons to avoid those business models. Clearly those reasons carry little weight for a lot of companies. Privacy laws would hopefully add some financial weight in the form of compliance costs to help balance the equation. There will always be companies who forego morality to pad their bottom line. If they have to consider how much and what kind of data to collect and manage then maybe it won't be worth sacrificing customer trust.
I also assume the privacy laws are implemented well, which of course is a bit idealistic. To continue my example, the VC could go for either one based on a number of other variables I'm sure exist, but perhaps the service that does not have to worry about compliance could better compete on price, while the other could market itself as a premiere service. The finer details of VC decision making is well outside my expertise but I believe well implemented privacy laws could increase viable choices and be a net positive.
Internet companies being automatically interstate is where I see room for improvement. I've seen websites that only ship in their own country, why should every new web based business be forced to be interstate? Limiting a customer base to one state may not have much advantage, but that's for some clever innovators to explore. Unless the federal privacy law prevents states from enacting their own laws on top of it, there's going to be interstate compliance issues to worry about anyway.
[ link to this | view in chronology ]
And Ill
[ link to this | view in chronology ]
Re: And Ill
What? First of all the CARB exemptions are related specifically & solely to vehicle emission standards under the CAA. It does not have anything to do with the CWA, nor any other part of the CAA. Secondly, it does not allow California to have more lax emission limits, but to create stricter emission limits. So, in fact the federal governments attempt to revoke the waiver is an attempt to force them to lower their standards to the federal level. Also, despite the fact that Trump & the EPA have officially revoked California's authority to set these stricter standards it will be extremely unlikely that they will actually stop applying due to the length of time legal battles between states & the federal government typically take. By the time it would work its way up through the Supreme Court Trump will either be out of office and/or California will have figured out a way to backdoor the limits in... or at least enough so to force another round of legal battles.
On the tech/privacy stuff:
1) "Persistent Pseudonyms" is essentially what we have now. You create an account, you pick the username, you pick the email address you give, & so long as the site is not something explicitly focused on selling you sh-t you never enter an address or anything & if that is what the site does then yeah they kind of have to get that stuff. So, I don't really know what you think would be different with this.
2) Making my best guess at what you mean by "compartmentalized data" if this was to be done you might as well just prohibit the collection of personal data at all. Otherwise you would not only functionally be doing that for all but literally a handful of companies, but you would also manage to not really fix the problem here. Yeah the data would not really be floating around as freely & often as it is now, but the amount of data those handful of companies collect from direct interactions with people is so massive in scale that prohibiting their ability to aggregate data from other sources really doesn't do much of anything about the problem. For the tens of thousands of other companies out there the only value they get from the data they collect is in their ability to sell that to other companies who use that data and/or aggregate it for those who can use it [essentially just companies that directly sell advertising capability to other companies.] While I'm sure there are more than a handful of companies that do this, the vast majority of them sell non-digital services so they would not get any data anymore from this stuff. The ones that do sell digital services though are very tiny in number & are also the same ones with a large enough user base with interactions numerous & broad enough to actually get enough data on people to be useful [i.e. Google, Facebook, & Amazon.] Also don't forget credit score/history companies which I'm going to ignore here, but just know they are very relevant & were around long before the internet.
3) I can't even guess what you mean when you talk about "upstream data vacuuming providers," so I don't really have any comment on it. Sorry.
For the record I should state that prohibiting this type of information from being collected entirely is not something I strongly oppose or support really. The impossibility of it ever happening means I have never really looked that deeply into what all the ramifications would be. I lean towards prohibiting it, but I also understand that it is a really complex issue & the shear scope of what would be effected means anyone really needs to look at it closer before deciding.
[ link to this | view in chronology ]
the law's overly broad definition of "sale,"
"for monetary or other valuable consideration" is the key part of this definition. I think this has also been a key concept in contract / business law ever since there was such a thing. I don't see anything "overly broad" about it.
[ link to this | view in chronology ]
If a problem didn't exist, no one would ever realize there was something to regulate. Once such a problem does exist, you can be sure the regulations will follow and that the regulations will be written by people who don't understand the problem and fuck it up.
[ link to this | view in chronology ]
Compliance Costs
I've never understood why people argue against [or I imagine what they describe as "expressing concern",] over regulations based on the cost/complexity of compliance with small companies. It would seem to me that there would be a fairly simply & pretty effective method to deal with this, if this is the concern. Couldn't the regulatory agency implementing the rule simply have enough staff/funding to provide the on-the-ground assistance small companies need in complying with the rules? Less ideally couldn't there be a tax credit/deduction for the cost small companies incur when a regulatory or legislative change/addition occurs which means some sort of significance threshold test? Also less ideally, couldn't the government implementing the rule actually contract directly with the compliance professionals themselves making them available to small companies to use instead of the companies having to hire them?
To be clear, I don't agree with any of those things or the argument itself broadly speaking. But, if your concern over regulations is merely down to the financial burden of implementing the change for small companies then why not just do one of those things, or some other option I haven't thought of that eliminates this specific concern? It would also likely reduce the overall costs by negotiating smaller fees [i.e. lowering profit margins,] & reducing waste [in a similar kind of way a single-payer health care system lowers overall costs.] This way you eliminate the concern mentioned, while also being able to implement the regulation that people who bring this up appear to agree is in some way good since they don't argue the regulation itself is unnecessary, useless, harmful, etc...
Surely, unless one disagrees with the regulation itself [while not making that argument for some reason,] there are numerous ways to specifically eliminate this ancillary impact on small businesses instead of changing the actual regulation. A change that inevitably weakens the regulation, which again since not arguing against one would assume people with this concern would think is to some degree harmful/bad.
You wouldn't even really need to raise taxes or new sources of revenues to pay for it, since I know some people have incredibly ingrained opposition to the idea of raising taxes. You could theoretically more rigorously enforce existing laws/regulations while also making the fines from violations more accurately reflect the violation [or the company's criminal record.] Then pool those penalty amounts that are going to go to the State instead of as restitution into a fund that is used to cover these costs. This will likely create the "deterrent effect" leading to a reduction in corporate crimes & a corresponding shortfall in the fund for this stuff, but we can cross that road when we get there.
[ link to this | view in chronology ]