When evaluating California data regulation, don’t forget the thousands of US firms no longer operating in the EU
National Small Business Week offers an opportunity to take stock of the potential impact of the California Consumer Privacy Act. The Small Business Administration reports that independently owned and operated enterprises of limited revenue and head count employ more than half of all American workers and create two-thirds of America’s new jobs. Sen. Jerry Moran (R-KS) recently called a hearing on this topic and elicited feedback from realtors, startups, rural internet service providers, and community development organizations. The hearing highlighted how entrepreneurs use personal data to improve the buying and selling of homes, compete and innovate with larger firms, improve customer service, and solve problems with advanced computing.
Many are concerned about how the CCPA will affect small business, as minimum compliance costs are running about $100,000 per firm, which is more than most small businesses spend on their entire information technology budget. It is helpful to review the outcomes of Europe’s General Data Protection Regulation in its first year. Senate Commerce Committee Chair Roger Wicker (R-MS) called an additional hearing to inquire how to improve notice and consent regimes and consumers’ knowledge so that they can make informed choices and to ensure that legislation doesn’t create unintended consequences and perverse outcomes such as the unwitting collection of more personal data reported in Denmark.
Last week, Helen Dixon, head of the Data Protection Commission of Ireland (considered the linchpin of GDPR enforcement given the many tech companies — Facebook, Twitter, WhatsApp, Google, AirBnB, Microsoft, and Oath — headquartered there) testified before the Senate Commerce Committee: “We haven’t seen any direct evidence of organizations having to shut down because they could not meet the compliance burden of the GDPR once they understood the practical way to implement it.”