Should Feds or States Govern Consumer Privacy?
California recently made waves with the passage of comprehensive consumer data protection rules — rules the private sector has sharply criticized for adding to an already hard-to-navigate national patchwork.
But would a federal standard be better? Or, as one expert at a SXSW panel on the topic of consumer privacy put it, should states be allowed to inadvertently “export” their policies to others?
And despite the number of people who skip terms and conditions statements on apps and software, Megan Stifel, cybersecurity director with the nonprofit Public Knowledge, said the idea that consumers aren’t concerned about their data privacy is “patently wrong.” All too often, she argued, they simply aren’t aware of their exposure to data sharing practices or what to do about it.
“If consumers really want to be off the grid, so to speak, as much as they can, it ought to be easy for them to do that,” Stifel said.
When asked whether federal pre-emption would be a step toward solving the problems faced by consumers and companies, opinions were mixed. While Stifel argued against taking the protective power from state, fellow panelist and cybersecurity and data privacy attorney Megan Brown argued in favor of predictability.
Stifel said that while over-regulation would undoubtedly hamper innovation, any rules made by the federal government would need to make a real impact.
“We can’t set the bar so low that we don’t actually change the dynamic,” Stifel said.
For her clients, Brown said the inability to navigate data policy everywhere they do business leads to legal problems and can even stand in the way of positive progress. She pointed to language in the California legislation that mentions “olfactory information” as an example of overly prescriptive language that might limit future data use.
“Data that a company collects today might have a really amazing use in the future that we can’t predict,” Brown said.
Where Brown said the federal government could provide the most guidance would be in the areas of liability and enforcement. As she sees it, the Federal Trade Commission (FTC) and state attorneys general would be logical choices for enforcement.
“I think what we see drafted goes much beyond the kinds of things that people are really concerned about people having,” Brown said.
In Washington, D.C., Stifel said companies that rely on data flows for survival are anxious to see legislation that would head off stiff privacy protections like the one in California.
U.S. Rep. Robin Kelly from Illinois said crafting legislation that is effective while not hampering the market hinges on two things: educating legislators on the issues and having the right stakeholders at the table.
Kelly was sympathetic to the idea that over-regulation could have long-lasting impacts on the market, but said citizens are increasingly concerned about the issues surrounding the use and protection of their data.