When the California Consumer Privacy Act goes into effect on January 1, it will be the first major piece of American data privacy legislation – but it will likely not be the last. While 22 states currently have some form of data privacy law, many more will soon follow or be updated, if the growing call for regulation of data from nearly 20 billion internet-capable devices currently in use is any indication.
Though legislation from individual states creates layers of protection for constituents, it creates a host of compliance issues in the business landscape – namely, that the individual states’ laws will necessarily have different requirements and demand time and resources to satisfy each of them separately.
“A lot of companies want to build [legislation] on a national basis,” said Bruce Teichner, senior vice president and managing counsel at Wells Fargo, in a panel about the emerging data privacy patchwork at the Bloomberg Law Leadership Forum, held on Sept. 18, 2019, in Washington, D.C. “What is the standard that you are going to apply to the other 49 states? What exactly are you doing and what is the fallback when there are claims and issues in these other 49 states?”
Jo Ann Davaris, global chief privacy officer of Mercer, pointed to the open letter signed by 51 CEOs of major U.S. corporations in September 2019 that called for federal data privacy legislation that preempts individual state laws. That letter, which was signed by the likes of Jeff Bezos of Amazon and Jamie Dimon of JPMorgan Chase, addressed the need for corporate standards but also what they saw as reasonable protections for consumers.
“I know that when corporations speak up on the pro side of privacy, it’s sometimes not with a credibility behind it. Sometimes those that are speaking for privacy have gotten in trouble with the FTC or other enforcement agencies,” Davaris said in the same panel talk.