Why Is There No Federal Data Privacy Law: Compliance Costs and Obstacles
Federal data privacy legislation has been introduced before, but it has never passed Congress. Smaller companies and larger companies have both objected to such legislation, for different reasons. Small businesses, which make up 99.9% of American businesses, have argued that they cannot afford the compliance costs of implementing and following a federal data privacy law. These businesses have argued that if they were forced to comply with a federal data privacy law, consumers would be the ones to pay the price, in the form of higher prices for goods and services and reduced access to new and innovative products and services.
Larger companies had historically been opposed to the concept of a federal data privacy law, until the passage of the California Consumer Privacy Act and other states’ data privacy laws. Ten years ago, state data privacy laws were at the drawing-board stage. Now, a number of states have passed such laws. Since each state’s law is different, large companies that do business across the U.S., including Amazon, AT&T, Dell, Ford, IBM, and Walmart, are now in favor of a federal data privacy law: complying with a single federal data privacy law costs less than complying with a slew of different state laws.
Why Is There No Federal Data Privacy Law: Recent Developments
Several members of Congress and advocacy groups have already drafted versions of a federal data protection law. One version would roll existing federal data privacy and consumer protection laws into a single federal data privacy law, to be known as the Personal Data Security and Privacy Protection Act. The laws to be consolidated include COPPA, the GLBA, the CAN-SPAM Act, the Do-Not-Call Implementation Act, the Fair Credit Reporting Act (FCRA), Subtitle D of the HITECH Act, the Telephone Consumer Protection Act of 1991, and the Identity Theft and Assumption Deterrence Act of 1998.
The proposed law would only cover companies that meet one or more of the following criteria:
- The company has an annual gross revenue that exceeds $25,000,000.
- The company annually buys, receives for its commercial purposes, sells, or discloses for commercial purposes, alone or in combination, the personal information of 50,000 or more individuals, households, or devices.
- The company derives 50 percent or more of its annual revenues from the sale of personal data.
Under these criteria, only entities that either have significant annual gross revenue or that handle personal data at scale, through the purchase, sale, or disclosure of personal information, would be regulated by the Personal Data Security and Privacy Protection Act. Small businesses that are not in the business of selling or disclosing personal data would be exempt from the law’s provisions.
The law also calls for the creation