As the tech world grapples with the ominous realities of the California Consumer Privacy Act (CCPA), other states are working with various degrees of success to implement their own versions.
That creates the possibility of some serious regulatory landmines for anyone operating in the tech space, as an industry that operates globally finds itself having to operate under different sets of rules in various states and/or localities.
Combine that with the GDPR that’s spooking Facebook and Google in Europe, and it’s understandable to wonder if anyone knows the rules clearly from one location to the next.
A situation like this brings to mind the Commerce Clause in the U.S. Constitution. The Founders gave Congress the power to regulate interstate commerce precisely because it could become so unwieldy for companies operating across state lines to deal with so many different sets of rules.
Is it possible that Congress might step in and establish one set of privacy rules for the entire country? If so, the tech world would still have to deal with the discrepancies between the U.S. and the EU, but that would be more manageable than dealing with 50 sets of rules in 50 states.
Political realities, however, don’t offer a lot of hope this is coming soon.
One major issue, of course, is the fact that control of Congress is currently divided – with Republicans controlling the Senate and Democrats controlling the House of Representatives. Even if there was a privacy law the president was willing to sign, the current power divisions in Washington suggest it would be nearly impossible for a bill to pass both the House and the Senate – especially when you consider the Senate needs 60 votes to overcome a filibuster.
TrustArc CEO Chris Babel, quoted in Consumer Affairs, suggested any federal privacy laws would be driven by the outcome of the United States-Mexico-Canada Agreement on trade, as the trade deal would establish much of the framework that would govern any such laws.
And the trade deal itself is far from guaranteed passage by Congress, which puts in further question any federal effort to harmonize state-by-state privacy laws.
In the meantime, a handful of states will probably pass their own laws. But California remains the elephant in the room because it represents such a large market that almost no one can work in the tech field without touching something or someone in California.
Unless or until Congress passes its own law, the CCPA is essentially America’s privacy act. The tech world has little choice for now but to deal with it.