There’s no sweeping federal US consumer data privacy law, and so far, all the action has been at the state level. The California Consumer Protection Act (CCPA), which went live last month, is similar to the EU’s General Data Protection Regulation (GDPR) in regard to increasing consumer access and control over personal information. But it goes further, enabling consumers to find out what information a company collects about them, and to sue companies if they believe the law has been violated, even if there is no data breach. 

Unlike GDPR, CCPA mainly affects large companies that collect or sell data as a core part of their business. Therefore, the emphasis of CCPA is giving consumers the option to opt out of the sale of their data, as well as setting clear requirements for “do not sell my personal information” links on websites and apps. With explicit permission, companies can still share personal information with third parties, and can offer financial incentives to consumers to obtain permission for collection or use of their personal information for specific purposes. 

Although California, Maine and Nevada are the only states to have passed privacy laws so far, approximately nine other states have proposed data protection laws on the table. 

The cost of compliance

To comply and respond to consumer requests, most businesses will have to invest in new data management systems, implement new processes and standards, and hire additional employees at significant cost. In fact, the State of California’s estimate of the total cost of initial compliance with CCPA is $55 billion. Though some small businesses are exempt, it is best that they are prepared and invest in sophisticated data management and reporting systems. The cost for ongoing compliance, including potential fines, is estimated to come in at $467 million to $16 billion over the next 10 years.

Additionally, beyond the financial implications for companies, the consumer is also affected. On the one hand, some will appreciate how these regulations force companies to slow down their marketing. On the other hand, while we all probably would like to receive fewer marketing emails, a better solution would be for businesses to make their marketing more personalized, relevant and useful to the recipient -- which requires good data. 

Surveys show that nearly three-quarters of consumers expect that companies will anticipate their needs and make recommendations for better customer experiences. Instead, reconciling the differences between state laws for national marketing efforts will make it more difficult for companies to collect and use data, which may have the adverse effect of making marketing less personalized -- and more annoying. 

Furthermore, more regulation does not necessarily result in smarter consumer decision-making. What we’re already seeing with GDPR is user fatigue instead of greater transparency, such as the human impulse to click “I accept these terms” without reading the pages of required legalese. Another good example of this is the millions of US consumers who readily accept the terms of TV manufacturers when setting up a new television, allowing manufacturers to track what’s being watched. 

Finding a balance

Some experts believe too much regulation hurts businesses, particularly start-ups, and their ability to access data to support innovation. However, others say that too little regulation allows companies to take advantage of consumers’ data (e.g., data brokers, advertisers, etc.). Insufficient regulation can also result in data violations, so it’s important to figure in the costs associated with the fines, as well as money spent by consumers to clean up fraud perpetrated using stolen personal information.  

The federal vs. state privacy law debate also has two sides. Some argue that a federal law would be watered down by compromise and offer little recourse for consumers who would have to wait for Congress to act. However, it would be wise to side with the “federalists” because a multitude of different state regulations will be an unnecessary burden to businesses. 

We need to take a step back and truly weigh the pros and cons -- and incorporate learnings from GDPR outcomes -- before moving forward to ratify additional state laws. A federal law is necessary as a consistent foundation that will reduce confusion and litigation and benefit consumers as well as businesses.

A federal law that standardizes acceptance forms and language for consumers would make implementation vastly easier for companies, as well as more transparent for consumers who would understand what they’re agreeing to. When federal regulations are put into practice and we see evidence of their efficacy, perhaps states could then enact additional measures as needed to further strengthen the law as they saw fit. 

Vivek Lakshman is co-founder and VP Product of Reve Marketing, where he leads product management and operations for this growing company focused on data-driven personalized consumer experiences. Reve Marketing offers Mulch.ai to help companies activate content and gather zero-party data, the data that consumers are willing to share with brands they trust.