Congress has faced calls for federal privacy legislation for years, including from the startup community, but a privacy bill remains on the to-do list.
At a hearing before the August recess, there was bipartisan support for federal privacy law. And a key House panel this week voted to spend a record-breaking $1 billion on privacy enforcement at the Federal Trade Commission (FTC), indicating that consumer privacy is still top of mind for lawmakers. But Congress has yet to pass, or even advance, an actual bipartisan consumer privacy bill that creates strong protections for consumers and consistent obligations for companies across the country.
Without leadership from Congress, states have taken the lead. California moved first with its California Consumer Privacy Act (CCPA) in 2018. There are now at least three states that have passed privacy legislation — Virginia, Colorado, and a second privacy measure passed as a ballot initiative in California in 2020 — while at least four other states have advanced privacy bills through the legislative process. The bills being considered and passed at the state level share a lot of the same high-level goals, but, as we’ve explained, even small differences in obligations under the laws can create a complex patchwork that is impossible for startups to navigate. As Rep. Bob Latta (R-Ohio) explained during the hearing earlier this year, “this patchwork of state laws as it breeds confusion and leaves gaps in consumer protection. … It’s not realistic for small and mid-sized companies to follow 50 different privacy laws.”
On top of state governments writing their own rules of the road, the FTC has hinted at using its narrow rulemaking authority under Section 18 of the FTC Act — which authorizes the Commission to establish rules that define the acts and practices that are unfair or deceptive in or affecting commerce — to write privacy regulations. In response to the reports about the FTC exploring issuing its own privacy rules, Rep. Cathy McMorris Rodgers (R-Wa.) warned at the hearing this summer that Congress, not the FTC, should create the national privacy framework. “I am concerned about rumors of the FTC acting outside of Congress and issuing a rule on privacy,” she said, calling a federal privacy law “something we desperately need.”
As we’ve long argued, both consumers and startups can benefit from a federal privacy law that allows the user’s greater control over their data and prohibits abusive data practices. For startups, a federal privacy law could go a long way towards boosting consumer trust and confidence in the Internet ecosystem. But an unnecessarily burdensome framework — including a patchwork of state laws or the possibility of abusive or misguided litigation against startups — will make it harder for startups to launch and compete against incumbent tech companies with deeper pockets and more resources to spend on regulatory and legal compliance. Initial compliance with California’s CCPA cost small firms an estimated $50,000 dollars. The average investor-backed, seed-stage startup — which is among the most resource-rich of 22-month-old startups, as few startups overall earn investment through formal channels like venture capital — by comparison, is working with about $55,000 a month in resources, meaning CCPA can eat up nearly a month of that short runway.
Congress can create certainty for startups and strong protections for consumers by passing a federal privacy bill. As lawmakers return from recess and consider the already-dwindling congressional calendar, they should prioritize privacy legislation.