Small business groups said March 26 that while California's privacy law includes some important protections for consumers, the U.S. Congress should not replicate the state's framework for protecting small businesses or enforcing penalties after a breach.
At a hearing hosted by the Senate Subcommittee on Manufacturing, Trade and Consumer Protection, a panel of small-business representatives said that while they laud the broader goals of the California law, they have a number of concerns about it as well. With the California Consumer Privacy Act set to take effect in 2020, federal lawmakers are considering whether they should adopt a national privacy law that would not only protect consumers but also pre-empt state laws on the issue.
One major concern raised about the California privacy law, which requires companies to notify consumers as to why their data is being collected and which third-party companies have access to their data, among other provisions, is the carve-out it contains for small businesses.
Under state law, companies must meet three requirements to be considered a small business: have less than $25 million in annual gross revenues; make less than 50% of their annual revenues from the sale of personal data; and handle data relating to fewer than 50,000 consumers, households or devices.
It is this last provision that most concerns Evan Engstrom, executive director of Engine Advocacy and Research Foundation, a nonprofit group that works with startups.
"The law sets the threshold for businesses so low that few companies with users in California will qualify," Engstrom said in prepared testimony. He said that if each consumer visits a website that tracks unique visitors from a smartphone, a personal computer, a work computer and a tablet, the 50,000 figure quickly drops to under 13,000 users or devices.
"At the same time, the law doesn't include an on-ramp, meaning that a startup that suddenly becomes popular could immediately find itself in violation of the law," Engstrom said.
Ryan Weber — president of the KC Tech Council, an association serving as the regional advocate for Kansas City's tech industry — agreed that defining a small business under a federal privacy law will be "a challenge," especially since different rules might apply to different sectors.
"Maybe in tech, it is different than what the [U.S. Small Business Administration] defines," Weber said during the hearing.
The SBA's size standards vary by industry but are generally based on a company's number of employees or the size of its annual receipts.
Justin Brookman, director of privacy and technology policy at Consumer Reports Inc., said that traditional size standards often do not work for tech. "For example, at the time of its acquisition by Facebook [Inc.], Instagram [Inc.] had only thirteen employees and negligible revenues; nevertheless, it hosted the personal information of tens of millions of users," he said in prepared testimony.
But Brookman said he would support small business carve-outs in a federal privacy law that exempted smaller firms from access and deletion obligations. Under the California privacy law, consumers have the right to access their information, to delete unneeded information and to opt out of the sale of personal data.
"Some obligations — such as a prohibition on sale of customer data and a duty to use reasonable data security — should attach regardless of the size and scope of personal information possessed by a company," Brookman said.
In the communications sector, ACA Connects – America's Communications Association, a group that represents small to midsize cable operators, suggested in a letter to the subcommittee that any new federal law exempt communications providers collecting personal information from fewer than 1 million consumers.
Weber would also like to see a federal privacy law offer small businesses a first-strike warning in the event of a data breach or attack, rather than making them immediately liable for fines. He noted that heavy fines from regulators can be a "death blow to these companies."
Beyond California, other states — including New York, Massachusetts, Nevada and Washington — are considering their own privacy laws.
Senators at the hearing did not give a sense of how soon they might move on federal privacy legislation, but Sen. Richard Blumenthal, D-Conn., stressed the importance of a bipartisan bill.