Nicolas Guibert de Bruet, Attorney at Law and Technology Consultant
Guibert.law Blog Entry
Tuesday, March 3, 2020, at 03:33.
Your company handles consumer data as a normal part of its (online) business. Great! Now, which body of law does your company need to obey? The following jurisdictions each have recently passed their own specific, differing and extraterritorial laws concerning the handling of the private data of their citizens: India, the European Union, Washington State (proposed), California, China, just to name a few. Being wise, you choose to limit the reach of your business, for now, to customers residing in the United States, the site of your current headquarters. You have effectively eliminated the non-U.S. bodies of law. However, you are not out of the woods!
Recently, California enacted its new Consumer Protection Act (CCPA) that dictates requirements for collecting information about customers from California. It seemed to set the high standard for legally accumulating such consumer information, in the wake of the European Union's General Data Protection Regulation (GDPR) compliance deadline last year. Rumblings in the Washington State legislature now reveal that more stringent laws are looming over the horizon, creating an assortment of regulation that may be unworkable for multi-jurisdictional business across the U.S. (let alone worldwide). One tool that remains in the quiver of business associations and chambers of commerce may be the federal preemption of state regulations, through the use of Congress' Commerce Clause enumerated power. A federal act would aim to create a single standard that businesses would need to meet while transacting across the United States, much in the same way that GDPR has streamlined the European regulatory landscape.
The privacy and consumer data protection laws of each U.S. state, and of other sovereign states abroad, do offer the benefit of hindsight to U.S. rulemaking:
• Congress should strive to incorporate the best ideas from all these existing laws, based on deep technical knowledge and workably sound legal principles that tread lightly on extraterritorial overreach; and
• Congress should codify the Department of Commerce's ability to certify reciprocity compliance between the United States and a foreign sovereign, such that businesses in the United States would need to comply only with federal law worldwide. This proposal differs from congressional-executive agreements with certain foreign governments that aim to (a) protect transborder data transfers for transnational criminal investigations; and (b) allow a right of action in the United States for foreign citizens under their country's privacy rights, instead of the hereby proposed federal data privacy law.
Even though you are nimbly taking care of business every day, should you wish for a consumer privacy law like GDPR in the United States? Apparently, at least a pair of choices are actively being proposed today. First there is the Mind Your Own Business Act (MYOBA), and then the more recently introduced Consumer Online Privacy Act (COPRA). Both endow the Federal Trade Commission (FTC), among other agencies, with some new powers. Before you decide which bill you prefer, if any, it would behoove you to plan out your company's strategy for navigating the current patchwork of rules and penalties.