WASHINGTON, DC — Late last month, Iowa became the sixth state to pass consumer data privacy legislation, joining a list that already includes California, Colorado, Connecticut, Utah and Virginia. The state is the latest but not likely the last to do so, with nearly a dozen states — including New York and Texas — considering some form of comprehensive consumer privacy legislation.
If this patchwork approach to legislation continues to cross the country, the cost of compliance to businesses could eventually hit $1 trillion over 10 years, according to a report by the Information Technology and Innovation Foundation. Even California's official impact assessment projected the cost of the California Consumer Privacy Act (CCPA) on the state's businesses to be $55 billion. The massive cost of compliance with more and more state-based laws could impact marketing budgets, customer experience and the ability for brands to introduce new products and services.
How brands can navigate this increasingly complicated landscape was the topic of discussion during a panel at the IAB Public Policy & Legal Summit on April 3.
The elephant in the room — superseding federal legislation that could simplify the field of state-led privacy laws — remains a potential panacea, if not a particularly likely one, given the divided Congress and increased political polarization. This year, Congress will likely focus on a few major priorities — raising the debt limit, funding the government, reauthorizing the FAA, a Farm Bill — that could open a window for federal privacy legislation.
"You have some moving vehicles and some things that, one way or another, are going to have to get to the President's desk," said Nicholas Choate, senior policy advisor at Venable, during the panel. "For the purposes of privacy, or tech generally, those are the things I would be watching, because once you have that moving vehicle, it's pretty easy, especially in an environment where standard bills aren't moving, to try to attach things to those."
Aside from hitching a ride on those vehicles, the path toward federal privacy legislation during this Congress is a narrow one, especially as the presidential cycle looms. While there seems to be bipartisan support for action against TikTok, there has not been meaningful discussion about privacy or tech antitrust this session.
"It's to be determined whether the rhetoric can die down enough that we're able to find common ground," Choate continued. "To the extent there's bipartisan interest in doing something to rein in big tech, we're still pretty far apart on what that looks like. But you never know."
Fixing a federal approach
A key focus of the discussion was how the current landscape is vastly different from just a year ago, when the American Data Privacy and Protection Act (ADPPA) was passed by the House Energy and Commerce Committee, by a nearly unanimous vote, but stalled on the House floor. Reviving ADPPA in this session would be difficult, given that it had already been the subject of a difficult, compromise-filled process that saw the legislation drastically reworked several times in just a few months. Going back to the drawing board to address the ambiguity and unintended consequences of ADPPA that were a result of the fraught process would likely doom the bill this time around.
"If there were attempts to drastically rework some of the core elements of that bill, you could see key supporters leaving — both folks on the Hill and key stakeholder groups — and that could put us back at square one, which would be unfortunate," said Keir Lamont, director for U.S. legislation at the Future of Privacy Forum, during the panel.
If Congress were to work on a new version of ADPPA, industry stakeholders would likely push legislators to address some of the concerns they had with the legislation, according to panelist Maneesha Mithal, a partner at Wilson Sonsini Goodrich & Rosati. Mithal noted that the draft legislation lacked clarity around whether targeting advertising must be opt-in or opt-out; what constitutes so-called "dark patterns" that cause users to make unintended decisions about their privacy; and what "duty of loyalty" data collectors have to consumers.
Until Congress continues work on federal privacy legislation, marketers will be at the mercy of an increasing number of states with laws that often overlap but have their own approaches and requirements. Mithal suggested marketers focus on several areas around compliance, including creating data maps that track what data is being collected and for what purpose and updating contracts, notices and subject access requests to remain in compliance with new legislation.
The cost of compliance until federal legislation is passed, possibly superseding state-level regulations, will cut into other business priorities, from increasing marketing budgets to expanding into new product lines to offering new services, said Alex Propes, government affairs and public policy manager at Google. Getting data privacy right at the federal level could lead to better outcomes for both businesses and consumers.
"When you have nuances between the different bills, that creates challenges that aren't necessarily providing a better consumer experience," Propes said. "We need something that's done at the federal level that balances utility and makes sure that businesses can still grow and compete, and also provides these consumer privacy rights to the world."