More states have begun writing legislation to protect consumer personal data. There are a variety of approaches and considerations, although most tend to follow a formula similar to that of the California Consumer Privacy Act.
Let us focus on one aspect of these data privacy laws: which businesses are required to comply, and which are exempt. Here we find no consistency from state to state, and that leads to an interesting conundrum of balancing the interests of consumers with those of businesses that collect and use consumer personal data. More importantly, the exemption levels appear to be arbitrary, with no basis for their selection other than that each seems like a good number.
Unlike GDPR, CCPA established an exception for businesses with annual revenue below $25M or companies that dealt with fewer than 50k consumer residents, households, or devices. However, that didn’t last long. CPRA increased the floor to 100k residents or households while keeping the annual minimum revenue at $25M. Unfortunately for Consumer #73,489, your personal data that used to be protected under CCPA is no longer protected under CPRA.
The same holds for you folks in Alaska. Hey, Consumer #94,772, yes you. Unfortunately, your data is not as important to one business as Consumer #101,834’s data is to another business. It very well could even be the same person, simply shopping at two different merchants. Good news for citizens of Washington who shop at companies with annual revenues greater than $10M: your personal data is considered important. Just don’t shop at merchants with annual revenues below $10M, because that exact same personal data is of less importance there.
Let’s consider a citizen of Florida. Shop online at Merchant A with annual revenue greater than $50M, say $51,934,236. Merchant A will need to comply with the proposed Florida Privacy Protection Act. But go to a different website with Merchant B whose annual revenue is only $49,118,836, and they won’t need to comply. Or in a mall, walk from Store A to Store B. The personal data each business collects from that citizen is identical, and the businesses are very close in profile not to mention revenue. Yet, differing standards for duty of care are prescribed by that state’s privacy law (well, for those states that have a law) solely based on an arbitrary number that has no relation to the consumer’s personal data. Why not $30M or $40M or $20M or $60M?
Interestingly, any financial institution of any size operating in each of these states must follow the GLBA Financial Privacy Rule and Safeguards Rule. Per the FTC website, these rules apply to any financial institution, even those businesses that don’t normally consider themselves financial institutions, including “...check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, and courier services.” Often, the personal data collected by a retail online merchant is the same as the data collected by a financial institution, yet the protection afforded to that consumer is very different.
Clearly, state legislators are trying to avoid burdening smaller businesses with the additional costs of ensuring compliance. However, many businesses today leverage cloud-based SaaS offerings for their financial systems, eCommerce engines, marketing, payroll, and websites, among other components of their operations. Many of these solutions have built-in functionality designed to comply with the data laws of various states and international regions. Plus, many privacy solutions are available, often at minimal to no charge, for small businesses with basic compliance needs. For example, NiX offers its solution at no charge for businesses with up to 5M customers.
Perhaps state legislators should be less concerned with the types of businesses they exempt, i.e., retailers of a certain size, and more focused on the thing of real value: consumer personal data.