That unintended consequences come with innovation should be no surprise. Today, technology and social media are global cultural obsessions with a tremendous impact on business.
Not that long ago, who would have thought a wallet-sized object like a smart phone would replace nearly every piece of office equipment — telephones, typewriters, copiers, cameras and, to some degree, even desktop computers?
Furthermore, many jobs that were once quite common have largely disappeared. Administrative support, travel departments, interoffice mail delivery: all gone. Think about the woes of the U.S. Postal Service: First, UPS and FedEx gobble up their lucrative package deliveries. Then, e-mail makes stamps and letters into artifacts of a bygone era.
At the same time, technology has spawned new global business behemoths. Apple, Amazon, Alphabet, Facebook, Microsoft and Tesla saw an all-time high combined market value of $8.2 trillion in early September. That’s almost 40% of the gross domestic product (GDP) of the U.S., nearly 60% of the GDP of China and $2.5 trillion more than Japan’s GDP. Those are the world’s three largest economies.
And what’s the business model for most of these tech companies? Largely, it is built on your personal information. What you buy, what you read, who your friends are, even where you travel is being packaged and resold to advertisers and others for targeted communications. Sometimes your data is anonymous and sometimes it’s not. This isn’t a business model that relies on products or even content. It’s a business model based on information that you give up willingly and mostly for free.
In the European Union, the protection of personal data is considered a fundamental human right. The General Data Protection Regulation (GDPR), implemented in 2018, gives EU residents control over their personal data. Even when collected with an individual’s consent, that consent may be revoked at any time. Another purpose of the GDPR is to simplify the regulatory framework by having a single rule for all businesses operating in the 27 countries comprising the EU.
At the federal level, the U.S. has no similar legislation. In 2018, the California Consumer Privacy Act was signed into law; it is largely modeled on the GDPR. Maine and Nevada have also passed online consumer privacy regulations. A Virginia Privacy Act was introduced in this year’s General Assembly session. It has been referred to committee and will be revisited during the 2021 session. At least 20 other states are in some stage of considering consumer data privacy protections.
This morass of pending legislation amounts to a regulatory nightmare for companies doing business in the U.S. Some things, especially those affecting interstate commerce, are best not left to 50 individual states. The U.S. Chamber of Commerce, often reluctant to encourage regulation, has gone so far as to propose model legislation to create a federal data privacy law.
In an age when global companies have become larger than many nation’s economies, the penalties for failing to comply with regulations may seem significant but often are less impactful on corporations than one might think.
In 2012, the Federal Trade Commission charged Facebook with consumer privacy violations related to how the social media giant handled user data. In July 2019, after seven years of negotiation, the FTC announced a record-breaking $5 billion settlement with Facebook. That sounds like a lot of money, but Facebook’s 2019 revenue was $70.7 billion and its net income for the year was $18.5 billion.
Regardless of size, businesses should not be burdened with a multiplicity of regulations varying from state to state. Instead of drafting their own regulations, Virginia and the other states should be seeking a single national data privacy standard. It’s just good business.