Federal data privacy laws are coming; Here’s what you should consider

Editor’s note: The opinions expressed in this commentary are the author’s alone. Ryan Weber, KC Tech Council president, on Tuesday testified before a U.S. Senate subcommittee on “Small Business Perspectives on a Federal Data Privacy Framework.”

I recently had the privilege of testifying before a U.S. Senate Subcommittee, chaired by U.S. Sen. Jerry Moran, R-Kansas, about the potential impacts federal data privacy laws could have on small and startup tech businesses. You can read our full testimony here.

Before I ask you to contact your elected officials — and you should — it’s important everyone understand what’s coming because this law won’t only impact businesses. Anyone who stores or shares data over the web will be affected. And unless someone printed this piece for you to read, this means you.

The European Union (EU) was among the first to pass data privacy laws called the General Data Protection Rights (GDPR). These laws don’t just impact EU-based companies or those doing business there. The same rights protect the users, individuals, from the EU who visit websites, regardless of where the company with the website is located.

Last year, California passed the Consumer Protection Act (CCPA) rather swiftly and shocked many in the tech industry. Though different in many ways, the spirit of this law has some of the core principles written in GDPR. Many other states have soon followed suit and proposed their own set of statutes. The resulting effect could be a patchwork of varying state-by-state laws, confusing users and making compliance nearly impossible for companies.

In my conversations with tech companies, big and small, there is strong support for the U.S. to pursue overarching data privacy laws at a federal level. There is little to no support for states to continue and pass their patchwork of individual laws. The cost to comply with could be overwhelming for small and startup companies. Enforcement would also be inconsistent. In other words, it’d be a mess. Therefore, it’s crucial Congress act to preempt these state laws with a sensible federal law.

As this legislation is developed by Congress, here are key questions for tech companies to consider:

1. How should Congress US control the “bad actors,” without overregulating everyone else?
2. What entity should be enforcing these laws? Should states have a role with enforcement?
3. Regarding enforcement, how should fines be determined? What about on the first offense?
4. How should Congress define sensitive data?
5. If exemptions for small business were created, how should Congress define a small business?

Data privacy is a complicated issue, and these questions are only a small part of the overall debate. A draft bill is forthcoming, and this conversation will continue to heat up once we have something tangible to debate. In the meantime, I encourage KC’s tech community to continue to discuss this issue. And yes, I want you to contact your elected officials, and I think they’d appreciate your thoughts on the questions above. Your voice matters and they do listen.

Ryan Weber is president of the KC Tech Council, a nonpartisan, regional advocate for the Kansas City tech industry.