The Age of Personal Data Protections: Privacy Laws Need to Catch Up

Since the internet has existed, it has been about sharing. Sharing pictures with our friends, sharing ideas with anyone who would listen, sharing real-time news with people around the world and, before we knew it, sharing our personal data with companies (sometimes without even realizing it). While sharing is one of the characteristics that makes the internet the informative and empowering economic engine it has become, it has also left us vulnerable.

Policymakers around the world have taken note of these vulnerabilities and data protection and privacy laws are finally taking center stage. Bold frameworks have been proposed at the state, regional and national level, while it is crucial we develop policy that protects the privacy of all Americans, we must do so in a balanced manner that takes all voices into account. If behemoth technology companies like Facebook are losing their user base due to new privacy rules, imagine how this will impact startups.

Six months ago, the European Union introduced the General Data Protection Regulation, which gives EU citizens more control over their personal data, restricting how companies — who offer goods or services to customers or businesses in the EU — gather, store and use personal data. While the unprecedented protections that the GDPR provides EU citizens is noble, the one-size-fits-all rule set does not differentiate between behemoth companies and small startups, putting entrepreneurs at a disadvantage. EU policymakers aren’t the only ones taking the lead on providing privacy protections for its citizens.

India policymakers introduced the draft Personal Data Protection Bill 2018 in July, designed to give individuals control of their personal data. At its core, the proposed rules make individual consent central to data sharing and require companies who use personal data to do so only for the purposes intended in the first place. Many aspects of the Personal Data Protection Bill 2018 follow the GDPR rules and other legal frameworks around the world, however, in its current form, it still needs work— particularly the mandates on the local storage of certain types of data.

And on a regional level, state legislatures in California passed a new digital privacy law granting consumers more control and insight of their personal data in July. The California Consumer Privacy Act, which comes into effect on Jan. 1, 2020, while not as expansive as the GDPR, is considered to be the most stringent privacy protection in the United States to date. Unlike the GDPR, the CCPA does not treat all businesses the same, only subjecting companies who have annual gross revenues in excess of $25 million, process the information of 50,000 or more consumers, or derive at least 50 percent of their annual revenues from the sale of personal information to the law. While the CCPA is not perfect, this differentiation is critical to providing startups with the opportunity to succeed and grow before being put out of business by overly burdensome regulations.

California has one of the largest economies in the United States and the introduction of the CCPA will likely have a ripple effect across the country. The 116th United States Congress needs to take bold action to address the data privacy concerns of today’s internet, and it’s vital policymakers do so in a thoughtful manner that takes all internet users into account. Startups — from San Francisco to Austin to Boston to D.C. — are enabling innovation and creating technologies that will change the world. It’s our job not to stand in the way.

Melissa Blaustein is the founder and CEO of Allied for Startups, a global network for startups, entrepreneurs, VCs, and advocacy organizations working together to build a worldwide consensus on key public policy issues impacting startups.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.

Morning Consult