LexisNexis Risk Solutions, which provides aggregated data services in the U.S., has stepped up to assist in passing a national privacy law as an alternative to each states having their own laws.
The company will collaborate with other businesses such as the Consumer Data Industry Association, the U.S. Chamber of Commerce, and the Software Industry Association to advocate for a federal privacy law.
Michael Lamb, chief privacy officer at LexisNexis Risk, believes the California Consumer Privacy Act (CCPA) will have significant unintended adverse effects on consumer protections, which American companies and consumers will be unaware of to a great extent.
“Ecommerce and other online data does not stop at state borders, making us concerned that state by state laws being passed that will vary and create different rules,” he said. “Privacy is a bipartisan issue, but given the challenges in Washington DC, cooperating among the parties isn’t always possible. We do believe there will be an agreement on basic privacy laws either in 2020 or 2021.
This will become very disruptive and costly. One example of the law’s effects is the California Attorney General estimate that the initial cost for CCPA will run to about $55 billion — more than 1,500 for each resident, Lamb said. Another example is the option for fraudsters and criminals to opt out of services designed to protect consumers.
Meetings with congressional staff members are in progress. The group is attempting to identify the core elements of a U.S. privacy law. “We can learn from Europe’s, but the U.S. has its own traditions and first amendment requirements,” he said. “We’re not advocating for an exact duplicate of GDPR.”
Earlier this month Democrats across four Senate committees — Commerce; Judiciary; Banking; and Health, Education, Labor and Pensions — unveiled principles for a comprehensive federal privacy law.
These principles are the basis for comprehensive federal privacy and data protection legislation. Under the new framework, consumers would be able to control their personal information, and corporations, non-profits, and political entities would be held to higher standards for when and how they collect, use, share and protect consumer data.
Lamb said CCPA was triggered by a ballot initiative in 2018, which would have restricted the ability to improve the law. The initiative was withdrawn and then California enacted its own privacy law. It was legislative initiative to prevent a semi-problematic initiative, he said. Some companies like Microsoft have applied CCPA-like restrictions nationwide. Google last week presented best practices. In a blog post it describes a “restricted data processing” tool that aims to help online companies comply with CCPA.
Restricted data processing is intended to help advertisers, publishers, and partners meet CCPA compliance. With restricted data processing, Google restricts how it uses certain unique identifiers, and other data processed in the provision of services to you, to only undertake certain business purposes.
“For products where action is required to enable restricted data processing, partners must decide for themselves when and how to enable it. Some may decide to enable restricted data processing on a per-user basis (for example, following a user opt-out by clicking on a “Do Not Sell My Personal Information” link),” per the post. “Alternatively, for products that support it, some partners may decide to enable restricted data processing for all users in California.”
Lamb also said a federal law could provide a framework for artificial intelligence and the logic that makes up those decisions.