A new study shows that state privacy laws could create significant compliance costs for both in- and out-of-state businesses.

Allowing the states to regulate data privacy could cost businesses more than $1 trillion over the next 10 years, according to a new study by the Information Technology & Innovation Foundation (ITIF).

So far, the report noted, only a handful of states have enacted privacy laws, including California, Colorado, and Virginia, but more states are likely to pass laws in the coming years. Since 2018, 34 states have passed or introduced 72 privacy bills regulating the commercial collection and use of personal data. As more of these laws are passed, the report argues, they will create significant compliance costs for both in- and out-of-state businesses, and confusion for consumers who face different rights in different states.

ITIF estimates that, without a federal law governing data privacy, a patchwork of laws across 50 states could impose out-of-state compliance costs of between $98 billion and $112 billion annually, with small businesses picking up $20 billion to $23 billion of that annual tab.

“Our hope is that putting this policy model out there helps policymakers understand and pay attention to why we need to get privacy legislation right in this country,” ITIF Vice President Daniel Castro said at an online forum held January 27.

Legislation should minimize compliance costs and restrictions on data use

The report calls for Congress to pass legislation creating a national privacy framework that streamlines regulation, establishes basic consumer data rights, and minimizes the impact on innovation.

Ideally, it continued, such legislation should protect and promote innovation by minimizing compliance costs and restrictions on data use. Concretely, the report recommends allowing consumers to opt out of data collection rather than requiring them to opt in, and avoiding data-minimization requirements, purpose-specification requirements, limits on data retention, and privacy-by-design mandates.
Whatever legislation Congress passes, the report identified two provisions as critical to any federal measure on data privacy: pre-emption of state laws, and a ban on a private right of action for violations of the law.

“We feel that it’s really necessary that we pass a federal privacy law, pre-emptive, that allows one standard for all businesses and consumers so they can understand their responsibilities and innovate using one standard,” Carl Holshouser, senior vice president for operations and strategic initiatives and corporate secretary at TechNet, a bipartisan network of technology CEOs and senior executives, said at the ITIF forum.

He maintained that a single standard is also important for businesses, especially small and medium-sized businesses, trying to protect their data from bad actors. “It’s a lot harder for a small- or medium-sized business to be sure that they’re doing the right thing to comply with a regime that will protect them from litigation but also help them control their systems and protect the data within them,” Holshouser said.

Federal private right of action would “open floodgate” to privacy lawsuits

According to the report, there is no need for a federal law to establish a private right of action, because doing so would open a floodgate of expensive, and unnecessary, lawsuits against organizations subject to the new law.

“We do not want to see a private right of action with no guardrails,” declared Caleb Williamson, state public policy associate at ACT | The App Association, an advocacy group for small tech companies, also speaking at the forum.
“We recognize and have seen on the state level how a private right of action can be used to harass businesses and create financial damages to small businesses, forcing them to fold.”