Inviting Startups to the Privacy Regulation Party

Last week, a joint committee hearing of the California Assembly Judiciary Committee, the Business, Professions and Consumer Protection Committee and the Select Committee on Privacy explored the issue of what should be done next when it comes to consumer privacy in California.

Unfortunately, many of the individuals and companies who would be impacted by measures taken by the legislative body were not invited to the party. While the hearing played host to a variety of privacy experts and academics, it failed to include more practitioners and companies who are grappling with these issues from a business perspective on a daily basis. The voice of small businesses and true startups was nearly absent.

One practitioner, the American Civil Liberties Union's Chris Conley, appropriately pointed out that there should be and is "an economic cost to not being transparent." This is precisely why many larger companies that can afford to do privacy compliance do it: they want to avoid public relations moments that cost them a lot of money. Even larger companies want to avoid the regulatory ire of the Federal Trade Commission or state-level agency action that, while they can afford to manage it, causes unnecessary and time-consuming legal issues to arise. Target's recent data breach is a good example of why large companies have privacy programs in place, as well as communication plans in case of a data breach.

It was unsettling to hear some who gave testimony intimate that privacy compliance does not have a cost if "companies do their jobs." Actually, it does cost human capital, money and time to effectively manage privacy.

There are distinct legal and management costs to institutionalizing privacy, which should be the real goal. It's not free. Whether you are a startup that can barely afford to put some notice mechanisms in place for users, or a multinational corporation that spends millions on privacy and security compliance, there is a cost, in dollars and the inputs of human capital. The goal for several years, as the privacy debate has heated up, has been to convince more companies that having a budget for these costs will be worthwhile to their bottom line, since consumers will start to make decisions based on how a company handles privacy and data security.

Statements that play down what it takes to effectively make privacy an imperative at a company, along with legislative bodies and agencies continuing to talk only to the Googles and Facebooks of the world, drove comments like those from Santa Clara University law professor Eric Goldman, who stated, "We need to talk to not just the big incumbents."

The "should we regulate" conversation is continuing to drive towards the regulation of social networks, which currently are not regulated under an umbrella framework at the federal level in the United States. If we have learned anything from past attempts to regulate areas where technology innovation is moving quickly, such as copyright, it is that not talking to small businesses and startup operators will eliminate a critical voice in the conversation about how such regulation would be practically implemented.