Stronger privacy regulations in the manner of the European Union’s General Data Protection Regulation (GDPR) are almost universally seen as a net good for consumers. However, as with most debates that pit private and public interests against each other, there is a legitimate competing interest to consider. New privacy regulations that stress consent of the individual mean added compliance costs, and those are often quite significant. While a Google or an Apple may be able to bear these costs without much pain, it can be much more of a burden on small businesses.
The U.S. is marching toward GDPR-like privacy regulations, with certain states (such as California) already passing comparable legislation. A number of federal proposals are on the table, and something could be in place as early as 2020. While this is generally seen as favorable to consumers no matter what form the national legislation ends up taking, small and medium-size businesses (SMBs) are worrying about what the associated costs of new data privacy laws will be.
The main concerns of small businesses in the U.S.
The Connected Commerce Council, a non-profit digital technology industry organization that focuses on small business needs, recently published the Small Businesses Data Regulation and Responsibility research report. This report surveyed SMBs throughout the country to sample business views on new and stronger privacy regulations.
A broad mix of business types were surveyed, with 12 categories ranging from agriculture to finance. Business sizes ranged from 5 to 500 employees and about $25,000 to $1 million in annual revenue. The demographics included were meant to mirror 2016 census data on country business patterns. Persons surveyed were either small business owners or key decision makers at their respective companies.
Surprisingly, even though 80% of respondents said they knew very little about data protection law, 72% support improvements to privacy regulations. The big caveat there is that those changes must not cause distress to their day-to-day operations. 56% of the respondents believe there will be a negative impact to their business if there is any change to current regulations, and only 15% believe that policy makers will pass regulations that do not adversely affect small businesses.
The study appears to indicate that U.S. SMBs largely understand the need for privacy regulations based on the examples of personal information mishandling by giant companies such as Facebook. However, they are not at all confident that such regulation will avoid being overbroad to their detriment. Only 40% of these companies felt that a “one size fits all” regulatory approach would be best for small businesses, and only 16% believe that policy makers know how to properly regulate digital platforms and social media.
This is hardly an unfounded concern. While the majority of the respondents may not know much about privacy regulations, it’s readily apparent that most of Congress doesn’t either. Only about 4% of its members come from a tech background, the median age of the House is 58 and the Senate is 65, and a lack of basic tech literacy has been regularly put on display during events such as last year’s hearings on data breaches. While no one wants to engage in ageism, senators such as Orrin Hatch and Patrick Leahy made very clear during the Facebook hearings that they come from an era prior to the internet and really have no intention of making a serious effort to catch up with technology.
The two main concerns that these SMBs had were the public performance of senators regarding tech matters and a belief that lawmakers have little understanding of the importance of digital marketing to a modern business plan. Other concerns were a simple lack of trust in the government, the inability of regulators to keep pace with current threats, and a perceived preference for enterprise-scale companies over small and medium-size businesses.
Privacy regulations and knowledge gaps
Company size definitely influences knowledge and preparedness levels. 51% of the companies that had at least 250 employees felt they had a high level of knowledge of data protection and privacy regulations, while only 12% of the smallest companies shared that confidence.
A similar correlation can be seen in terms of revenue. More profitable business respondents tend to be more confident in their ability to handle regulation. As revenue goes down, so do self-reported knowledge and preparedness. This is a particular problem in the U.S., as small businesses with five or fewer employees are the most numerous.
Federal vs state regulation
Respondents had a very slight preference of 1% for national rather than state regulation.
Like larger businesses, SMBs were concerned about having to track unique privacy regulations for each different state. Some respondents also believed that small businesses would flock to the states with the most lax regulations, something that could incentivize states to intentionally fail to address personal data protection properly. 61% of those favoring a national bill cited uniformity and consistency as their main determiner.
The state regulation supporters were primarily concerned about the political and economic differences between states, and a general distrust of any federal agency that might be regulating them.
Regulation without unfair burden
Respondents across the board were clearly open to the idea of new privacy regulations, but strongly believed that the needs of small businesses had to be addressed for them to work. These SMBs were also very open to the idea of new regulations applying only to larger companies at first, with blanket regulations that apply to all businesses being adopted later. The overwhelming majority also felt that there should be different sets of rules for the tech giants and for the SMB category.
The small businesses surveyed were solicited to provide direct quotes on the matter. The concerns that came up included:
- Worries about new privacy regulations necessitating a complete overhaul that can’t be handled without losing business
- Lack of budget to implement necessary changes forcing companies to simply go offline
- Concerns about new regulations impeding growth
- Fears of inability to start a business due to regulatory burden
- Concerns that even if SMBs are not unfairly burdened, increased costs for larger tech companies will be passed on to the SMBs that rely on their services
Given that organizations with fewer than 500 employees make up 99.7% of the U.S. economy, it would appear that assuaging SMB concerns about fairness will be key to getting regulations in place that everyone is content with.