> No private right of action in any of those, which means it’s up to the states to enforce the laws.
These laws are nearly worthless when they cannot be enforced by regular people. Laws such as these will be used as weapons by partisan attorneys general who will wield them to settle scores with companies that they don't like. When an organization that they do like violates a state privacy law, no action will be taken against them.
If they actually cared about data privacy, they would have written the law to be more like the TCPA, which can be enforced by anyone.
Serious question: in an interconnected online marketplace, how are you supposed to comply with these granular state and sometimes municipal laws?
Is there some kind of monitoring database or notification that you can subscribe to?
It seems very expensive for every single business to have a compliance lawyer specifically for this task of complying with each state's mandates to a tee.
> Serious question: in an interconnected online marketplace, how are you supposed to comply with these granular state and sometimes municipal laws?
Identifying standards/laws and then combing through them for applicable requirements is just part of early product design.
When there are an overwhelming number of jurisdictions, start with the local ones in depth. Do a survey on the rest to get a flavor for what other areas are doing. Shape the product so that compliance is most likely already done or easily actionable when you get around to deep-diving the other jurisdictions' rules.
I get that software-only products often don't have to do this, but it's not like it's a dark art. And while having a lawyer in the loop is important, you're rarely asking them to read the standard/regulation to you. They help you understand and digest when needed, and make sure you're doing it right.
Now, the topic at hand here is privacy, which is a bit different. Finding a design that respects privacy and is probably fine nationwide is much less complex than morphing the product by jurisdiction to match the local minimum viable compliance.
I've argued in the past here on HN that your first employee should probably be an attorney--or at the very least have one on retainer, and got absolutely roasted for it. I still believe it though. How do you even know if your software product is legal everywhere you plan to distribute it? Are there any states that forbid what you are doing? Are all your dependency licenses really compatible? Are your logging practices legal in the EU? A single lawyer is not going to be a deep expert in Polish law, but he or she will be able to at least give general advice to keep the product from being dead on day one.
We laugh-complain about "ha ha the lawyers are designing our products now" but it kind of has to be the case in the complex legal environment businesses operate in.
I work as a lawyer for a business that has lots of lawyers. Compliance with differing state laws is indeed very expensive. I would personally like to see a federal privacy statute that preempted these various and sometimes inconsistent state and local privacy laws.
> I would personally like to see a federal privacy statute that preempted these various and sometimes inconsistent state and local privacy laws.
It would have to be under the auspices of Interstate Commerce (to be legal under enumerated powers) but even then can Congress override State and local law?
That's basically my reason for wanting all laws to be simplified to the point that an average person can remember at least half of them[0] in aggregate — if people don't know their rights or responsibilities without having to pay a lawyer, that feels unjust by my standards.
That said, there's no rule of nature that says running a business has to be cheap; it may not be optimal if all the laws in each marketplace are different, but I feel much less strongly about it — and not just because higher levels of government can unify and simplify when things get too much, nor just because I'm in Europe and one side of the border is all Rindfleischetikettierungsueberwachungsaufgabenuebertragungsgesetz and the other is Ustawa o przeniesieniu zadań z zakresu nadzoru nad etykietowaniem wołowiny because it's not just the law that isn't unified.
[0] of those laws that apply in general, at least; there's no need for normal people to know details of the accounting laws that apply to businesses unless the society really does want everyone to be a small business owner
> It seems very expensive for every single business to have a compliance lawyer specifically for this task of complying with each state's mandates to a tee.
It is. I've worked in healthcare, and it's not uncommon to have very specific requirements. However, there's no obligation to geolocate your customer beyond a simple request for their zip code, so it doesn't get too difficult from an engineering standpoint.
I think in practice, what ends up happening is that small businesses don't really bother to comply while they fly under the radar. Or they just end up buying an e-commerce plugin that handles the minimum.
We had one for GDPR and then they just added support for CCPA when that was a thing.
Right. The big guys with assets like Facebook and Google spend millions to comply.
The small guys duck under the radar.
It's kind of silly, but it's what happens when you have tons of laws. There is no realistic way a business of 1-10 people is going to be able to comply with every law in every state AND country they do business in.
Comprehensive doesn't mean effective. Just going by a comment below the article, some of these laws are opt-out and any recourse is held solely by the state. Private citizens have to proactively declare their rights and, when they're violated, plead to your state AG to do something, which will probably be prioritized right to the bottom of the pile.
~ 5 minutes of ducking;
> "exceed $25 million in revenue, and meet one of these criteria:
> Control or process information of 25,000 or more Tennessee consumers per year and derive more than 50% of gross revenue from the sale of personal information; or
> Control or process information of at least 175,000 Tennessee consumers. ..."
At least for this one, it appears there's no need for a startup to have lawyers just for this, and if your startup gets to $20 million, you can afford the ~$400 to create another LLC and split your income and not worry about it until you start making 49 million per year.
<- makes a SaaS that auto-creates a new LLC every time company A gets 174k customers.
<- not a lawyer; 5 minutes of DDG does not replace actual legal research.