Deep Dive: How US Data Regulation Fragmentation Is Affecting Merchants, Consumers


Devising open banking laws that adequately respond to shifting privacy needs and satisfy both businesses and consumers is difficult. U.S. legislators in several states are drafting, voting on or have already passed requirements that address the growing importance of online data and transactions, but these laws often do not integrate well with those passed in neighboring states. Discussions can be further complicated by world events that change the way FIs, businesses and consumers interact. The COVID-19 pandemic has led to a jump in online payments versus those made in stores, for example.

The necessity of such regulations is undeniable, however, as lagging data standards leave businesses and consumers open to fraud and boost frustration regarding the speed of digital transactions. Sixty-three percent of U.S. businesses experienced at least one data breach that compromised a minimum of 1,000 records in 2019. The challenge is coming up with comprehensive rules regarding what data may be shared and how to provide deeper layers of protection for businesses and consumers while also allowing the former to create more personalized services and compete on a global stage.

It can be difficult for U.S. merchants to understand which data may be accessed, however, and this is becoming more challenging as state legislators change, adapt and stretch their open banking and privacy laws. California, New Jersey, New York and Washington have different laws, for example, and companies operating in all of these states must comply with each. Such complexities are frustrating for consumers, who are now confronted with messages asking them to share their details or opt out of doing so.

It is thus critical that merchants take a comprehensive look at recent shifts in U.S. data privacy laws and how companies can comply with any and all of these new rules.

Decluttering the US Privacy Arena

Each state regulator is trying to answer two simple questions regarding these new developments: Which data is important, and which companies can access it? Answers to these inquiries have proved elusive, however, largely because access to privileged information has become key to how a business succeeds over its competition.

Data is valuable and merchants are caught in the middle, as evidenced by the recent questions arising in the EU regarding GDPR’s applicability to healthcare data during the COVID-19 outbreak. Merchants are still unsure which data they have access to under GDPR’s emergency laws, further exacerbating existing confusion over its restrictions. Similar debates have played out in other markets, including California, where merchants can respond to data barriers under both the California Consumer Privacy Act (CCPA) and its Assembly Bill 5, or the “gig economy bill,” regulating data that businesses and freelancers share.

Which companies should — and, most importantly to regulators, should not — have access to data underpins the laws being passed worldwide, from China’s rules governing foreign entities to the battles between social media giants like Facebook and EU lawmakers. This years-long conversation has resulted in regular privacy standard changes and upgrades, but shifting goalposts present a real source of frustration for merchants. These firms are expected to comply with all new rules that present themselves, both in their home countries and abroad — a costly endeavor. U.S. companies spent more than $82 billion on compliance solutions last year, according to one report, and many experts expect these costs to increase given the questions that remain over privacy and online transaction rules.

Fragmentation in U.S. privacy standards is such that merchants can have full access to consumers’ personal data in one state but may be unable to touch crucial details in another — an especially frustrating factor for merchants that conduct business online. The guidelines for data transmission state by state are equally unclear: Legislators in Washington, who are proposing the Washington Privacy Act (WPA), are adamant that large technology companies like Google should not have access to the personal information they currently do, for example. This represents a problem for smaller merchants as well because many rely on companies like Google or Facebook for the data they use to market to or interact with customers.

Other lawmakers are more willing to open online platforms to a broader swath of firms, but that comes with its own set of troubles. The CCPA is strict with these companies, for example, but which merchants the rules actually apply to and what the consequences for noncompliance are remain less clear as a result. Figuring these details out can prove costly, as well: Online invitation service Evite spent $1 million attempting to determine its privacy requirements under CCPA, according to a recent article, and that was after it stopped selling personal information to third parties. It also posted a “do not sell my info” button on its site in addition to its policy change. Other firms have followed Evite’s example in the two months since CCPA became effective.

Such confusion is detrimental to merchants and concerning for the future. Many U.S. companies have watched similarly murky regulations affect businesses in Europe, where SCA (strong customer authentication) measures could potentially lead to EU merchants collectively losing $60.8 billion from consumers who abandon transactions because of added payment frictions. It is difficult to generate loss predictions for U.S. merchants because the rules differ from state to state, but it can be assumed that companies may suffer similar declines in revenue and customer conversions. Defragmenting the U.S. privacy market is thus a matter of necessity for merchants, but this is easier said than done.

Examining Privacy Worldwide

U.S. regulators are searching for solutions that can make the privacy landscape more cohesive, with Sen. Kirsten Gillibrand making regulatory proposals at the federal level, but such legislation is still in states’ hands. Most U.S. merchants operate online and internationally, meaning they not only need to comply with U.S. privacy laws but also those in other countries.

Developing international standards for data access and open banking could ease merchants’ confusion in this area, especially as more businesses operate on a global scale. This would require a single body to agree on a full suite of rules for international application, however, which would likely take years. Many markets are using the EU’s approach to open banking and privacy as guidelines, but GDPR’s true reach remains unclear. Regulators have issued $126 million in fines for noncompliance since the rule’s 2018 introduction, but it is worth noting that much of that figure comes from larger fines levied against companies like Google. Many smaller merchants are relying on their banking partners for GDPR compliance and have thus kept up with the rule.

Any global standard will need to take all of this into account before it can be implemented. It will also have to answer regulators’ questions — which data is important and why — which will remain central inquiries at the heart of such a standard.