Federal legislation often arrives in areas where state laws are so inconsistent that citizens or industries demand uniformity. We have seen this over and over in the history of the United States. For example, we are seeing inconsistent GMO labeling laws prompt a push for a national GMO labeling standard (Safe and Accurate Food Labeling Act). GMO proponents would not normally want mandatory labeling, but a patchwork quilt state-regulatory system is much worse. Will the same issues arise with agricultural data?
There are no federal laws directly regulating the storage, use, or transfer of agricultural data between farmers and ag technology providers. This leaves companies entering the ag data market struggling to interpret 50 state laws to determine whether their products and software run afoul of state privacy laws. There are two areas in particular where it is clear that state laws are inconsistent—and could be an impediment to new technology.
Lack of standard definitions for “personal information.” State law defines what is “personal information” or “personally identifiable information.” That means there are 50 standards, and one state may not define what is personal information the same way as another state.
But I don’t know any state that clearly defines agricultural data as something that is also “personal information.” That can leave companies guessing as to whether collection of ag data is also subject to protections on personal information.
My own opinion is that agricultural data is not what most states consider “personal information,” such as name, address, phone number and social security number. Agricultural data is different, more proprietary in nature.
Lack of common standards for notification of breach. What happens to your ag data if the company where it is stored is hacked, resulting in a breach of security? Will the company notify you and how? The answer to this question requires understanding 50 different state laws, as each one may have a different standard for what a company must do if a customer’s data is accessed from an outside source. This can make crafting a uniform policy for notifying farmers of a breach very difficult for ag technology providers.
Again, since we do not have a common standard for what constitutes “ag data” it is hard to say whether any state law would require notice to a farmer if their ag data were breached. Companies have to make their best guess as to what the law requires if a breach occurs.
Conclusion. I am not an advocate for federal intervention in the ag data space, at least not at this point. The industry is still too young, and the technologies are evolving. Legislation could be speed bump that slows everyone down. But lack of federal regulation does not mean there aren’t issues here that need fixed.