Dear Chair Gallegos:
The U.S. Chamber of Commerce (“Chamber”) urges the Committee to disapprove House Bill 307 (“HB 307”). In today’s digital economy, it is critical that consumers have strong uniform privacy protections and enjoy innovative products and services. While we appreciate the efforts of Representatives Herndon and Rubio, the bill’s sponsors, the Chamber has strong concerns regarding the bill’s lack of small business exemptions and the inclusion of a private right of action, which has a long track record of abuse. Furthermore, HB 307 deviates significantly from the “Consensus Privacy Approach” found in most states with comprehensive consumer privacy protections.
Data privacy laws have a significant impact on the operations and prospects of small businesses. According to a recent Chamber report, Empowering Small Business, 70 percent of small businesses stated that technology platforms such as payment apps, digital advertising, and delivery, help them to compete with larger companies. However, most of these small business owners are concerned that a patchwork of state privacy laws will create an uneven playing field by exposing them to higher litigation and compliance costs which they do not have the resources to deal with.[1] Consistency, uniformity, and workability are critical to ensuring small businesses are not disproportionately harmed by data protection laws.
Over 100 million Americans, in states such as Texas, Colorado, Utah, and Indiana enjoy privacy protections under the Consensus Privacy Approach. Under this framework consumers have the right to delete, access, and correct data as well as opt out of targeted advertising, sales, and certain automated profiling.[2] We believe that the Consensus Privacy Approach strikes the right balance in arming citizens with privacy protections while fostering innovation.
There are several areas where the proposed legislation differs from this framework. Accordingly, we encourage you not to pass HB 307 until it is appropriately aligned with the Consensus Privacy Approach.
I. Applicability to Small Businesses
All states that have adopted Consensus Privacy Approach have attempted to reduce burdens on small businesses by establishing data subject number or revenue percentage thresholds a company must exceed to be considered covered entities. Again, it should be kept in mind that small businesses will bear a disproportionate burden because they do not have the same compliance and legal resources as larger companies.
We agree with states, such as Indiana, which have carved out small business that have data records of fewer than 100,000 state residents or do not earn most of their revenue from data sales.[3] However, HB 307 does not harmonize with the Consensus State Approach because it would not exempt any small businesses from compliance.
II. Data Minimization Standard
The Consensus Privacy Approach generally allows companies to use data for what is reasonably necessary to provide a product, service, or a disclosed purpose. This contrasts with prohibitions on data usage allowing companies to only use data for what is “strictly necessary” to provide a good or service. A “strictly necessary” data minimization standard would significantly inhibit innovation as covered entities may have new consumer-friendly business uses for data throughout different times of product and service development.[4] However, HB 307 would restrict the use of “sensitive data” to what is strictly necessary to provide a good or service. This treatment of sensitive data may inadvertently prevent societally beneficial uses of data meant to promote inclusion for example.
III. Enforcement
HB 307 as drafted calls for the inclusion of a private right of action which would lead to abusive litigation especially against small businesses. The adoption of the Consensus Privacy Approach would strike the right balance by exclusively vesting enforcement authority with the Attorney General.
We thank you for the opportunity to comment. For the reasons stated above to protect privacy, encourage innovation, and prevent a state patchwork, we encourage you not to pass HB 307 until it is appropriately aligned with the Consensus Privacy Framework. We look forward to working with you and the legislature on this critical issue.
[1]U.S. Chamber of Commerce, “Empowering Small Business,” (September 2024) at 14, 25 available at https://www.uschamber.com/assets/documents/Impact-of-Technology-on-Small-Business-Rep
[2]Jordan Crenshaw, “What Congress Can Learn from the States on Data Privacy,” (January 2024) available at https://www.realclearpolicy.com/2024/01/30/what_congress_can_learn_from_the_states_on_data_privacy_1008521.html
[3] See Ind. Code § 24-15-1-1(a).
[4] U.S. Chamber of Commerce, “Data for Good: Promoting Safety, Health, and Inclusion,” (January 2020) available at https://americaninnovators.com/research/data-for-good-promoting-safety-health-and-inclusion/
