Dear Chair Hill:
The U.S. Chamber of Commerce (“Chamber”) urges the Committee not to pass Senate Bill 258 (“SB 258”) as currently drafted. In today’s digital economy, it is critical that consumers have strong uniform privacy protections and enjoy innovative products and services. While we appreciate the efforts of Senator Penzo and Representative Meeks, the Chamber has recommendations to align the privacy components of SB 258 with the “Consensus Privacy Approach” found in most states with comprehensive consumer privacy protections. Moreover, we ask that the artificial intelligence provisions be struck from the legislation.
Data privacy laws have a significant impact on the operations and prospects of small businesses. According to a recent Chamber report, Empowering Small Business, 70 percent of small businesses stated that technology platforms such as payment apps, digital advertising, and delivery, help them to compete with larger companies. However, most of these small business owners are concerned that a patchwork of state privacy laws will create an uneven playing field by exposing them to higher litigation and compliance costs which they do not have the resources to deal with.[1] Consistency, uniformity, and workability are critical to ensuring small businesses are not disproportionately harmed by data protection laws.
More than 100 million Americans, in states such as Texas, Virginia, and Indiana enjoy privacy protections under the Consensus Privacy Approach. Under this framework consumers have the right to delete, access, and correct data as well as opt out of targeted advertising, sales, and certain automated profiling.[2] We believe that the Consensus Privacy Approach strikes the right balance in arming citizens with privacy protections while fostering innovation.
Almost all states that have adopted the Consensus Privacy Approach have attempted to reduce burdens on small businesses by establishing data subject number or revenue percentage thresholds a company must exceed to be considered covered entities as opposed to using the Small Business Administration definition for small businesses. We encourage you to adopt Virginia’s model of exempting small businesses, applying the law only to businesses that process the data of more than 100,000 people or derive a majority of their gross revenue from the sale of personal data if they process the data of more than 25,000 people.[3]
Additionally, SB 258 as drafted does not provide the same clarity on data processing and purpose limitations found in legislation aligned with the Consensus Privacy Approach. We believe states like Texas and Virginia provide the structural framework and clear data minimization language that protects consumers while providing businesses with regulatory clarity.[4]
Although we believe that the privacy provisions in SB 258 are laudable and provide a step in the right direction, we are concerned that Subchapter 6 related to Artificial Intelligence has not received sufficient legal analysis and should be removed from the bill and tabled for later conversation. Just recently, Vice President J.D. Vance warned that “excessive regulation of the AI sector could kill a transformative industry just as it is taking off.” [5] Unfortunately, Subchapter Six reflects policies in legislation in states like Colorado, Connecticut, and California that could hinder the innovation Vice President Vance was referencing.
The Chamber recommends a risk-based approach to AI that instills certainty for businesses and promotes innovation. In 2023, the Chamber’s bipartisan AI Commission called for a regulatory framework in which existing laws are used to address AI risks and only when those laws fail to protect citizens should legislators create targeted, sector-specific, and risk-based laws.[6]
Unfortunately, SB 258 appears to adopt standards that expand liability on companies beyond the current Arkansas Civil Rights Act of 1993.[7] SB 258 as drafted would establish a threshold for algorithmic discrimination based on “impact” as opposed to the Arkansas Civil Rights Act which focuses on intent. We would urge the State of Arkansas to conduct an analysis of current laws and their applicability to AI to ensure state laws harmonize and do not conflict. For this reason, we urge you to strike Subchapter 6 and allow for a more fulsome legal analysis.
For the reasons stated above to protect privacy, encourage innovation, and prevent a state patchwork, we encourage you not to pass SB 258 until it is appropriately aligned with the Consensus Privacy Framework found in states like Virginia and Texas. We look forward to working with you and the legislature on this critical issue.
[1]U.S. Chamber of Commerce, “Empowering Small Business,” (September 2024) at 14, 25 available at https://www.uschamber.com/assets/documents/Impact-of-Technology-on-Small-Business-Rep
[2]Jordan Crenshaw, “What Congress Can Learn from the States on Data Privacy,” (January 2024) available at https://www.realclearpolicy.com/2024/01/30/what_congress_can_learn_from_the_states_on_data_privacy_1008521.html
[3] Va. Code § 59.1-572
[4] Id. at § 59.1-578(1); Tex. Bus. & Com. Code Ann. § 541.101(1).
[5]J.D. Vance, “Remarks by the Vice President at the Intelligence Action Summit in Paris, France” (February 2025) available at https://www.presidency.ucsb.edu/documents/remarks-the-vice-president-the-artificial-intelligence-action-summit-paris-france
[6]U.S. Chamber Technology Engagement Center, “Commission on Artificial Intelligence Competitiveness, Inclusion and Innovation,” (March 2023) available at https://www.uschamber.com/technology/artificial-intelligence-commission-report
[7]Ark. Code § 16-123-101, et al.
