Harvey Perlman, Chair
Jane Bambauer, Reporter
Collection and Use of Personally Identifiable Data
Uniform Law Commission
111 N. Wabash Ave
Suite 1010
Chicago, IL 60602
Dear Chairman Perlman and Reporter Bambauer:
The U.S. Chamber of Commerce and the U.S. Chamber Institute for Legal Reform (collectively, the “Chamber) thank you for the opportunity to provide comments to the Uniform Law Commission (“ULC” or “Commission”) on the March 2021 meeting draft on the Collection and Use of Personally Identifiable Data Act. Although the Chamber believes that Congress should pass national privacy legislation that protects all Americans equally, the business community offers several suggestions to maintain state uniformity.
Uniformity and robust privacy protections should be the hallmark of the draft and it is for this reason that the Chamber urges the Commission to adopt Section 17 Alternative B stating that “[t]he [Attorney General] has exclusive jurisdiction to enforce this [act]. This [act] does not provide a claim for damages or injunctive relief by a person.” This is a sound policy approach because private rights of action (“PRA”) drain judicial resources, lead to disparate treatment of what is actionable, create uncertainty in jurisprudence from district to district, and threaten innovation by encouraging potential class action lawsuits based on technical violations and not actual harm to consumers.[1]
Not only is Alternative B good policy, it promotes uniformity. Voters in California adopted the California Privacy Rights Act in November 2020 which empowers a state agency with sole enforcement rights for privacy violations.[2] Virginia recently enacted the Consumer Data Protection Act which similarly gives exclusive enforcement authority to the Commonwealth’s Attorney General.[3] Legislative chambers in Washington and Oklahoma last week passed bills without PRAs. The Uniform Law Commission should follow this emerging uniform approach of giving state agencies enforcement authority and not subjecting companies to lawsuits which would complicate the compliance environment.
To further clarify the draft’s provisions regarding enforcement by the attorney general (“AG”) of a state, the Chamber recommends the following changes to Section 16:
- This section should add a notice and cure provision (ideally 30 days). The new Virginia privacy law provides such opportunity.
- Section 16(a) suggests that a violation of the Act would be a violation of a state consumer protection unfair and deceptive practices (“UDAP”) law, such that violations of the Act are treated as violations of the UDAP law, but this crossreference should be removed or qualified. The state UDAP statute may have a different remedy (like a PRA) or different procedures for violations that are inconsistent with the privacy law, and/or that make little sense in terms of a privacy law. In the alternative, this provision could say that, if the AG shows a violation under the terms of the Act, the AG may seek remedies that the AG only is authorized to seek under the state UDAP law. (These should also be subject to any damage or civil penalty caps specific to the privacy law.)
- Sections 16(b) provides for broad rulemaking authority and does not sufficiently constrain the AG’s rulemaking authority under the Act. The Act should define and constrain the AG’s rulemaking authority to filling certain gaps if necessary, for purposes of predictability for covered entities. Broad rulemaking authority on a state level has the potential to undermine uniformity.
We thank you for this opportunity to comment and look forward to working with you on ways that privacy laws can become more uniform.
Sincerely,
Tom Quaadman
Executive Vice President
U.S. Chamber of Commerce
Harold Kim
President
U.S. Chamber of Commerce
[1] U.S. Chamber Institute for Legal Reform, Ill-Suited: Private Rights of Action and Privacy Claims at 14 (July 2019) available athttps://instituteforlegalreform.com/wp–content/uploads/media/Private_Rights_of_Action__Ill_Suited_Paper.pdf.
[2] See California Privacy Rights Act at Section 17 (https://iapp.org/media/pdf/resource_center/ca_privacy_rights_act_2020_ballot_initiative.pdf).
[3] SeeVirginia Consumer Data Protection Act at §59.1-580(A) (https://lis.virginia.gov/cgibin/legp604.exe?212+ful+SB1392ER+pdf).