House Privacy Coalition Comments on Request for Information to Explore Data Privacy and Security Framework

The undersigned organizations, representing multiple sectors of the business community, offer the following principles in response to your Request for Information on a national privacy and security framework. Consumers have more options than ever when it comes to goods, services, information, and entertainment. Data-driven innovation, digital advertising, and investment enable consumers to take advantage of faster, higher quality, and customized services at lower costs. This Fourth Industrial Revolution, which relies on data and technology, requires policies that respect individual privacy, promote choice and competition while spurring innovation. Legal certainty is crucial for achieving those goals, and it is incumbent that consumers have assurance that their data is safeguarded and used responsibly.

As representatives of businesses who serve those consumers, we request that Congress undertake the legislative action needed for a fully preemptive comprehensive national privacy law. Such action will increase access to employment, education, health care, communications, and the ability to meet family needs. Furthermore, a national privacy standard will help start-ups and main street businesses compete on a broader scale, helping to lower prices and widen consumer access to goods and services. These policies are also necessary due to technological developments, including the increased application of Artificial Intelligence throughout the economy.

Accordingly, we offer the following principles to achieve this goal:

I.               A National Privacy Framework 

Consumers and businesses benefit when there is certainty and consistency regarding laws and enforcement of privacy protections. They lose when they must navigate a confusing and inconsistent patchwork of state laws. While the United States already has a history of robust privacy protection, Congress should adopt a federal privacy framework that fully preempts state laws related to data privacy and security to establish a uniform privacy standard.  

II.              Individual Rights 

People should have the right to determine how personal information about them is used, collected, and shared. For this reason, properly scoped to allow for beneficial data uses, we believe individuals should be given the right to: 

• Know whether a company is processing personal information about them;
• Correct inaccurate data upon verification and delete personal information about them not required to be retained for permissible purposes;
• Obtain a portable copy of personal information about them where practicable; and
• Opt out of targeted advertising (as commonly defined) that is based upon online activities across unaffiliated websites and digital properties over time, sale of personal information about them for remuneration, and automated profiling that facilitates decisions that produce adverse legal or similarly significant effects on a consumer 

III.            Transparency

Federal privacy legislation should require companies to disclose their data practices in a public privacy policy including: 

• The categories of data processed by companies;
• The general purposes for processing data;
• How consumers can exercise their rights; and
• Categories of third parties with whom companies share data 

IV.            Responsible Data Use 

Companies should limit the collection of personal data to what is reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer. In order to promote trust, federal privacy legislation should: 

• Require companies to obtain consent before processing clearly and appropriately defined sensitive consumer data, with properly scoped exceptions to allow for beneficial data uses;
• Prohibit unlawful discrimination using data, including retaliating against consumers for exercising their privacy rights; and
• Provide clear and defined roles and responsibilities for parties that collect and process data  

V.              Security 

Organizations processing consumer data should establish, implement, and maintain reasonable administrative, technical, and physical security practices that are appropriate to the volume and nature of the data being used. 

VI.            Preserving Beneficial Data Uses 

Federal privacy legislation should explicitly preserve the processing of personal data for beneficial purposes such as offering goods and services; using payment data to complete transactions; maintaining business operations; offering bona fide customer loyalty programs; First Amendment protected activities like journalism; effectuating product recalls; processing of publicly available records, employment and worker information; complying with laws; supporting law enforcement; fulfilling warranties; promoting security; preventing, detecting, protecting against, and responding to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or illegal activity; independent measurement; commercial and scientific research; commercial credit; advertising and marketing; marketing research; improving products and services; allowing product recalls; dealing with technical errors; and reasonable internal operations. 

VII.          Small Business Protections 

Small businesses should benefit from federal preemption while also not being required to have the same compliance burdens as larger companies. To provide adequate small business relief, privacy laws should only apply to companies that annually process the personal data of over 200,000 people or those who annually process the personal data of over 50,000 and derive over 50 percent of revenue from sales of that personal data, while also ensuring that its preemption provisions prevent states from regulating these small businesses. Legislation should also substantively promote the use—with appropriate privacy protections—of digital tools like targeted advertising and analytics that even the playing field and enable small businesses to compete. 

VIII.        Reasonable Enforcement and Collaborative Compliance 

Federal privacy legislation should encourage cooperation between the business community and government, not promote adversarial action that results in frivolous litigation. The Federal Trade Commission and State Attorneys General should have exclusive enforcement authority, with guardrails on state level enforcement to prevent duplicative actions. This should include the converged market for online and communications services. Where appropriate, such as in the insurance sector, previously existing state enforcement agencies should retain exclusive enforcement authority. Businesses should be given a reasonable opportunity to cure violations of the law that do not result in harm before enforcement actions can be taken. Businesses should also have reasonably equivalent obligations to protect consumer privacy under federal law and not be subjected to duplicative requirements or enforcement from agencies other than the Federal Trade Commission.  Additionally, Congress should support the development of industry-based approved certification programs that can aid compliance and provide businesses with presumptions of compliance for conduct covered by such programs.

            We look forward to working with the 119^th Congress to ensure that consumers and businesses have certainty that their individual privacy and data are protected and that consumers can benefit from continued innovation.

About the authors

Jordan Crenshaw

Crenshaw is Senior Vice President of the Chamber Technology Engagement Center (C_TEC).

Read more