Dear Chair Cavanagh and Vice Chairs Irwin and Huizenga:
The U.S. Chamber of Commerce (“Chamber”) appreciates the opportunity to provide comment on SB 659, the “Personal Data Privacy Act.” In today’s digital economy, it is critical that consumers have strong uniform privacy protections and enjoy innovative products and services. While we appreciate the willingness of Senator Bayer, the bill’s sponsor, to address concerns of the business community, we offer concerns about the most recent draft version of the bill.
Data privacy laws have a significant impact on small businesses. According to a recent Chamber report, Empowering Small Business, 70 percent of small businesses stated that technology platforms, such as payment apps, digital advertising, and delivery, help them compete with larger companies yet a majority of these entrepreneurs are concerned that a patchwork of state privacy laws will expose them to higher litigation and compliance costs which their larger competitors are more apt to bear.[1] Consistency, uniformity, and workability are critical to ensuring small businesses are not disproportionately harmed by data protection laws.
Over 100 million Americans in states like Texas, Colorado, Indiana, and Virginia enjoy privacy protections under the “Consensus Privacy Approach.” This framework gives consumers the right to delete, access, and correct data as well as opt out of targeted advertising, sales, and certain automated profiling.[2] This approach strikes the right balance in empowering citizens over their privacy while fostering innovation.
Although the Chamber recognizes that the bill’s sponsor is working to align the legislation with the Consensus Privacy Approach, there are several areas where we have identified that SB 659 differs from this framework and encourage you to amend the bill to appropriately align with other states.
I. Applicability to Small Businesses
All states that have adopted comprehensive privacy legislation have attempted to reduce burdens on small businesses by establishing data subject number or revenue percentage thresholds a company must exceed to be considered covered entities. As discussed previously, small businesses will bear a disproportionate burden because they do not have the same compliance and legal resources as larger companies.
We agree with states that have adopted the Consensus State Approach, like Indiana, which have carved out small businesses that have data of fewer than 100,000 state residents or do not earn the majority of their revenue from data sales.[3] However, SB 659 does not harmonize with the Consensus State Approach because it would not exempt small businesses that derive any revenue from data sales. Given SB 659’s broad definition of data “sale,” many small businesses who are not operating as data-broker companies and sharing data for legitimate consumer-friendly purposes may lose their exemption.
II. Data Minimization Standard
The Consensus Framework approach generally allows companies to use data for what is reasonably necessary to provide a product, service, or a disclosed purpose. This contrasts with a “strictly necessary” approach in which companies may only use data to provide a good or service. A strict data minimization approach would significantly inhibit innovation as covered entities may have new societally and consumer-friendly business uses for data throughout different times of product and service development.[4] However, SB 659 would restrict the use of “sensitive data” to what is strictly necessary to provide a good or service. Such an approach may inadvertently prevent societally beneficial uses of data meant to promote inclusion for example.
III. Customer Loyalty Programs
Consumers overwhelmingly support loyalty programs. Although we appreciate SB 659’s attempt to preserve bona fide loyalty programs when consumers exercise their privacy rights, we are troubled by the requirement that the program “benefit to the consumer is proportional to the benefit received by the [business] in collecting personal information from the reward, feature, discount, or program.” This requirement diverges from the Consensus State Approach and the business community is concerned such a subjective standard will cause retailers, restaurants, and other loyalty program offerors to scale back these programs in Michigan because of the uncertainty of how the Attorney General will interpret what is proportionate and expose companies to unnecessary liability.
IV. Enforcement
SB 659 as drafted strikes the right balance by vesting enforcement authority with the Attorney General. We also believe that to encourage collaborative compliance, privacy legislation should provide for a right to cure period that does not expire to track what other states like Virginia, Indiana, and Texas have implemented.
We once again thank you for the opportunity to comment. For the reasons stated above to protect privacy, encourage innovation, and prevent a state patchwork, we encourage you to focus on passing SB 659 and harmonize it with existing state laws.
[1]U.S. Chamber of Commerce, “Empowering Small Business,” (September 2024) at 14, 25 available at https://www.uschamber.com/assets/documents/Impact-of-Technology-on-Small-Business-Rep
[2]Jordan Crenshaw, “What Congress Can Learn from the States on Data Privacy,” (January 2024) available at https://www.realclearpolicy.com/2024/01/30/what_congress_can_learn_from_the_states_on_data_privacy_1008521.html
[3] See Ind. Code § 24-15-1-1(a).
[4] U.S. Chamber of Commerce, “Data for Good: Promoting Safety, Health, and Inclusion,” (January 2020) available at https://americaninnovators.com/research/data-for-good-promoting-safety-health-and-inclusion/
