SFR USCC Privacy and AI 7 11 24

Published

July 11, 2024


Dear Chair Cantwell and Ranking Member Cruz:

The U.S. Chamber of Commerce (“Chamber”) respectfully submits the following statement for the record for the Senate Committee on Commerce, Science, and Transportation hearing titled “The Need to Protect Americans’ Privacy and the AI Accelerant.”

America needs a national data privacy law that ensures equal protection nationwide. In response to the enactment of the California Consumer Privacy Act, the Chamber became the first national business association to propose model legislation that encompassed opt-out, deletion, and transparency rights.[1]

In 2021, the Chamber endorsed Representative Suzan DelBene’s (D-WA) Information Transparency and Personal Data Control Act[2] (“ITPDCA”) that would have required companies to obtain affirmative consent before sharing, selling, or disclosing consumers’ sensitive data.[3]

In the absence of federal privacy legislation, the Chamber supported the passage of commonsense bills in states like Texas[4], Virginia[5], and Tennessee[6], which have embraced the Consensus Privacy Approach. This approach, which protects over 100 million Americans in sixteen states, most recently including Rhode Island, incorporates the protections in the Chamber’s Model Privacy Legislation and the ITPDCA, but also provides consumers with a right to correct inaccurate information as well as opt out of targeted advertising and certain automated profiling.

Data Privacy Map

Two primary issues continue to drive whether national data privacy legislation will strike the right balance in protecting consumers and enabling entrepreneurship and innovation—preemption of state laws and enforcement. As incorporated into the Chamber’s Model Privacy Legislation and ITPDCA, successful national data protection legislation must have strong preemption of state laws related to data privacy and security to avoid a confusing and costly patchwork of future local and state regulations. A national privacy law should follow what all nineteen states enacting privacy laws have done by empowering expert agencies and State Attorneys General as enforcers and not establishing private rights of action which would be subject to abuse.

We applaud the Committee for addressing the impact of data protection on Artificial Intelligence (“AI”). America finds itself in a race against non-democratically aligned nations like China to lead in the development and deployment of AI. Public trust is crucial for the implementation of AI. This is why we have prioritized the need to build public trust in AI through our continued efforts. The Chamber established a bipartisan Commission on Artificial Intelligence Competitiveness, Inclusion, and Innovation led by former members of Congress John Delaney (D-MD) and Mike Ferguson (R-NJ) which released a report detailing how to regulate AI.[7] The Commission recommended that Congress should evaluate existing law and appropriately fill in gaps with a risk-based approach. We urge Congress to pass national privacy legislation before enacting AI-specific laws. Concurrently, Congress must conduct a legal gap analysis as proposed by Senators Schumer, Young, Rounds, and Heinrich.[8]

The Chamber provides the following recommendations on preemption, enforcement, data minimization, small business, and AI as Congress contemplates privacy protections.

I. The Need for a Single, National Privacy Standard

Congress should include in any federal privacy legislation full preemption of state standards. A national privacy law without strong preemption would enable a state patchwork of laws that would confuse consumers and potentially make it impossible for small businesses to comply. To ensure full preemption, national privacy legislation must preempt all state laws related to broad categories of data privacy and security practices and not preempt state rules and regulations merely covered by a law.

A recent report highlighted that a national patchwork of privacy laws would cost the United States economy $1 trillion and disproportionately impact small businesses with a $200 billion economic burden.[9] Many small businesses are worried that a patchwork of state laws will increase litigation and compliance costs.[10]

The recently introduced H.R. 8818, the “American Privacy Rights Act” (“APRA”), unfortunately follows the approach of only preempting what is in a national bill as opposed to strong preemption. Although APRA’s advocates express an intention to create a “uniform national data privacy and security standard,” the actual provisions of the draft provide only limited preemption and would allow states to pass more restrictive privacy laws. APRA only preempts “any law, regulation, rule, or requirement covered by the provisions of this Act or a rule, regulation, or requirement promulgated under this Act.”[11]

To ensure full preemption, a national privacy law must expressly preempt all law related to broad categories of activity. APRA’s preemption language fails to meet this standard. According to a Congressional Research Service report, to provide the strongest preemption, Congress should use clearer and more forceful terms than “covering” or “covered by.”[12] Congress should avoid merely preempting what a proposed bill is “covering” or “covered by,” because such clauses are considered by the Supreme Court “to have a narrower effect than ‘related to’ preemption clauses.”[13] The Supreme Court has stated that “covered by” language “indicates that pre-emption will lie only if the federal regulations substantially subsume the subject matter of the relevant state law.”[14]

A national privacy law that merely preempts what it “covers” and then provides for exceptions to that preemption would likely be viewed by courts as evidence that Congress has not intended to “substantially subsume” regulation. The APRA draft would also create exceptions to preemption in the areas of consumer protection, health data, and remedies based on California’s Consumer Privacy Act and highly abused lawsuits under the Illinois Biometric Privacy Law. These exceptions could easily be exploited by the trial bar in lawsuits and state legislatures to circumvent preemption in APRA.

There are better models. Congress, like it did when passing the Airline Deregulation Act, should craft preemption language that supersedes laws related to broad categories of potentially regulated activities. In recent years, legislation has been authored by both Republicans and Democrats that would provide strong preemption, including:

  • H.R. 3388, the “SELF DRIVE Act,” from the 115th Congress, which preempted broad categories of activities and passed the House by unanimous consent.
  • H.R. 1816, the Information Transparency and Personal Data Control Act, from the 117th Congress, that provided: “No State or political subdivision of a State may adopt, maintain, enforce, or continue in effect any law, regulation, rule, requirement, or standard related to the data privacy or associated activities of covered entities.”[15] Representatives Carter (R-GA) and Obernolte (R-CA) suggested similar language to amend APRA.[16]
  • Financial Services Committee Chairman Patrick McHenry’s “Data Privacy Act of 2023” draft from the current Congress, which provides that federal legislation “supersedes any statute or rule of a State.”[17]



[1] Chamber Model Privacy Legislation (2019) available at https://www.uschamber.com/assets/archived/images/uscc_data_privacy_model_legislation.pdf.

[2] H.R. 1816 (117th Congress) available at https://www.congress.gov/bill/117th-congress/house-bill/1816/text?s=4&r=1&q=%7B%22search%22%3A%22information+transparency+and+personal+data+control+act%22%7D.

[3] https://americaninnovators.com/wp-content/uploads/2021/03/210310_InfoTransparencyPersonalDataControlAct_Rep.DelBene.pdf

[4] Letter to Texas House available at https://americaninnovators.com/wp-content/uploads/2023/04/State_HB4_TexasDataPrivacyandSecurityAct_TXHouse.pdf

[5] Letter to Virginia Governor, available at https://americaninnovators.com/wp-content/uploads/2022/08/Virginia-Data-Privacy-Act-Letter.pdf

[6] Letter to Tennessee Legislature, available at https://americaninnovators.com/wp-content/uploads/2023/04/230417_State_BS73_TNPrivacy_TNSenate.pdf

[7] U.S. Chamber Commission on Artificial Intelligence Competitiveness, Inclusion, and Innovation Final Report (March 2023) available at https://www.uschamber.com/technology/artificial-intelligence-commission-report.

[8] Bipartisan Senate Working Group AI Roadmap (May 2024) available at https://www.schumer.senate.gov/imo/media/doc/Roadmap_Electronic1.32pm.pdf.

[9] ITIF, “The Looming Cost of a Patchwork of State Privacy Laws,” (January 2022) available at https://itif.org/publications/2022/01/24/50-state-patchwork-privacy-laws-could-cost-1-trillion-more-single-federal/.

[10] U.S. Chamber “Empowering Small Business: The Impact of Technology on U.S. Small Business,” (September 2023) available at https://americaninnovators.com/wp-content/uploads/2023/09/Empowering-Small-Business-The-Impact-of-Technology-on-U.S.-Small-Business.pdf.

[11] H.R. 8818 (118th Congress) § 118(a)(2) (emphasis added).

[12] Congressional Research Service “Federal Preemption: A Legal Primer,” (May 2023) available at https://crsreports.congress.gov/product/pdf/R/R45825.

[13] Id. at 10.

[14] See e.g., CSX Transportation, Inc. v. Easterwood, 507 U.S. 658, 664 (1993).

[15] Supra n. 2 (emphasis added).

[16] Amendment to APRA (June 2024) available at https://docs.house.gov/meetings/IF/IF00/20240627/117487/BILLS-118-HR8818-C001103-Amdt-15.pdf.

[17] H.R. 1165 at § 6 (118th Congress) available at https://www.congress.gov/bill/118th-congress/house-bill/1165/text?s=1&r=1&q=%7B%22search%22%3A%22mchenry+data+privacy+act%22%7D.
