What Congress Can Learn From the States on Data Privacy

It’s been nearly 2,000 days since California passed the country’s first comprehensive privacy law and an agreement on national privacy legislation in the federal legislature has yet to materialize. Because data is inherently an interstate issue that knows no borders or boundaries, it is now at the whim of a patchwork of state regulations, which is unsettling for businesses and consumers alike. Consumers deserve to have their data protected against privacy harms the same way in every state, and businesses must have the regulatory certainty they need to use data to provide the goods and services Americans enjoy. For this to become a reality, Congress must pass a single privacy law to safeguard consumer trust and innovation.

Although Congress is at an impasse and debate continues over what should comprise a national privacy law, it does not have to reinvent the wheel. Rather, Congress has a viable model to draw upon: the Consensus Privacy Approach. The Consensus Privacy Approach, which has been enacted by states across the political spectrum—including Oregon, Colorado, Virginia, Texas, and Tennessee—diverges from California’s privacy model and provides uniformity and robust data protections to consumers. 95 million Americans now enjoy the right to know how companies are using data as well as the ability to correct, delete, and opt in to the use of sensitive personal information. Residents in these states also can now tell companies to stop selling their data for certain advertising.

Having good data is also essential to ensuring AI is developed ethically and provides maximum benefits. The Consensus Privacy Approach requires companies to limit their data use to what is reasonably necessary for disclosed purposes as opposed to strict minimization requirements that could hinder the ability of developers to lead in deploying responsible AI. The Consensus Privacy Approach also addresses the AI-privacy dynamic in that it allows people to decline certain automated processing—such as AI—for important decisions like lending, housing, and employment.

Perhaps an equally critical consideration in the development of national data privacy legislation is how it would impact state laws, enforcement mechanisms, and consumer protections. A common thread in the Consensus Privacy Approach is that State Attorneys General—the lead experts in consumer protection—are solely responsible for enforcing their state privacy laws. Unlike in California, Attorneys General would be the primary enforcer of their respective state’s laws—minimizing the potential for broad rulemaking authority that leads to business uncertainty. This is a sure-fire way to protect privacy, while preventing companies, particularly small businesses, from expending resources to defend against frivolous private lawsuits. A national privacy law should follow the Consensus Privacy Approach and empower an expert agency like the Federal Trade Commission as well as Attorneys General to be the cop on the beat for privacy violations.

Not only should a successful national data protection law have a central enforcer, but it should also have strong preemption language—such as what has been adopted in Colorado—that broadly preempts localities from issuing their own privacy regulations and thus prevents an unworkable patchwork of laws. This is especially important for small businesses. A small business that, for example, sells a product to someone shopping online in Michigan, while using technology developed in California and shipping it through a state like Tennessee, could be subjected to compliance with different privacy requirements in each state, making business operations incredibly difficult. Congress should follow the states’ lead here as well.

Worries about a state patchwork are not unfounded. A study by ITI found that a patchwork of 50 state laws could cost the economy $1 trillion over ten years, disproportionately impacting small businesses by $200 billion. Late last year, the Chamber released a report, Empowering Small Business, demonstrating that small businesses use technology to increase sales, profits, and hiring. 74 percent of small businesses stated that limited access to data would harm their operations, while 65 percent indicated that losing the ability to tailor ads would also negatively impact their business. A confusing patchwork of rules could very well make this a reality, which is why a majority of small businesses are worried that complying with out-of-state laws on privacy and AI will expose them to higher costs.

For the U.S. to continue its global technology leadership and economic competitiveness that enables businesses to provide consumers the goods and services they need, while protecting individual privacy, we need a national privacy law that ends a state patchwork. We should not have to wait another 2,000 days to see this goal achieved when a bipartisan state consensus model on data privacy has already been adopted for one third of Americans. Congress should learn a lesson from the success of this approach and use it as the basis for developing and passing a strong national privacy law.

Jordan Crenshaw, Senior Vice President, U.S. Chamber Technology Engagement Center
