The Honorable Jan Schakowsky
Chairwoman
Subcomm. on Consumer Protection & Commerce
Committee on Energy & Commerce
The Honorable Gus Bilirakis
Ranking Member
Subcomm. on Consumer Protection & Commerce
Committee on Energy & Commerce
The Honorable Frank Pallone
Chairman
Committee on Energy & Commerce
The Honorable Cathy McMorris Rodgers
Ranking Member
Committee on Energy & Commerce
Dear Chairwoman Schakowsky, Ranking Member Bilirakis, Chairman Pallone, and Ranking Member McMorris Rodgers:
On behalf of Business Roundtable, thank you for the opportunity to submit feedback ahead of the subcommittee’s markup of the American Data Privacy and Protection Act (“ADPPA”). Since 2018, Business Roundtable has consistently called for a federal consumer data privacy law that will protect and empower consumers and provide clear obligations for how companies handle personal data, while fostering American innovation and global competitiveness.
Business Roundtable is an association of chief executive officers of America’s leading companies. Business Roundtable member companies operate across all sectors of the domestic and global economy, employ 20 million people, and reach virtually every American consumer. Our companies – from technology, communications, retail, financial services, health, public safety and security, manufacturing, hospitality, insurance, and others – rely on data and data-driven processes and solutions, such as digital platforms, every day to deliver and improve innovative products and services across the U.S. and around the world. Consumer trust and confidence are essential elements of our businesses and our relationship with our customers.
A national data privacy framework with clear, consistent requirements to strengthen consumer trust and enable new services and technologies to flourish within a well-understood legal and regulatory structure is critically needed. We appreciate your leadership and your focus on moving towards a bipartisan consensus on comprehensive privacy legislation to accomplish this shared goal. While our members support many aspects of the ADPPA, we have concerns with some of the provisions and look forward to engaging constructively around these issues as discussions progress.
To provide a detailed guide for addressing key issues integral to an effective federal data privacy law, Business Roundtable released in 2018 a Framework for Consumer Privacy Legislation which includes the creation of robust protections for consumers by requiring businesses to take responsibility for the collection, use and sharing of personal information, regardless of jurisdiction. Our privacy framework also includes sections on enforcement, data security and breach notification, governance, risk-based privacy practices and covered organizations, and the effect on other laws.
Business Roundtable also supports strong personal data rights for consumers, including transparency, control, access, correction, and deletion, with application and enforcement in a consistent manner across federal and state governments to provide accountability and protection. However, we have serious concerns about the inclusion of a private right of action. Federal privacy legislation should avoid putting into place an enforcement system that encourages excessive and frivolous litigation that diverts company resources away from actual security and privacy compliance while providing little relief to actual victims.
A national consumer privacy law should be strong and provide consistent protections to consumers across every state in the country. U.S. privacy laws are highly fragmented across industries and jurisdictions, creating a patchwork of regulations, which hurts both consumers and companies. Business Roundtable supports total preemption of state and local privacy laws, including those already enacted. State exceptions and carve outs to a federal privacy framework would lead to inconsistent protections for consumers, disjointed user experiences, and an unworkable compliance structure for companies of all sizes. Federal privacy legislation should preclude these challenges by standardizing protections nationwide while also promoting global interoperability to meet the adequacy standards of our major trading partners. As a result, we are concerned that the ADPPA draft includes too many exceptions to preemption, undermining the scope and effectiveness of a national framework. We will engage the Committee on recommended changes.
Business Roundtable is also troubled by provisions in the bill that include overly broad definitions, which could lead to interpretations that differ from legislative intent with unintended consequences for American consumers and businesses. For example, the term “algorithm” is defined so broadly that it would encompass virtually any decision that involves modern workplace technology. ADPPA’s language regarding the “algorithmic impact assessment” requirement is also broad and unspecific. The language as currently written could be understood to require assessments of an extraordinary range of data processing activities. Business Roundtable and its members support approaches to regulation and assessments that are contextual, proportional, risk-based and use-case specific, in line with global policy and standards taking shape, and consistent with the recommendations outlined in our Policy Recommendations for Responsible Artificial Intelligence. We welcome an opportunity to further refine these key terms.
While Business Roundtable believes the Federal Trade Commission (“FTC”) has an important role to play enforcing a national consumer data privacy framework, we urge the Committee to provide clear direction to the agency and a long-term foundation for its rulemaking and enforcement responsibilities. For example, the bill should not automatically require assessments to be provided to the FTC or to Congress. The bill should require assessments be only provided to the relevant authorities if there is cause to believe that a violation of the law has occurred, consistent with Business Roundtable’s recommendation to policymakers that enforcement standards should be adaptive, clear, targeted, and well-calibrated.
Finally, we are concerned that additional reporting requirements like executive officer certification would create burdensome obligations on companies while doing little to add to consumer protection or increase privacy security.
Given the importance of this issue and its potential impact on the innovation economy, Business Roundtable encourages a thorough legislative review and the incorporation of additional stakeholder engagement. We look forward to working with you and your staff to ensure that any final product enhances consumer data privacy protections and provides the certainty American businesses need to compete and remain at the forefront of global innovation.
Sincerely,
Kristen Silverberg
President & Chief Operating Officer
Business Roundtable