May 22, 2020
Dear Chairman Wicker, Whip Thune and Senators Moran, Blackburn and Fischer:
On behalf of the members of Business Roundtable, an association of chief executive officers of leading U.S. companies representing all sectors of the economy, I want to thank you for your leadership on consumer data privacy issues. Last year, Business Roundtable welcomed the draft of the United States Consumer Data Privacy Act put forward by the Senate Commerce Committee majority and the draft’s comprehensive, national approach to consumer privacy. We also appreciate your efforts to address the unprecedented and unforeseen consequences of the coronavirus pandemic and commend you on the COVID-19 Consumer Data Protection Act of 2020 (the Act).
Business Roundtable believes that consumers should have meaningful rights related to their personal data and that companies that access this information should be held consistently accountable under a federal consumer data privacy law. We appreciate the Act’s national approach to consumer privacy, which would put in place meaningful, understandable and consistent privacy safeguards for Americans no matter where they live, where they work or where their personal information is located. During this time of crisis, a uniform, nationwide approach to the privacy of personal COVID-19 data will help enable public health efforts to monitor the virus, predict outbreaks, and deploy targeted interventions to contain further spread.
We also appreciate that the Act distinguishes between consumer data and data gathered in the workplace. This distinction will better enable employers to secure broad workforce participation in COVID-19 protective measures. We respectfully request that the relevant provisions be clarified to reflect the various types of workplaces and purposes for which a business may conduct testing. Business Roundtable has separately called for federal guidance to provide companies clarity and consistency around how to protect the privacy of employee data.[1] Companies that adhere to these guidelines or to legislatively adopted safeguards should be protected from liability.
We commend the Act’s recognition that the Federal Trade Commission should have primary responsibility for enforcing the requirements of a federal privacy bill, with additional enforcement by state attorneys general. Other bills that include a private right of action could significantly undermine the development and deployment of critical digital tools needed to mitigate the spread of the virus.
Business Roundtable agrees that precise geolocation, proximity and personal health data are the types of information that should be subject to heightened privacy protections and should be deemed covered data in the Act. We also agree that covered data should exclude aggregated data, business contact information, de-identified data, employee screening data and publicly available information. We appreciate that the Act defines personal health information as information that identifies, or is reasonably linkable to, the individual. However, we are concerned that categorically including any “persistent identifier” as covered information is overbroad and will have unintended consequences for consumers. At the very least, we believe that such an identifier should be deemed covered data only if it allows other forms of covered data to be linked or reasonably linkable to such an individual.
Business Roundtable appreciates that the Act includes transparency requirements for covered entities. We believe that consumers deserve the right to transparency regarding a company’s data practices, including the types of personal information that a company collects, the purposes for which this information is used, and whether and for what purposes personal information is disclosed or transferred to processors or nonaffiliated third parties. However, companies should have a reasonable amount of time (e.g., 14 days) after the Federal Trade Commission issues its guidance on data minimization to publish their privacy policies.
We also recognize that the Act would require privacy policies to include the categories of recipients to whom a company transfers data. We believe that any requirement to disclose to whom data are transferred should be limited to categories of recipients and ask that the reporting obligations included under Section 3(c)(2)(B) be amended to maintain consistency. Having to disclose the names of all third parties would be a unique requirement in the United States because no state privacy law requires it. It also would slow COVID-19 response activities and would in many cases require disclosing important trade secret information, providing hackers and fraudsters a dangerous roadmap showing which entities are using which security firms, IT firms, etc.
It is also important to ensure that the Act would not interfere with critical COVID-19 health and scientific research that is in the public interest. We recommend adding an exception to permit research and development activities related to COVID-19, including the development of diagnostics, treatments and vaccines.
Business Roundtable believes the Act would put in place a much-needed uniform set of safeguards to protect the privacy of consumers during the COVID-19 pandemic. As new tools are used to help contain the spread of the virus, this Act will harmonize inconsistent approaches to consumer privacy across federal and state jurisdictions while enhancing privacy protections for all U.S. citizens.
Thank you for your leadership on data privacy legislation. We look forward to working with you as the legislation is considered by the Senate.
Sincerely,
Joshua Bolten
President & CEO
Business Roundtable
[1] See Business Roundtable recommendations on protecting the privacy of personal COVID-19 data.