Business Roundtable Letter to the FTC on Consumer Privacy in the 21st Century

May 31, 2019

Mr. Donald S. Clark

Federal Trade Commission

Office of the Secretary

600 Pennsylvania Avenue, NW

Washington, DC 20580

Comments of Business Roundtable Via Regulations.gov

Re: Hearings on Competition and Consumer Privacy in the 21st Century: Consumer Privacy, Docket ID: FTC-2018-0098

Dear Mr. Clark:

On behalf of the members of the Business Roundtable, an association composed of chief executive officers of leading U.S. companies representing all sectors of the economy, I thank you for the opportunity to comment as the Federal Trade Commission (FTC) considers issues of consumer privacy.

Enhancing and sustaining consumer trust is vital for continued innovation and economic competitiveness. To achieve this, all companies that collect, use, share, or otherwise handle personal data must do so responsibly and with respect for individuals. As business leaders, we take this responsibility seriously and call for a national consumer privacy law that strengthens protections for consumers and achieves greater transparency without shortchanging innovation and growth. Business Roundtable has developed and released a legislative framework on privacy (attached) and continues to work across industries and sectors to build widespread support for a law based on the framework.

Why a National Consumer Privacy Law is so Urgently Needed

Companies rely on data to deliver products and services, conduct day-to-day operations, and deliver meaningful innovation that benefits consumers who have grown to expect increasingly data-driven and personalized products and services. Consumer trust forms the backbone of these efforts, and yet consumers have grown increasingly concerned over how some companies use and share data. Without consumer trust in how data is collected, used, stored, and shared, companies’ abilities to deliver valuable user experiences, prevent fraud and cyberattacks, and enable greater productivity inevitably weaken. As a direct result of these consumer concerns, we are now at a moment, perhaps for the first time in the United States, where there is widespread agreement among companies across all sectors of the economy on the need for a comprehensive federal consumer privacy law.

Across the world, the regulatory landscape around privacy is changing quickly. With the implementation of the European Union’s General Data Protection Regulation, the enactment of new data protection laws in California and Brazil, and the development of a myriad of regulations at the state and local level and around the globe, data privacy regulations have grown more complex and fragmented. A patchwork of confusing data privacy requirements hurts consumers who deserve meaningful, understandable and consistent data privacy rights regardless of where they live or where their data may be located. Fragmentation also threatens the global digital economy by restricting the flow of data across borders. As a first step, the United States should eliminate fragmentation within its borders by establishing a comprehensive and consistent national privacy law.

To advance national consumer privacy legislation, government and the private sector must work together. Business Roundtable continues to support policymakers’ efforts to advance consumer privacy, and we welcome future opportunities to work together to achieve our shared goals.

A National Consumer Privacy Law Must Champion Privacy While Facilitating Innovation

Business Roundtable believes a national consumer privacy law must advance four important objectives:

  • Championing Consumer Privacy and Promoting Accountability. It should include robust protections for personal data that enhance consumer trust and demonstrate U.S. leadership as a champion for privacy by including clear and comprehensive obligations regarding the collection, use, and sharing of personal data, and accountability measures to ensure that those obligations are met.
  • Facilitating Innovation. It should be neutral as to technology and take a principles-based approach in order for organizations to adopt privacy protections that are appropriate to specific risks as well as provide for continued innovation and economic competitiveness in a dynamic and constantly evolving technology landscape.
  • Harmonizing Regulations. It should eliminate fragmentation of regulation in the United States by harmonizing approaches to consumer privacy across federal and state jurisdictions through a comprehensive national standard that helps ensure consistent privacy protections and avoids a state-by-state approach to regulating consumer privacy.
  • Achieving Global Interoperability. It should facilitate international transfers of personal data and electronic commerce and promote consumer privacy regimes that are interoperable, meaning it should support consumer privacy while also respecting and bridging differences between U.S. and foreign privacy regimes.

Components of a National Consumer Privacy Law

Business Roundtable believes that these objectives can be achieved only through a national consumer privacy law that preempts state and local personal data privacy requirements. The result of increased certainty and predictability for both companies and consumers will make it easier for companies to protect consumers’ personal data and materially enhance the ability of consumers to manage their privacy preferences.

To that end, Business Roundtable supports a national consumer privacy law with the following components:

Comprehensiveness and Uniformity. A national consumer privacy law should apply a consistent, uniform framework to the collection, storage, use and sharing of personal data by companies. As a threshold issue, data should be considered personal and covered by the law only if it reasonably may be deemed to identify or be identifiable to a natural, individual person. However, it is appropriate to exclude from the definition of “personal data” certain categories of information that cannot reasonably be deemed to identify a specific individual, do not relate to information collected from consumers, or are already (with certain exceptions) within the public domain. In addition, to advance a comprehensive approach, it may be appropriate to harmonize certain sector-specific regulations in order to bring those standards in line with a national privacy law so consumers are not disserved by multiple and conflicting standards over personal data, which would undermine consumer expectations and trust.

Recognize Consumer Rights. A national consumer privacy law must be squarely focused on identifying and protecting consumer rights. A law should provide consumers with the following rights with regard to personal data, subject to legal obligations and limitations and informed by the legitimate interests of a business:

  • Consumers should have the right to transparency regarding a company’s data practices, including the types of personal data that a company collects, the purposes for which this data is used, whether personal data is disclosed to third parties and, if so, for what purposes, but companies should be allowed flexibility as to the form and manner in providing this information based on the context.
  • Consumers should have opportunities to exert reasonable control in regard to the collection, use and sharing of personal data. Consumers should also have the opportunity to make choices with respect to the sale of their personal data to non-affiliated third parties. No one specific mechanism for consumer control is suitable in all instances, and companies should be permitted flexibility in how these controls may reasonably be exercised, taking into account the sensitivity of the personal data and the risks associated with its collection, use and sharing.
  • Consumers should have a reasonable right to access and correct inaccuracies in personal data about themselves, taking into account both security and operational risks and other considerations.
  • Consumers should be able to require an organization to delete personal data about them when the personal data is no longer required for the organization’s legitimate business purposes or legal obligations.

Require Data Stewardship and Accountability. In addition to providing for consumer rights, a comprehensive national consumer privacy law should also include responsible data practices and accountability requirements to ensure that companies are responsible stewards of consumer data. These obligations should focus on areas that present potentially higher risks to the rights and interest of consumers and provide flexibility for companies to manage risk based on the nature of the data use and the sensitivity of the data involved as well as the benefits that may be achieved. Companies should leverage established risk-based privacy practices to prioritize and adjust their compliance measures and apply greater focus and protections to data practices in higher-risk areas.

Enable Effective, Consistent Enforcement. In order to provide accountability and protect consumer rights, a national consumer privacy law must be consistently enforced, with coordination between the federal government and states. Business Roundtable supports the role of the FTC as the primary consumer privacy enforcement agency, and any law should ensure that the FTC is adequately funded and has appropriate staffing for effective enforcement. In the limited instances where another regulator is the primary enforcer of the law, care should be taken to promote consistent obligations on companies regardless of industry sector and to avoid duplication of enforcement across federal agencies. In addition, state attorneys general should be permitted to enforce the law on behalf of their state’s residents while coordinating with the FTC in order to avoid duplicative or conflicting enforcement actions. A national privacy law should not provide for a private right of action.

The FTC should have the authority to impose fines taking into account a number of factors including the harm directly caused by, and the severity of, a company’s conduct, as well as any actions taken by a company to avoid and mitigate the harm, the degree of intentionality or negligence involved, self-reporting of the issue, the degree of a company’s cooperation, the types of data involved, and the company’s previous conduct with respect to personal data privacy and security.

Furthermore, the FTC should play a significant role in furthering industry adoption of a national privacy law by facilitating and approving industry codes of conduct. The FTC also should play an important role as an enforcement backstop for companies that fail to honor a commitment to follow such a code of conduct. These codes of conduct serve an important function by helping to clarify a law’s more general data privacy principles in response to specific consumer and industry considerations that may develop. Should Congress determine it necessary for the FTC to conduct notice and comment rulemaking pursuant to 5 U.S.C. § 553, that rulemaking should be clearly defined within the statutory framework to address the harms that Congress agrees warrant a remedy. In conducting such rulemaking, the FTC should adopt a regulation only upon a reasoned determination that its benefits justify its costs and seek input from its own economic and technical experts.

Business Roundtable appreciates the FTC’s consideration of these comments and looks forward to continued collaboration in this area.

Sincerely,

Denise E. Zheng

Vice President, Technology and Innovation Policy

Business Roundtable