For over one hundred years, the U.S. Chamber of Commerce has acted as the eyes and ears for businesses in Washington, D.C., taking action on legislative issues and representing the interests of their membership body. Today, the Chamber’s membership consists of more than three million organizations across all sectors and regions, ranging from large corporations to small businesses (in fact, more than 96% of Chamber member companies have fewer than 100 employees).
On July 11, 2019, the U.S. Chamber of Commerce hosted Data Done Right, a summit for “all things related to data privacy.” This event gave members an opportunity to hear from industry experts as well as voice their opinions. So, what’s the main takeaway from the day? That to effectively impact the data privacy debate, we all need to stand on common ground. To that end, here are four common views a majority of participants rallied behind:
1. Business supports the passing of a federal data privacy law.
No one thinks it makes sense that someone living in California should have more data rights than someone living in Kentucky. Getting a robust federal bill passed and avoiding a patchwork of state laws is a top priority for members of the Chamber. A lot of businesses just went through achieving compliance with GDPR and believe there is a strong need for harmonization across regions and countries, ensuring global interoperability. If laws in the U.S. are drastically different than GDPR, it will cause tremendous complications for businesses large and small.
2. Business understands that not all data is the same, and not all risks are the same.
Any balanced legislation should protect consumers while remembering that data itself is just data— it’s the use that matters. Not all technology uses data in an oppressive way, but that didn’t stop facial recognition technology for recently coming under fire, even though it has many valuable uses (e.g., stopping fraud at ATMs, uses in entertainment devices, etc.). Absolute restrictions not based on specific use will impact data-driven innovation. Lines will need to be drawn, but with the acknowledgment that regardless of where the line falls, some financial and economic impact will result. Coming up with standard measurements and a risk-based structure may offer the key to finding the right balance between protection and innovation.
3. Business need more time to prepare for CCPA.
While GDPR offered two years preparation time, CCPA has a January 1, 2020 compliance deadline, even though the California Legislature is currently making amendments to the law. This timing essentially forces businesses to build the plane while flying it.
A lot of the operational burdens, such as data organization and data hygiene, remain significant challenges. Without clarity on the rules required for businesses to operationalize CCPA requirements, California should wait to start the clock on enforcement. Instead, the AG’s office could pursue injunction-only cases that will build out the case law.
If CCPA is intended to be the trellis on which all privacy laws will grow on for the next 20 years, businesses need the time to get privacy by design right, doing what is needed to build trust with consumers and regulators alike.
4. Business prefers regulatory oversight to private right-of-action.
If the desired outcome of legislation is to improve people’s lives, private right-of-action contradicts this goal, driving investment in lawyers instead of products and services. Government should limit private right-of-action in state or federal laws, perhaps only allowing lawsuits that can demonstrate injury, such as that related to sensitive personal information (e.g. biometric), or limit it to data breach.
Additionally, businesses agree that the Federal Trade Commission (FTC) is the right authority in which to entrust the enforcement of data privacy laws, and business would rather see additional resources assigned to the FTC, potentially collaborating with state Attorneys General, rather than tripling or quadrupling legal and privacy teams to manage litigation.
To watch the highlights from Data Done Right, visit this webpage.
The information provided in this blog does not constitute legal advice. Please consult your legal counsel to obtain legal advice.