The chief executive officers of some of the largest companies in the United States are pushing for Congress to pass a consumer privacy law, but their efforts aren’t winning praise from some privacy advocates.
In a Sept. 10 letter to Congress, CEOs of 51 companies that are part of the Business Roundtable trade group called on lawmakers to pass a new privacy law “as soon as possible.”
“There is now widespread agreement among companies across all sectors of the economy, policymakers and consumer groups about the need for a comprehensive federal consumer data privacy law that provides strong, consistent protections for American consumers,” says the letter, signed by chief executives at Amazon, AT&T, General Motors, IBM, Bank of America, and other companies.
“Our companies reach virtually every American consumer and rely on data and digital platforms every day to deliver and improve our products and services,” the letter adds. “Consumer trust and confidence are essential to our businesses.”
The letter points lawmakers to a Business Roundtable policy paper released last year that stakes out the trade group’s legislative position. Among other things, it calls for consumers to have “reasonable” access to company privacy policies and to have “reasonable” control over the collection and use of their personal data.
However, the framework, which focuses more on high-level concepts than details, also calls for a national privacy law that would preempt state efforts such as the stringent California Consumer Privacy Act, scheduled to go into effect in 2020.
“Consumers should not and cannot be expected to understand rules that may change depending upon the state in which they reside, the state in which they are accessing the internet, and the state in which the company’s operation is providing those resources or services,” the CEOs’ letter says.
The report also calls on Congress to pass legislation prohibiting consumer lawsuits against companies for privacy violations. Advocates objected to both the state preemption and lawsuit prohibition.
“The reason CEOs want to preempt state laws is because the state laws hold them accountable,” said Joe Hoelscher, managing attorney at Hoelscher Gebbia Cepeda, a San Antonio law firm that deals with consumer privacy issues in child welfare cases.
He added that state laws passed so far don’t create significant compliance problems for companies that use best practices. A uniform federal law would make “compliance somewhat easier, but it’s only a benefit if you create a good policy that is uniform,” he said. “This policy is terrible.” In particular, the prohibition on private lawsuits would “gut” consumer protection in the U.S., Hoelscher said.
The framework outlined by the Business Roundtable lacks specifics, added Paul Bischoff, a privacy advocate with Comparitech, a tech review website.
“I think this is more of an attempt to make doing business easier by creating a uniform set of regulations across all states and less of an attempt to protect consumers,” he said.
Other observers praised the CEOs’ proposal, saying a uniform national privacy law would reduce consumer confusion and compliance headaches.
Many companies would welcome a national law that preempts state efforts, said Tom Garrubba, vice president and chief information security officer at Shared Assessments, a risk assessment vendor. “Countless organizations possessing personal data continue to struggle in ensuring their compliance with numerous state, and even municipal, privacy laws,” he said.
Prohibiting private lawsuits is also a good idea, Garrubba added. “State privacy laws may be written with the noble intent to protect the privacy rights of their residents,” he said. “However, such laws may also be amended to protect certain industries that are important to their state and local economies.”
He added that prohibiting consumer lawsuits would eliminate the potential for people to file them frivolously.

