Recently, Business Roundtable, an association for over 200 CEOs of America’s largest companies, released a detailed framework for a national consumer data privacy law that would provide uniformity in an area currently governed by an amalgam of state statutes and regulations. Business Roundtable is hopeful that it has the ear of the Administration and the Legislature to see progress on this effort in the 2019 Session.
The CEOs leading this effort come from a wide variety of industries, including: technology, communications, retail, financial services, health, manufacturing, hospitality, insurance and others. “There is an unprecedented opportunity to establish an innovative privacy landscape and underscore the need for a national privacy law,” said Julie Sweet, Chief Executive Officer – North America of Accenture and Chair of the Business Roundtable Technology Committee. “Consumers do not feel in control of their personal data and how it is collected, used and shared. U.S. laws to protect consumer privacy are highly fragmented, inconsistent and are nonexistent for much of the U.S. economy. A comprehensive national standard that details individual data privacy rights and provides clear obligations for how companies handle personal data is crucial for consumers, business and the U.S. economy.”
The Business Roundtable legislative framework outlines four fundamental privacy rights for consumers:
- The right to transparency regarding a company’s data practices, including the types of personal data that a company collects, the purposes for which this data is used and whether and for what purposes personal data is shared.
- The right to exert control over their data, including the ability to control whether companies sell their personal data.
- The right to access and correct inaccuracies in their personal data
- The right to delete their personal data.
The proposal invokes federal preemption of state and local regulations and also addresses uniformity for data breach notifications. Currently all 50 states, Puerto Rico, the Virgin Islands, and Guam have a variety of requirements related to notification after data breaches or potential breaches. Despite having common threads, businesses operating in several states currently have to be wary of variance in notification requirements dependent on the number of affected residents, what constitutes “unreasonably delay,” and whether breaches may be pursued by private individuals or only the state’s attorney general. The proposal encompasses regulation by the FTC to ensure uniformity across industries and does not provide for a private right of action.
We will continue to track this issue, which addresses the balance that must be struck between the need for protection of the privacy of consumers and employees with the business community’s need for consistency and predictability in data privacy protection.