04/17/2024 | Press release | Distributed by Public on 04/17/2024 07:30
Dear Chairman Bilirakis and Ranking Member Schakowsky:
In advance of your Subcommittee's hearing, "Legislative Solutions to Protect Kids Online and Ensure American Data Privacy Rights," the U.S. Chamber of Commerce ("the Chamber") offers the following thoughts and concerns regarding draft legislation titled "American Privacy Rights Act" ("APRA").
The Chamber has supported efforts to pass data privacy legislation that includes strong preemption language. Such an approach is necessary to achieve the goal of a national set of privacy requirements that protects children and consumers, allows businesses, including small businesses and entrepreneurs, to use the latest technology, and continues American global leadership in technology and innovation. In the absence of a national approach, the Chamber supports the bi-partisan consensus privacy approach that has created effective privacy protections in Texas[1], Tennessee[2], Virginia[3] and eleven other states.[4]
Unfortunately, in its current form, the APRA would fail to create a national standard and imposes California-style privacy standards that undermine the consensus privacy approach that protects the privacy rights of almost 100 million Americans.
Our concerns are outlined in more detail below.
I. A Single National Privacy Standard
Congress must pass a fully preemptive privacy law that eliminates a state patchwork of privacy laws and prevents States from drafting laws that survive preemption in the future. A single preemptive national privacy standard would allow the United States to reap the benefits of the 21st century digital economy and enable a thriving ecosystem that facilitates small business growth. Simply adopting a national privacy law without strong preemption would enable a state patchwork of laws that will be confusing to consumers and potentially impossible for small businesses to comply with.
A recent report from ITI highlighted that a national patchwork of privacy laws would cost the United States economy $1 trillion and disproportionately impact small businesses with a $200 billion economic burden.[5] A majority of small businesses are worried a patchwork of state laws will increase litigation and compliance costs.[6]
The APRA draft does not address concerns previously raised with preemption language used in the 117th Congress's American Data Privacy and Protection Act ("ADPPA"). Although APRA states it seeks a "uniform national data privacy and security standard," the operative language APRA uses to preempt state laws is limited and could inadvertently lead to a federal floor and encourage states to pass more restrictive privacy laws. APRA only preempts "any law, regulation, rule, or requirement covered by the provisions of this Act or a rule, regulation, or requirement promulgated under this Act."
To provide the strongest preemption, according to a Congressional Research Service report, Congress should avoid merely preempting what a proposed bill is "covering" or "covered by," because such clauses are considered by the United States Supreme Court to be less restrictive on states than phrases like "related to."[7] According to the Supreme Court, "'Covering' is a more restrictive term [on what can be preempted] which indicates that preemption will lie only if the federal regulations substantially subsume the subject matter of the relevant state law."[8] A national privacy law that merely preempts what it "covers" and then provides for exceptions to that preemption would likely be taken by many as evidence that Congress has not intended to "substantially subsume" regulation.
The APRA draft also establishes exceptions to preemption in the areas of consumer protection, health data, and remedies established under California's Consumer Privacy Act and highly abused lawsuits under the Illinois Biometric Privacy Law. These exceptions could easily be exploited in lawsuits and by activist legislatures to get around desired preemption.
We, therefore, encourage the House Energy & Commerce Committee to adopt strong preemption language. In recent years, legislation has been authored by Republicans and Democrats that would provide strong preemption concerning broad issues as opposed to only preempting what a law covers:
II. Private Right of Action
Comprehensive privacy legislation should leave enforcement to agencies like the Federal Trade Commission and state attorneys general and not empower the private trial bar at the expense of business innovation and viability. Frivolous, non-harm-based litigation has been used in the past to extract costly settlements from companies, even small businesses, based on privacy law provisions granting a private right of action. Private rights of action are ill-suited in privacy laws because:[11]
Private rights of action would be particularly devastating for business under a privacy law that does not have a strong preemptive effect. Not only would states be able to continue passing their own laws, but individual judicial district precedent could also create further confusion and conflict.
III. Substantive Concerns
We also note the following substantive concerns with APRA as drafted:
The Chamber's goal is to have a national set of privacy requirements that protects children and consumers, allows businesses of all sizes to use the latest technology, and permits the United States to be the global leader in technology and innovation. We believe that in its current form the APRA fails to meet those goals. The APRA would degrade the privacy protections enjoyed by almost 100 million Americans, would harm small businesses, and would endanger American global innovation leadership.
While the Chamber opposes the APRA in its current form, we stand ready to work with you to address our concerns and provide strong privacy protections for all Americans.
Sincerely,
Jordan Crenshaw
Senior Vice President
Chamber Technology Engagement Center
U.S. Chamber of Commerce
cc: Members of the House Committee on Energy & Commerce
[1] Letter to Texas House, available at https://americaninnovators.com/wp-content/uploads/2023/04/State_HB4_TexasDataPrivacyandSecurityAct_TXHouse.pdf
[2] Letter to Tennessee Legislature, available at https://americaninnovators.com/wp-content/uploads/2023/04/230417_State_BS73_TNPrivacy_TNSenate.pdf
[3] Letter to Virginia Governor, available at https://americaninnovators.com/wp-content/uploads/2022/08/Virginia-Data-Privacy-Act-Letter.pdf
[4] Fourteen states have passed the Consensus Privacy Approach including New Hampshire, Virginia, Florida, Kentucky, Tennessee, Indiana, Iowa, Montana, Texas, Colorado, Utah, Delaware, Connecticut, and Oregon.
[7] Id. at 10.
[8] Congressional Research Service, "Federal Preemption: A Legal Primer" (May 18, 2023), available at https://crsreports.congress.gov/product/pdf/R/R45825 (citing CSX Transportation, Inc. v. Easterwood, 507 U.S. 663 (1993)).
[9] https://www.congress.gov/bill/117th-congress/house-bill/1816/text (emphasis added)
[10] https://financialservices.house.gov/uploadedfiles/glb_2023_xml_2.24_934.pdf
[11] U.S. Chamber Institute for Legal Reform, Ill-Suited: Private Rights of Action and Privacy Claims (July 2019) available at https://instituteforlegalreform.com/wp-content/uploads/2020/10/Ill-Suited_-_Private_RIghts_of_Action_and_Privacy_Claims_Report.pdf.