TechNet's diverse membership includes dynamic American businesses ranging from startups to the most iconic companies on the planet and represents over three million employees and countless customers in the fields of information technology, e-commerce, the sharing and gig economies, advanced energy, cybersecurity, venture capital, and finance. All of them collect, secure, or analyze data to provide services and enhanced experiences for their customers and fuel economic growth and opportunity across our nation. When it comes to the future of the federal privacy landscape, we believe the following:
For the Data-Driven Economy to Continue Enhancing Our Lives, We Must Keep the Consumer First
· The growth of the data-driven economy continues to fuel economic and social opportunity not just in the technology industry, but throughout every sector of the global economy.
· To date, U.S. laws and regulatory frameworks have contributed to unprecedented innovation, economic growth, and technological advancement stemming from responsible data collection and processing. This has allowed companies to not only create new, innovative products but also to enhance products and services that have improved consumers’ lives. More could be done to further advance this pro-innovation environment, but at minimum, when updating existing laws or creating new regulatory frameworks, we must ensure that consumers’ privacy and security are protected while enabling businesses to continue innovating.
· All Americans deserve to have their privacy protected and to trust that the laws and business practices work to protect their privacy, which is why we need a robust set of uniform data protections in federal law. Once bipartisan consensus has been reached about a federal law’s guarantees, layering on additional state requirements will only serve to complicate doing business across state and national borders, undermining the global competitiveness of U.S.-based companies.
· The internet continues to be a means to connect people; offer consumers more choices and better prices; provide businesses of all sizes more opportunities to sell their products and services across state and national boundaries; and encourage entrepreneurs to create new products and platforms — all of which benefit consumers. The federal government should adopt privacy proposals and frameworks that protect consumers while promoting continued innovation, consistent enforcement, interoperability, and a predictable regulatory environment.
· For example, we must not shut the door on data-driven innovations that make it possible for airlines or travel websites to help their passengers secure better car rental and hotel deals — or for apps to help people navigate traffic and reach their destinations more efficiently.
· Innovations in consumer protection approaches are a key way companies obtain competitive advantages and must be encouraged.
· For example, one way companies protect consumers from fraud is through the responsible collection, storage, and analysis of data that enables them to detect unusual consumer use and purchasing patterns. Federal legislation should ensure that companies can continue to effectively combat fraud and other forms of suspicious activity and allow companies to continue to innovate on how to detect and prevent suspicious activity.
· We must recognize that just as technology evolves, consumers and their preferences also evolve. The digital economy has empowered businesses to not only respond to, but also anticipate, changing consumer tastes and needs, thereby enhancing user experiences. To remain competitive, businesses understand that they must continue to be responsive to these evolving consumer expectations. In a similar vein, federal policymakers must take great care to listen to these businesses and their customers and avoid rigid regulation that would inhibit the ability of companies working in good faith to respond to their customers, innovate, and adapt.
· Companies should proactively take steps to enhance portability of consumers’ personal data while enabling consumers to correct and delete their data, as appropriate.
· Policymakers should take great care to ensure any policies adopted do not undermine privacy or data security interests; undermine detection of fraud or other unlawful activity; interfere with law enforcement or judicial proceedings; impose unduly burdensome or excessive requirements (particularly for small businesses and new market entrants); or inadvertently require greater collection or processing of personal information about the consumer than required or necessary.
· We should also help ensure companies can proactively educate consumers about the full range of services companies can offer and the privacy protections they have in place to protect consumer data.
Companies Must Proactively Promote Transparency and Security
· Keeping individuals’ data safe and secure — and being transparent with consumers about its use — must be a top priority of any organization.
· Protecting consumers’ privacy, being transparent about how companies collect and use their data, and earning and maintaining the public’s trust must remain overriding priorities for our industry. Our companies should lead by example when it comes to setting U.S. and global data and privacy standards that protect data and allow innovation to flourish.
Congress Should Act
· Congress should lead the way by enacting federal privacy legislation that brings uniformity to all Americans regardless of where they live.
· Federal legislation is needed to provide uniformity and standards throughout the U.S. when it comes to protecting consumer privacy and providing regulatory certainty for businesses. Federal legislation should be tech- and sector-neutral and apply to online and offline entities alike that collect and process personal data.
· Congress and other federal and state government entities must be collaborative partners in advancing the protection of consumers and the furtherance of innovation in the 21st-century data-driven economy.
· Congress and the administration should consider and incorporate certain national and international frameworks, with particular focus on interoperability and secure data flows, as they develop a framework for baseline legislation.
Empower the Federal Trade Commission and Preserve the Role of State Attorneys General in Enforcement
· The FTC should be the primary authority to enforce privacy laws given its proven expertise and track record of enforcement of consumer privacy protections.
· Congress should ensure that the FTC has the resources it needs to effectively enforce privacy laws and data security rules that protect consumers from tangible privacy harms, while also preserving the ability of state attorneys general to protect their constituents and enforce the law based on the same unified national standard.
Uniform Laws and Regulations Will Enhance Compliance, Promote Even-Handed Enforcement, and Promote Innovation
· Federal policies should harness market incentives to drive effective risk-based management.
· Any law should recognize the value of certain permissible and narrowly construed forms of reasonable data collection, processing, use, and retention activities, including using data to provide customer service, authenticate a consumer’s identity, and process or fulfill orders and transactions.
· Because technology and security threats to consumer privacy evolve constantly, legislation should recognize that security requirements should be risk-based, technology-neutral, and flexible.
· Private rights of action should be avoided.
Congress Should Pass a Strong Federal Data Breach Notification Law
· Congress should pass a strong federal data breach notification law establishing a robust set of uniform protections for all Americans. For more detail about TechNet’s federal data breach principles and priorities, visit here.
Ensure New Entrants, Small Businesses, Underserved, and Under-Resourced Innovators Are Not Crushed by Burdensome Regulations
· While regulations affect all businesses, small, minority-owned, rural, and other under-resourced businesses in particular face disproportionate burdens and unique challenges in complying with complex privacy laws and regulations. This problem is exacerbated when having to deal with multiple sets of conflicting regulatory frameworks at home and abroad, making it important for policymakers to evaluate the global privacy landscape with the goal of promoting interoperability that allows American businesses to be innovative and competitive globally.
· To some innovative young companies that have limited personnel and resources to devote to overly stringent compliance efforts, regulations that are too prescriptive could effectively stifle their growth. Congress should endeavor to set baseline requirements but provide flexibility in how to meet those requirements, taking care to avoid prescriptive programmatic requirements and consider the unique needs and resource constraints of small and medium-sized enterprises and new market entrants.
· For example, Congress could provide regulatory relief for startups and small businesses if their activities are limited in nature in the amount of personal information they process, in particular if it does not include sensitive information.
· Congress should establish robust training resources within the Department of Commerce, Small Business Administration, Federal Trade Commission, and/or other appropriate agencies that can provide guidance to startups and small businesses, particularly minority-owned and rural businesses, to ensure they are abiding by the most basic privacy rules they may be subject to as a result of legislation or rulemaking.
· Furthermore, we must ensure that the complexity of privacy requirements does not effectively become a barrier to entry for new potential innovators. Congress and the administration must ensure that fundamental core privacy protections for consumers are in place without stifling free market forces that could enable new entrants and new data-based business models to flourish.
The U.S. Must Lead Globally
· As the home of the world’s preeminent tech sector, the U.S. must proactively demonstrate global leadership by leading multi-stakeholder discussions and trade negotiations with the goal of setting global standards, rules, frameworks, and norms that adequately promote data-driven innovation and safeguard consumers’ privacy.
· Federal agencies, including the Department of Commerce and Federal Trade Commission, should engage with counterparts in the European Union with the aim of developing a new, more robust Privacy Shield Agreement in light of the 2020 “Schrems II” decision.
· Congress should take up and pass a baseline data protection bill that would enable a finding of adequacy under the General Data Protection Regulation or GDPR.
· Congress should consider whether it is possible to develop additional redress mechanisms that do not undermine the effectiveness of foreign intelligence surveillance laws.
· Efforts to promote digital trade and negotiate new trade agreements must promote seamless data flows across international borders.