Comprehensive federal privacy legislation is foundational to establishing consumer trust and reasserting American leadership on data policy issues around the world. As the U.S. House Energy and Commerce Committee holds its first hearing on the American Privacy Rights Act (APRA), ITI applauds U.S. House Energy and Commerce Committee Chairwoman McMorris Rodgers and U.S. Senate Commerce Committee Chairwoman Cantwell for their leadership in rekindling this important conversation on Capitol Hill. We remain committed to working with the U.S. Congress to enact a federal privacy law that enables continued U.S. competitiveness.
Data privacy is a central issue not only for the technology industry—but for every sector of the American economy. Since the U.S. Congress last considered a comprehensive privacy bill in 2022, 10 more U.S. states have adopted their own standards, totaling 15 with more to come. The patchwork of state laws and significant attendant compliance costs is now a reality for U.S. businesses of all sizes – and perhaps more importantly, for consumers whose level of protections varies widely depending on their zip code. American leadership on privacy is also seriously compromised in international conversations about how to ensure global free flows of data with trust. A federal privacy law would have an enormous impact in changing this concerning trajectory and demonstrating the strength of pro-innovation and pro-consumer data policy.
Industry, policymakers, academics, and consumers all agree we need to get privacy legislation done. But we should also all agree on the need to get privacy legislation right.
Many in the business community have raised concerns about two central issues that have been a stumbling block for a federal bill for over a decade – the scope of preemption and the inclusion of a private right of action. We appreciate the message from the APRA authors that they intend the bill to provide a uniform national standard and believe the bill could be strengthened to achieve that goal. We also continue to believe that a private right of action is an unnecessary and ineffective means of enforcement, especially in light of the significant authorities granted to the Federal Trade Commission and states attorneys general in the bill. If that is how the U.S. Congress chooses to move forward, more must be done to disincentivize frivolous lawsuits, precisely define key terms, and appropriately scope responsibilities amongst the various different entities collecting and processing data.
More work is also needed to better harmonize key parts of APRA with other privacy laws. For example, “sensitive covered data” is more broadly defined than in other prominent privacy laws and subjects many data categories to express opt-in consent. We agree with the importance of “data minimization” as a foundational privacy principle – but APRA is significantly more restrictive than the European Union’s General Data Protection Regulation (GDPR) in this respect. The bill should be amended at least to provide consumers with the choice to opt-in to internet services they enjoy, and to enable U.S. companies to process data for legitimate business activity like their competitors in Europe and around the world.
APRA targets “algorithms” for additional regulatory scrutiny, an imprecise term that does not provide an accurate picture of potential harms or necessary mitigations in automated decision-making tools. Addressing concerns about bias and discrimination should be predicated upon a holistic approach to managing AI risk, which in many instances requires an understanding of the deployment context of the AI system, and the processing of sensitive information to appropriately mitigate bias. These goals are in tension with the bill’s provisions on data minimization – companies may be precluded from collecting the very data they need to respond to the bill’s algorithms provisions.
As with any far-reaching legislation, we are continuing to analyze the impacts on our industry and hope to offer additional constructive feedback as consideration of APRA moves forward. We share the goal of getting a comprehensive privacy bill to President Biden’s desk as soon as possible and stand ready to work with Congress and key stakeholders to get the details right.