Privacy for America’s Letter to Congress

ANA-supported Privacy for America, which works with Congress to support the enactment of comprehensive federal consumer data privacy and security legislation, sent the following letter today to leaders of the House and Senate regarding the California Consumer Privacy Act (CCPA). The letter was signed by CEOs at the ANA, IAB, 4A’s, AAF, the Network Advertising Initiative, and the Insights Association.

We understand the relevant committees in both the Senate and House are continuing their important reviews of the nation’s consumer privacy laws and we are encouraged by reports of a possible legislative hearing in the Senate Commerce Committee next month. Given how tightly the internet is now woven into every aspect of our lives and the American economy, we applaud this crucial effort that you and your colleagues have undertaken.

At the state level, the sweeping California Consumer Privacy Act (CCPA) is slated to take effect in January, marking a significant development in the privacy debate. As our member companies work to comply with the CCPA, including efforts to clarify key elements of the bill, other states have enacted or proposed additional legislation, including Nevada that recently passed privacy legislation with provisions that are inconsistent with the CCPA. These efforts have already begun to create a patchwork of conflicting new restrictions on data collection and use along with other onerous obligations on businesses. Indeed, as businesses are awaiting final rules implementing the law, the CCPA’s chief proponent has proposed new rules as part of a planned ballot initiative to bypass the legislative process and create yet another new law in 2020. In addition, Europe’s General Data Protection Regulation (GDPR) has been adopted by some large multinational companies, while others have discontinued European operations as a result of the regulatory costs and uncertainty.

Data underlies the basic functions of virtually every component of the consumer economy, from new product development to supply chain management to billing and reconciliation; in the absence of Congressional action, policy affecting the entire consumer economy and consumers nationwide is being been shaped by Europe and a single state. This fragmented regulatory environment is untenable, creating a disparate set of privacy protections for American consumers depending on where they live, as well as significant disruption, costs and uncertainty for American businesses. The California Attorney General’s office has published a detailed economic analysis that estimates compliance costs for businesses in that state alone of more than $80 billion.

This environment underscores the need for a federal privacy law that applies equally to all Americans — and one that fundamentally rethinks how we provide consumers with real protections. Congress has the opportunity to adopt strong legislation that improves on the approaches being considered in the states and establishes consumer protections nationwide for the first time, backed by a strong federal regulator while preserving state enforcement authority. The time is right for Congress to step in to adopt a new comprehensive data privacy law that protects consumers and establishes clear, enforceable standards that apply to all consumers and businesses nationwide.

The internet of today needs a legislative framework that does not put the onus on consumers to sort through myriad onerous privacy notices in an effort to protect their privacy. Rather, consumers deserve a law that creates clear and enforceable requirements for businesses to collect and use data responsibly, to better inform consumers how their data is being used, and to outlaw harmful data practices. As founding members of the Privacy for America coalition, our organizations have joined with others to support such an approach.

This legislative approach should make plain what data uses are forbidden. For example, companies should not be allowed to use someone’s personal information, unless specifically permitted by federal or state law, to deny them a job, credit, insurance or health care. Similarly, the practice of digital redlining — using data about a person’s race, color or religion in setting prices for products or services — should be outlawed.

The law must also make clear that the most sensitive types of personal information — data like medical, financial or biometric information — must not be used or collected unless a company has a person’s explicit permission. And companies should be barred from sharing someone’s personal information with third parties, unless they have enforceable contracts ensuring that the other party will secure the data and use it lawfully.

This more comprehensive approach to protecting consumers privacy will only be effective, however, if regulators have the necessary resources and power to actually investigate and punish bad actors. For this reason, privacy reform legislation should enhance the Federal Trade Commission’s (FTC) longstanding expertise in overseeing privacy issues and strengthen privacy oversight and enforcement by creating a new Data Protection Bureau at the FTC. The FTC should also be provided with additional privacy staff and resources, as well as privacy jurisdiction over common carriers and nonprofits. Recognizing that new data practices will arise over time, a new law should set forth specific criteria for the FTC to identify and prohibit additional data practices through rulemaking.

We urge you to continue prioritizing this important issue and call on both chambers to consider and pass privacy legislation in this Congress. Thank you for your steadfast work toward creating a world in which Americans can feel safer and more comfortable online.