On September 10, 2019, 51 members of the Business Roundtable sent a letter to congressional leaders advocating principles for a national consumer data privacy law. The Business Roundtable’s Framework for Consumer Privacy Legislation offers a guide for potential federal legislation that would harmonize existing privacy regulations and preempt existing state and local data privacy laws. The Framework seeks to balance enhanced consumer protections with innovation and competition.

Business Roundtable’s Framework Proposal

Covered Organizations and Preemption of State Laws. The Framework endorses a national data privacy law that would apply consistently and uniformly across all industries, and that would preempt state and local laws regarding the collection, use, and sharing of personal data. The proposal acknowledges that such legislation may need to address existing sector-specific regulations. It also urges the careful consideration of small businesses that engage in limited and low-risk data processing activities.

Definition of Personal Data. The Framework defines personal data as “consumer data that is held by the organization and identifies or is identifiable to a natural, individual person.” Such information might include general identifying information, as well as information obtained from a specific device that could reasonably identify an individual. The definition would exempt de-identified data and data in the public domain.

Risk-Based Privacy Practices. The Framework encourages organizations to apply risk-based privacy practices and adopt greater protections for data processing activities with heightened risks.

Individual Rights. The Framework details four consumer rights—transparency, control, access and correction, and deletion—that organizations should recognize and facilitate. Facilitation of consumer rights should be informed by the organization’s legitimate interests but may be limited where required by law, such as legal obligations imposed on the organization by other statutes.

Governance. The Framework recommends that organizations adopt policies and procedures to comply with a national data privacy law, including appropriate mechanisms for monitoring their use of personal data and handling inquiries and complaints from consumers. Additionally, organizations that share personal data with service providers should bear the responsibility of contractually requiring the service providers to comply with specific protections for the data.

Data Security and Breach Notification. “Reasonable administrative, technical, and physical safeguards” should be implemented in order to reasonably protect against the unauthorized access or disclosure personal data. These safeguards should be “proportional to the likelihood and severity of the harm threatened and the sensitivity of the personal data,” but the Framework cautions that specific safeguards should not be required. Additionally, a national data privacy law should create a standard for breach notifications that inform consumers “within a reasonable timeframe if there is a reasonable risk of significant harm as a result of a personal data breach.” Such a standard should preempt the 54 state and territory breach notification laws currently in effect.

Enforcement. To ensure “consistent and coordinated enforcement across the federal government and states,” the Framework would establish the Federal Trade Commission (FTC) as the enforcement agency under the legislation. State attorneys general, after coordinating with the FTC if appropriate, may also bring actions in federal court. The Framework expressly states that there should be no private right of action. In addition, the Framework proposes a safe harbor program that would create a presumption of compliance when an organization adopts and complies with a code of conduct that has been approved by the appropriate agency.