A Blog by Jonathan Low


Dec 7, 2018

The Reason Over 200 US Companies Are Calling For National Privacy Law

Since all businesses now use customer data, this is an attempt to get out in front of legislative, legal and regulatory efforts to rein in the growing list of abuses.

And it is also tacitly aimed at some of the big tech companies like Amazon, Google and Facebook which don't want any regulation of any kind, but whose chokehold on such data is putting the rest of the business community at a strategic disadvantage they will now use the government to curtail. JL

Cat Zakrzewski reports in the Washington Post:

The Business Roundtable’s consumer privacy legislation framework calls on the United States to adopt a national privacy law that would apply the same data collection requirements to all companies regardless of sector while ramping up Federal Trade Commission staffing and funding to enforce the rule. It calls on companies to give consumers more control of their data and form a national standard for breach notification.
A broad coalition of more than 200 retailers, banks and technology companies is releasing new recommendations for national privacy legislation today in a clear push to get out in front of lawmakers promising to rein in their data collection practices in the next Congress.
The Business Roundtable’s consumer privacy legislation framework, provided exclusively to The Technology 202, calls on the United States to adopt a national privacy law that would apply the same data collection requirements to all companies regardless of sector -- while ramping up Federal Trade Commission staffing and funding to enforce the rule. It calls on companies to give consumers more control of their data and form a national standard for breach notification. 
“We see a real need to both protect consumers at a time when digital services and the digital economy is so important and expanding, and at the same time, making sure we’re advancing global competitiveness,” Julie Sweet, chief executive of Accenture North America, who chairs the Business Roundtable's technology committee, tells me. 
Members of the Business Roundtable include chief executives from companies such as Apple, Walmart and Wells Fargo. And some of its top executives such as J.P. Morgan chief executive Jamie Dimon and AT&T chief executive Randall L. Stephenson will meet with policymakers including Ivanka Trump and Sen. Mark Warner (D-Va.) at a CEO Innovation Summit in Washington later today. 
The fact that such a wide cross-section of companies -- far beyond the technology campuses of Silicon Valley -- are actively seeking ways to change the collection and storage of data online reflects a sea change for the privacy debate in the United States. Companies such as Salesforce or Verizon, for instance, may not be in the eye of the political storm in Washington recently in the way that, say, Facebook has -- but they also have skin in the privacy debate.
After all, every company is a technology company; it’s not just popular social networks or search engines that will be subject to national privacy legislation but any company that handles personal information online. As the Marriott data breach highlighted just last week, companies that are rarely associated with the technology industry hold tremendous amounts of data about individuals -- and they may not be doing enough to protect it. 
All this puts even more pressure on policymakers -- especially Democrats who have pledged to get tough on Big Tech as they take over the House. They will need to craft a bill that fulfills their promise to crack down on tech companies’ highly publicized misuse of their customers’ data but that also does not impede businesses big and small, in every sector from retail to media.
The Business Roundtable's framework is relatively broad -- and that reflects the challenge. Its recommendations to lawmakers include:
  • Streamlining existing federal data collection laws so there aren't conflicting regulations. Historically, federal law has been sector-specific, with different standards for businesses handling sensitive information such as financial services or healthcare.
  • Some self-regulation: Companies should adopt some widely considered best practices, such as considering privacy from the design phase of a product or conducting privacy assessments. But the law shouldn't mandate that.
  • Ensuring any law has flexibility to determine what kind of consent consumers need to have for their data. It does specify that companies should recognize consumers' right to transparency about how their data is being used and provide ways for them to access and change their data, and delete it under certain circumstances. 
  • Creating a national standard for breach notification laws that would take the place of state laws. But it does not get into specifics about when a company should notify consumers it was hacked. It just says within a "reasonable" time.
  • Putting the FTC as lead agency to enforce the law. It also calls on state attorneys general to coordinate with the federal government. Currently, state attorneys general have been some of the most powerful enforcers in data breach cases.
  • Considering how the law will impact small businesses that do not process much personal data. Lawmakers should be wary of the risks a privacy law poses to innovation, it says. 
What's more, Business Roundtable does not include some of the highest profile technology companies that have recently been under fire for their mishandling of user data. For instance, Google, Facebook and Amazon are not members. (Amazon founder and chief executive Jeffrey P. Bezos also owns The Washington Post.) 
It's a big tech day in Washington, and it remains to be seen whether privacy will be top of mind. Technology executives, including some who are also part of the Business Roundtable such as Oracle chief executive Safra Catz, are expected at a separate White House lunch on innovation with the Trump administration -- in what appears to be an easing of tensions after President Trump's clashes with Silicon Valley on issues ranging from anti-conservative bias to antitrust issues. (IBM, whose chief executive is also attending, tells me for instance its priorities for that meeting include artificial intelligence and quantum computing.)

Whether or not it comes up at the White House, the devil will be in the details as lawmakers try to craft a privacy bill before 2020, when a law in California is slated to go into effect.
Already, Democrats are saying they will not support a national bill that is weaker than protections consumers have in local jurisdictions. And as my colleague Aaron Gregg reported, some Democrats in the wake of the Marriott breach want the U.S. to adopt fines that are similar to the EU's General Data Protection Regulation, which contains fines up to 4 percent of a company's global revenue if it fails to comply with its requirements.
Jay Stanley, a senior policy analyst with the ACLU, said any company that handles personal information is going to have to tighten its ship if a national law passes. But some companies will feel the burden of a national privacy law more than others, whether or not they’re considered a technology company, given the way many operate in today’s digital economy.
“If you’re in the business of profiting off of shady intrusions on people’s privacy, then I think you need to worry,” Stanley said. “There is a reckoning that’s taking place right now.”

