Data privacy legislation fails to provide effective uniform national standard
The National Retail Federation called on the House to move cautiously on federal privacy legislation, saying a measure approved by the Energy and Commerce Committee fails to establish a single national standard for U.S. data privacy law.
“We appreciate that the committee has worked tirelessly to improve this bill during the subcommittee and full committee processes,” David French, senior vice president for Government Relations at NRF said. “The legislation adopted today appropriately revised a provision to safeguard customer loyalty programs that help make everyday necessities more affordable when Americans are struggling to cope with rising inflation. The committee also adopted an amendment that requires service providers and third parties to maintain consumer protections when handling retailers’ customer data. Those are important steps forward.”
“Unfortunately, this legislation fails to provide the strong and effective uniform national standard for data privacy law that is so badly needed,” French said. “Consumers need to know their privacy is protected no matter who is handling their personal information or where they are located. Failure to effectively preempt the growing number of inconsistent state laws will keep that critical goal from being achieved. In addition, the bill would let bounty-hunting trial lawyers file frivolous lawsuits over dubious claims rather than leaving enforcement to government officials like state attorneys general and the Federal Trade Commission. And refusal to give organizations sufficient time to correct violations once they’re put on notice puts the primary focus of enforcement on litigation and penalties rather than ensuring privacy protection and compliance, which is the foundation of consumer protection. Getting preemption and enforcement right is the touchstone of an effective federal privacy law. While this measure has robust provisions in both respects, it needs much more work, and the House needs to take a very close look at these provisions before moving toward a final vote.”
The Energy and Commerce Committee today approved H.R. 8152, the American Data Privacy and Protection Act, sending the measure to the House floor for consideration. Sponsored by Chairman Frank Pallone, D-N.J., and Ranking Member Cathy McMorris Rodgers, R-Wash., along with Consumer Protection and Commerce Subcommittee Chairwoman Jan Schakowsky, D-Ill., and Ranking Member Gus Bilirakis, R-Fla., the bill is intended to provide a national framework for privacy that would limit the collection, processing and transfer of consumer information.
NRF has worked closely with the committee in recent weeks, urging members and staff to avoid language that would block retailers from being able to offer loyalty programs and to ensure that service providers handling covered entities’ covered data have requirements to protect that data and help fulfill consumers’ requests when they exercise their privacy rights under the legislation. The committee has revised the bill substantially to address both concerns.
However, NRF told sponsors in a letter today that the bill needs to do more to ensure that it will truly preempt state privacy laws, which are currently on the books in five states with more expected regardless of congressional action. Without effective preemption, the nation could eventually see 50 state privacy laws. The bill also lacks an adequate “notice and cure” provision that would give organizations time to correct alleged violations before enforcement actions may be brought.
In addition, the “private right of action” provision in the bill would let trial lawyers across the country file lawsuits rather than leaving enforcement to state attorneys general or the FTC. Given the bill’s exclusion of other industries such as banking and health care that handle the most sensitive consumer information, retailers would be disproportionately impacted by private litigation. NRF believes private litigation is not an effective tool to drive compliance because of the technical complexity in achieving compliance. That’s why none of the states that have enacted general privacy laws – California, Virginia, Colorado, Connecticut and Utah – have a private right of action for enforcement of privacy provisions. Plaintiffs’ attorneys have greater incentives to sue when mistake-free compliance is not achievable, exponentially magnifying the bill’s complexity and costs. Current state laws have exclusive government enforcement of privacy provisions coupled with notice-and-cure periods of 30 or 60 days, permitting businesses to quickly correct non-compliance.