U.S. Chamber of Commerce Releases Privacy Principles
The U.S. Chamber of Commerce released a set of 10 privacy principles today as part of their roadmap for federal policymakers. It followed the recent announcement by the National Institute of Standards and Technology at the U.S. Department of Commerce that it would be creating a privacy framework for companies similar to its voluntary cybersecurity framework.
The 10 privacy principles announced by the U.S. Chamber of Commerce were:
1. Nationwide
2. Risk-Focused and Contextual
3. Transparency
4. Industry Neutral
5. Flexible
6. Harm-Focused Enforcement
7. Efficient and Collaborative Compliance
8. International Leadership
9. Encourage Privacy Innovation
10. Data Security and Breach Notification
To examine each one in more depth:
1. Nationwide Privacy Framework
The Chamber is looking for Congress to create a federal privacy framework that preempts state law. The passage of the California Consumer Privacy Act has raised the possibility that each state will pass a different set of rules, so that compliance with each one will become difficult and costly for businesses and confusing for consumers. Congress has the power to eliminate some or all state privacy regulations through federal preemption.
2. Privacy Protections should be Risk-Focused and Contextual
The Chamber wants to avoid a one-size-fits-all approach to personal data that is not cognizant of the sensitivity of the data, the context, or the risk posed by the data and the business environment. It is looking to avoid regulations that have little practical benefit for consumers but come with a high compliance cost for businesses.
3. Transparency
Businesses should provide consumers with clear privacy disclosures that are transparent about the collection, use and sharing of consumer data. This is pretty well accepted as a standard across GDPR, the California Consumer Privacy Act and the Federal Trade Commission’s enforcement under Section 5 of the FTC Act.
4. Industry Neutral
The Chamber is recommending that the principles be applied consistently across all industries. Its concern is probably the adoption of special privacy regulations for social media companies after the Cambridge Analytica scandal at Facebook. However, there is some tension between the industry-neutral principle and the second principle, that protections should be risk-focused and contextual.
5. Flexibility
The Chamber wants to avoid requiring businesses to use specific technology solutions, given how rapidly technology evolves. It wants to use incentives to promote consumer-friendly privacy programs rather than rigid regulations.
6. Harm-Focused Enforcement
The Chamber wants enforcement to be focused on concrete harm to individuals rather than creating statutory damages similar to those in the California Consumer Privacy Act. The CCPA provides for consumers to get between $100 and $750 for a data breach that resulted from the company’s failure to maintain reasonable security practices. “Harm-focused” enforcement is probably a misnomer though, since what the Chamber really wants is for businesses to only have to pay the actual damages of consumers and not a fee for the more theoretical harm to a consumer from a privacy violation or data breach.
7. Enforcement Should Promote Efficient and Collaborative Compliance
The Chamber wants any federal privacy law to be enforced by the federal or state governments and not through a private cause of action. It also wants Congress to give businesses a reasonable opportunity to cure deficiencies before an enforcement action. This is likely a response to GDPR, which authorized fines of up to 4% of global annual revenue for violations of the EU data protection law. California included an opportunity to cure in its privacy law, although it remains to be seen how effective it will be at stopping enforcement actions and consumer lawsuits. The Chamber is hoping that businesses will spend their resources on improving privacy compliance and not defending themselves in litigation.
8. International Leadership
The Chamber wants the U.S. to promote the free flow of data across international borders and facilitate interoperable cross-border data transfer frameworks. U.S. leadership on privacy has been an important topic of discussion this summer as other countries look to copy GDPR in order to protect their citizens’ data privacy.
9. Encouraging Privacy Innovation
The Chamber provides this as a goal but really doesn’t set forth how it plans to have a framework that encourages “stakeholders to recognize the importance of consumer privacy at every stage of the development of goods and services.” GDPR accomplishes this through its privacy-by-design and privacy-by-default requirements in Article 25.
10. Data Security and Breach Notification
The Chamber is also looking for Congress to preempt the current framework of security and breach notification requirements in the 50 states. Alabama and South Dakota passed legislation in March to bring the total number of states with such laws to all 50, and now the Chamber is looking for Congress to set a federal standard to reduce compliance costs.
Summary
The U.S. Chamber of Commerce did not waste any time after Labor Day in trying to push the policy debate over privacy regulations in a business-friendly direction. With both the White House and several members of the Senate Commerce Committee looking to add proposals for a federal privacy law to the half dozen or so already in the Senate and House, achieving consensus may be difficult even on some of the less controversial aspects. It seems unlikely that the Chamber is going to get everything that it has asked for on this list based on the current sentiment in Congress.