On September 10, 2019, 51 members of the Business Roundtable (“BRT”), representing the CEOs of many of America’s largest companies, sent a letter to Congress advocating for their Consumer Privacy Legislation Framework (“Framework”) that would govern the collection, use and sharing of personal data across industry sectors. Their Framework claims that consumers are “disserved by multiple and conflicting standards over personal data, which undermine consumer expectations and trust.”
There are some goals that the Framework shares with the California Consumer Privacy Act (“CCPA”), including the “right to access,” “right to opt-out,” and the “right to deletion.” Not surprisingly the BRT calls for the preemption of all state and local privacy rules and laws, including sections on breach notification.
The Framework defines personal information much like most states do in their data breach notification law. The BRT believes that personal information should mean:
“consumer data that is held by the organization and identifies or is identifiable to a natural, individual person. This information may include but is not limited to: name and other identifying information, such as government-issued identification numbers, and personal information derived from a specific device that reasonably could be used to identify a specific individual.”
For context, the CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Based on the Framework’s definition of personal information, one would assume that the BRT is concerned with preventing human resource data and business to business information from being subject to the provisions of a national privacy law, the way it may be in the CCPA. Yes, the California legislature recently passed amendments that exclude human resource data and exempts B2B information for a year. But businesses have no guaranty that these particular pieces of data won’t be subject to the CCPA after that year.
The CCPA imposes a duty on businesses to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. The Framework calls for ridding any particular standards as “prescribed by regulation,” though BRT also calls for businesses being required to have “reasonable administrative, technical and physical safeguards designed to reasonably protect against the unauthorized access to or disclosure of personal data, or other potentially harmful misuses.”
BRT also wants a national standard for breach notification that preempts state laws. Rather than prescribe specific timelines for businesses to follow for consumer and regulator notification, the Framework seeks to grant consumers the “right to be notified within a reasonable time-frame if there is a reasonable risk of significant harm as a result of a personal data breach.” The inclusion of the word “significant” limits the universe of notifications that businesses would be required to make.
The BRT believes the FTC would be best equipped to handle enforcement of the national law, and that state attorneys general should only be able to pursue litigation after cooperating with the FTC.
Nothing about the BRT Framework is surprising. Businesses want to preempt the CCPA and all state breach notification laws, but it remains significant because the business friendly Framework still nods at many privacy rights that have clearly become coveted in our social consciousness since the birth of the GDPR.