On September 10, 2019, 51 companies from the Business Roundtable joined together to send a letter to House and Senate leadership asking them to pass “a comprehensive data privacy law that strengthens protections for consumers and establishes a national privacy framework to enable continued innovation and growth in the digital economy.” The companies included, among others, Amazon, IBM, AT&T, Chubb, and Marriot International, Inc. Signatures from Facebook CEO Mark Zuckerberg and Apple CEO Tim Cook were notably absent, although both have, in the past, supported a comprehensive federal privacy law.
The letter, addressed to House and Senate leaders and the leaders of the House Energy and Commerce committees and the Senate Commerce, Science and Transport committees, states that a federal law is necessary to allow “American companies to continue to lead a globally competitive market.” The roundtable CEO’s argue that “consumers should not and cannot be expected to understand rules that may change depending upon the state in which they reside, the state in which they are accessing the internet, and the state in which the company’s operation is providing those resources or services.”
The roundtable CEO’s further presses that a national data privacy framework that will allow United States leadership in innovation to continue without companies having to comply with a patchwork of separate data privacy laws for each state, or for these state laws to be superseded by one constructed by the European Union or some other foreign entity. “We urgently need a comprehensive federal consumer data privacy law to strengthen consumer trust and establish a stable policy environment in which new services and technologies can flourish within a well-understood legal and regulatory framework,” the roundtable CEO’s said in the letter. “Innovation thrives under clearly defined and consistently applied rules.”
The push for a federal law comes on the heels of recent massive data breaches as well as the European Union’s expansive General Data Protection Regulation (GDPR), of which some parts may be a model or case study for a U.S. law. Currently, all 50 states have their own data breach laws with clashing compliance obligations, including the looming California Consumer Protection Act set to go into effect in 2020. In 2019, at least nine states passed new and expanded data breach notification laws, including Illinois, Maine, Maryland, Massachusetts, New Jersey, New York, Oregon, and Texas. Furthermore, since July 1, 2019, Delaware, New Hampshire and Connecticut have enacted laws imposing new cybersecurity requirements on insurers, joining similar statutes in six other states, but each statute differs. Privacy legislation has been met with bipartisan support on Capitol Hill, however, lawmakers and tech companies still battle over whether a federal law should go beyond state laws, or override or weaken state requirements. It remains to be seen whether 2020 will be the year a federal data privacy law could reach the president’s desk.