Privacy

Our members provide services and enhanced experiences for their customers and fuel economic growth and opportunity across our nation. In doing so, our member companies consistently place a high priority on consumer privacy. When it comes to the future of the federal privacy landscape, we support the following:

• Reasonable frameworks that set out organizational accountability as well as clear privacy rights for consumers, including rights to access, correct, delete, and port their data with reasonable limitations that take into account technical and privacy limitations.
  • Policymakers should ensure any frameworks adopted do not: undermine privacy or data security interests; stymie the ability to prevent, detect, or defend against fraud or other unlawful activity, or protect the security and integrity of systems; interfere
  • with law enforcement or judicial proceedings; or impose unduly burdensome or excessive requirements (particularly for small and medium-sized businesses, non-profit organizations, and new market entrants), including requirements that would exceed a consumer’s reasonable expectation of privacy.

Congress Should Act

• Congress should enact comprehensive federal privacy legislation that protects all Americans regardless of where they live and preempts state laws related to the federal standard, thereby ending the growing state-by-state privacy patchwork and preventing another patchwork from developing in the future. Absent a uniform federal standard, companies will continue to face regulatory fragmentation that hinders innovation and competitiveness in a fast-moving digital marketplace.
• Federal privacy legislation should be tech- and sector-neutral and apply across sectors to both online and offline entities that collect and process personal information, and avoid imposing any outright bans, prohibitions, or moratoriums on specific technologies.

Uniform Laws and Regulations Will Enhance Compliance, Promote Even-Handed Enforcement, and Enable Innovation

• Federal policies should incentivize effective risk-based management.
• Any law should recognize the value of reasonable data collection, processing, use, and retention activities, including using data to provide customer service, authenticate a consumer’s identity, process or fulfill orders and transactions, improve services, and the ability to personalize to consumers and make them aware of offered products and services.
• Federal law should establish a flexible framework that provides consumers with appropriate disclosures and control mechanisms with respect to how their information will be processed.
• Collection, processing, and retention of personal and sensitive data should be adequate, relevant, and reasonably necessary in relation to the purposes requested by, or as disclosed to, the consumer.
• Consumer consent, where applicable, should generally be required only for processing sensitive personal information or when there are material adverse changes to the processing of personal information previously collected. Any consent regime should be designed with the limitations of software, hardware, and data management in mind and should not be overly burdensome to the consumer or technology provider. It should also be flexible and convenient for all users regardless of socioeconomic or disability status.
• New federal laws should mirror state approaches by acknowledging commonsense exceptions and exemptions in definitions of personal data, including exemptions for publicly available information and appropriate entities.
• Clear definitions in a federal law for “personal information,” “sensitive personal information,” and “de-identified information” are essential.
• Any law should avoid restricting consumer access to free, ad-supported services, harming small and medium-sized businesses and non-profit organizations, and undermining a healthy Internet ecosystem, such as unduly burdensome restrictions on first-party, contextual, and personalized advertising. Similarly, any law should not impede the ability to detect and stop sophisticated fraud schemes.
• Consumers, rather than regulators, should be the arbiters of beneficial and valuable private sector technological innovation. We oppose proposals that would unduly restrict consumers’ ability to access new, beneficial, and innovative technologies, products, and services.
• Because technology and security threats to consumer privacy evolve constantly, legislation should recognize that security requirements should be risk-based, technology-neutral, and flexible. In addition, federal privacy legislation should not force data controllers to share consumer data with third parties.
• Federal privacy legislation should not treat data transfers across commonly owned affiliates as third-party transfers.
• Private rights of action and other tools that encourage litigation have the potential to undermine innovation and must be avoided.
• A right to cure should be provided, and monetary judgments should be tied to actual harms caused by violations.
• In addition, consumers and businesses should be free to enter into pre-dispute arbitration agreements to resolve disputes.
• Stringent age verification to access online platforms requires the collection, processing, and storage of users’ sensitive personally identifiable information, like birth dates and government identification, and should be avoided. This conflicts with data privacy best practices like privacy by design and data minimization, creates new vectors for fraud, and eliminates anonymity online.
• Privacy laws should not broadly prohibit government use of third-party data, which is often an integral component of providing effective and efficient government services as well as protecting against fraud.
• Federal privacy legislation should incentivize private and public sectors to take protective privacy measures, such as de-identification and pseudonymization when implemented with appropriate administrative, physical, and technical controls.
• Privacy laws should include an affirmative defense for controllers or processors maintaining a written privacy policy that reasonably conforms to the National Institutes of Standards and Technology (NIST) Privacy Framework.

Companies Must Proactively Promote Transparency and Security

• We caution against state and local government mandating “real-time” and seamless data portability, or other data sharing requirements that are not clearly necessary and proportionate to a specific defined public purpose, or that do not take into account the privacy implications and technical challenges of adhering to such a mandate.
• We caution against overly restrictive regulations on the uses of biometric technology or automated decision-making systems.

Clarify the Role of the Federal Trade Commission and Preserve the Role of State Attorneys General in Enforcement

• In comprehensive federal privacy legislation, clear requirements should be set forth in the law, and guardrails should be in place to avoid issuance of regulations that would create uncertainty and undermine America’s leadership in innovation. The FTC should be the exclusive federal regulator enforcing the law.
• Congress should clarify the scope of the FTC’s authority to regulate privacy and data security matters that impact significant portions of the American economy. Until such time that Congress provides the agency with clear authorization, the FTC should refrain from expansive rulemaking.
• Congress should ensure the FTC has the resources it needs to effectively enforce privacy and data security requirements that protect consumers from tangible privacy harms, while also preserving the ability of state attorneys general to protect their constituents and enforce the law based on the federal standard.
• The FTC should maintain its existing efforts of case-by-case enforcement actions rather than pursuing expansive regulatory rulemaking.

Congress Should Pass a Strong Federal Data Breach Notification Law

• Congress should pass a strong federal data breach notification law, which preempts existing state-level notification laws and establishes one robust set of uniform protections for all Americans. More details about TechNet’s federal data security principles can be found here.

Ensure New Entrants, Small- and Medium-Sized Businesses, Non-Profits, and Underserved-, and Under-resourced Innovators Are Not Adversely Affected by Burdensome Regulations

• Small, medium-sized, minority-owned, rural, non-profit, and other under-resourced businesses face disproportionate burdens and unique challenges in complying with complex privacy laws and regulations at home and abroad that in some cases overlap or conflict. Policymakers should evaluate the global privacy landscape with the goal of promoting interoperability that allows American businesses to innovate and compete globally.
• For some innovative young companies that have limited personnel and resources to devote to overly stringent compliance efforts, regulations that are too prescriptive could stifle growth. Congress should set baseline requirements and provide flexibility in how to comply, avoiding prescriptive programmatic requirements and considering the unique needs and resource constraints of small and medium-sized businesses and new market entrants.
• Congress should consider regulatory relief for startups and small businesses if the information they process is limited in nature or does not include sensitive information.
• Congress should establish robust training resources within the Department of Commerce, Small Business Administration, Federal Trade Commission, and/or other appropriate agencies that can provide guidance to startups and small businesses, particularly minority-owned and rural businesses, to ensure compliance with basic privacy requirements.
• Furthermore, we must ensure the complexity of privacy requirements does not effectively become a barrier to entry for new potential innovators. Congress and the administration must therefore ensure that fundamental core privacy protections for consumers are in place without stifling free market forces.

The United States Must Lead Globally

• As the home of the world’s preeminent tech sector, the United States must proactively demonstrate global leadership by participating in multi-lateral, multi-stakeholder forums to promote interoperability among privacy frameworks within trade discussions.
• TechNet supports the 2022 European Union-U.S. Data Privacy Framework, and preserving Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities.
• TechNet believes efforts to promote digital trade and negotiate new trade agreements must promote predictable seamless data flows across international borders.
• TechNet supports the efforts of the United States and its partners to expand the Global Cross Border Privacy Rules system and talks in the Organization for Economic Co-operation and Development on Trusted Government Access. In addition, TechNet urges the United States to support the free flow of data. Specifically, the United States must reassert its leadership on digital trade, including formally reversing its October 2023 announcement that abandoned longstanding, bipartisan digital trade positions at the World Trade Organization. The United States must stand firm against forced data localization and support the cross-border flow of data. It must also continue to challenge mandatory tech transfers and source code disclosures, while ensuring non-discriminatory treatment of digital products.

Facial Recognition Technology

Facial recognition technology can be utilized in a variety of use cases, many of which can improve security and access for individuals using services online. Facial recognition technology can enable remote access to essential services, removing location- and mobility-based barriers to access. In addition, different types of facial recognition technology can be used to facilitate entry to locations and stop fraud and protect consumers.

TechNet believes the following:

• Legislation should not prohibit or effectively prohibit the use of facial recognition technology.
• Legislation should not reduce access to non-identifiable diverse datasets necessary to train models to reduce bias.
• Policymakers should recognize the wide variety of use cases for technologies that detect and/or recognize faces or other parts of the human form and avoid over-regulating visual technologies that do not affect individual privacy.

Protecting Children and Teens

Protecting children and teens is a top priority for the technology industry. When examining protections for children and teens, Congress should:

• Align any updates with the Children’s Online Privacy Protection Act (COPPA), including continued adherence to an actual knowledge standard and focus on services directed to minors.
• Avoid imposing vague standards and obligations on the design and presentation of content that would run afoul of the First Amendment and fail to provide clear notice to companies about their obligations.
• Avoid imposing overly broad age restrictions on platform access and consider the unintended consequences of such approaches.
• Ensure any proposals are technology and sector neutral.
• Provide as much flexibility as possible, particularly for small- and medium-sized enterprises (SMEs), on implementation, and protect the overall wellbeing of children and teens.
• Ensure that student data is protected, while also providing parents, teachers, and students the ability to access educational tools to promote innovation and technology in the classroom.
• Include clear language to expressly preempt state children’s privacy laws that relate to any federal law, to end the current patchwork and prevent another patchwork from developing in the future.
• Grant exclusive federal enforcement authority to the FTC, without expanding the scope of the types of organizations over which the FTC has authority, while preserving the ability of state attorneys general to protect their constituents and enforce the law based on the federal standard.
• Provide law enforcement agencies with the resources and tools to hold perpetrators of child sexual exploitation material accountable.