Consumers expect, and should expect, to trust the tech sector to protect their data. One of TechNet’s top priorities is ensuring that governments focus on policies that harness market incentives to drive effective risk management and do not exacerbate harms to victims of criminal hacks.
Priority Issues
Privacy
Many policymakers and interest groups introduce and sponsor legislation targeted at data privacy and an individual’s rights with respect to their personally identifiable information. Our member companies consistently place a high priority on consumer privacy, and the technology industry is committed to privacy and security. As part of that, transparency and the responsible use of data are pillars of the tech sector. TechNet will advocate for a federal privacy standard that expressly preempts state laws and brings uniformity to all Americans regardless of where they live, encourages innovation, and ensures that consumers’ privacy is protected consistent with reasonable expectations and industry standards.
In the absence of a federal standard, lawmakers should look to interoperable, comprehensive legislation already passed in other states to build on the unified standard that already provides strong privacy protections to more than 100 million Americans. The state program supports the following principles:
- Any consumer privacy bill should be designed to build consumers’ trust and foster innovation and competitiveness.
- Consumer consent, where applicable, should generally be required only for processing sensitive personal information and the data of known children or when there are material adverse changes to the processing of personal information previously collected. Consumers should have the right to opt out of the sale of their personal data and its use for targeted advertising. Any consent regime should be designed with the limitations of software, hardware, and data management in mind and should not be overly burdensome to the consumer or technology provider. It should also be flexible and convenient for all users regardless of socioeconomic or disability status.
- New privacy laws should provide strong safeguards to consumers while also allowing the industry to continue to innovate. New laws should be based upon an interoperable, uniform set of standards to avoid imposing a patchwork of policies across jurisdictions.
- Privacy laws should promote transparency about the use of consumer data and provide consumers with rights to protect personal data over which they reasonably seek to maintain privacy.
- Specific requirements related to data processing, including collection, use, disclosure, security, or retention, should be commensurate with the sensitivity of the data.
- Enforcement by a state’s attorney general is the appropriate mechanism, and private rights of action and other tools that encourage litigation and lead to inconsistent enforcement must be avoided. A right to cure should be provided, and monetary judgments should be tied to actual harms caused by violations.
- Outright bans, prohibitions, or moratoriums on specific technologies should be avoided. Privacy laws should be technology neutral.
- State privacy laws should not apply to information already regulated by existing federal privacy laws or restrict access to publicly available information.
- Privacy laws should not limit consumer access to free, ad-supported services.
- Legislation should not force data controllers to share consumer data with third parties.
- Privacy laws should not treat data transfers across commonly owned affiliates as third-party transfers.
- Protecting everyone’s privacy will protect children’s, biometric, and health privacy. Lawmakers should prioritize comprehensive data privacy solutions based on a uniform set of standards that include rights for consumers of all ages, including the rights to access, correct, and delete personal data. Any legislation regarding children’s, biometric, or health privacy should avoid conflicts with comprehensive data privacy laws.
- TechNet members routinely assess their online services and products for their compliance with existing privacy laws and their potential impacts on users, including child users. Legislation to account for the safety and privacy of child users should use a risk-based approach and provide clear, actionable guidelines to companies that develop online services and products for child users in order to ensure compliance.
- Lawmakers should align any state laws with the federal Children’s Online Privacy Protection Act (COPPA) by, for example, defining “child” as “individual under the age of 13,” including an actual knowledge standard, and focusing on online services “directed to children.”
- Stringent age verification to access online platforms requires the collection, processing, and storage of users’ sensitive personally identifiable information, like birth dates and government identification, and should be avoided. This conflicts with data privacy best practices like privacy by design and data minimization, creates new vectors for fraud, and eliminates anonymity online.
- Privacy laws should not broadly prohibit government use of third-party data, which is often an integral component of providing effective and efficient government services as well as protecting against fraud.
Cybersecurity
Cybersecurity continues to be one of the most significant challenges facing public and private entities in the modern digital economy. The technology industry invests significant resources to protect public safety, guard our operations from interruption and intrusion, and prevent the loss of capital and intellectual property. Due to the nature of state statutes and local ordinances, legislation and regulation addressing cybersecurity issues can lead to the misallocation of limited resources through mandates that are overly prescriptive or technology-specific. These actions can hamper innovation and make impacted information systems easier targets for cyber criminals. Instead, we must protect and promote the ability of the private sector to be fast and agile in detection, prevention, mitigation, and response to ever-changing threats.
The state program supports the following principles:
- The internet is global and requires laws, policies, and regulations to reflect the global nature of the market.
- State and local governments should set positive examples for private sector businesses by effectively managing the security of their own networks through application of risk-based frameworks, dedicating necessary resources to manage critical IT systems, and focusing investment on modern technologies capable of being effectively secured. Governments should prioritize identifying technology at the end of its lifecycle, ensuring a proactive approach to managing cybersecurity risks.
- Cohesive and adaptable national guidelines for security based on widely accepted industry best practices are preferable to varying state or local mandates to provide consistent, clear standards for companies to follow. State efforts to create cybersecurity regulations threaten federal harmonization efforts and force businesses to divert resources from security to compliance. Private and public sector organizations widely embrace NIST’s Cybersecurity Framework (CSF) as a risk-based tool for prioritizing cybersecurity investments. Policies aimed at establishing best practices should be grounded in the CSF.
- Policymakers should encourage good cyber hygiene, modern technology, leading industry practices, and high-skilled cyber workers. Specifically, market-based incentives or safe harbors should be used to encourage companies to actively manage risks in accordance with widely accepted industry standards and best practices.
- Encryption and tokenization are fundamental technologies necessary to protect the security of critical systems and sensitive information. Governments should not demand changes that require backdoors, weaken encryption, or erode other reasonable security measures.
- A comprehensive, risk-based cybersecurity strategy should increase the security and resilience of all networks and end-user devices and prepare for and mitigate cyberattacks through the coordination of industry and government.
- Cybersecurity policies should focus on enhancing the confidentiality, integrity, and availability of information networks and end-user devices, drawing on nationally and internationally recognized standards and data, and should provide legal safe harbors that incentivize governments and businesses to put policies and procedures in place to protect against network intrusions.
- Security is an ongoing process aimed at managing risks that requires sustained and ongoing investments in people, processes, and technology.
- Securing internet-connected devices requires flexible security features appropriate to the nature and function of the device to prevent unauthorized remote access.
- Governments should maintain industry-leading cybersecurity practices and should not require businesses to share data that the government cannot keep safe and secure from threats.
- Reporting cyberthreat intelligence information to the government should be voluntary and include protections that ensure reported information is exempt from Freedom of Information Act requests, cannot be used as the basis for regulatory or enforcement actions, retains all legal privileges, and may not be introduced as evidence in any court proceeding. In addition, governments should reciprocate by sharing relevant cyberthreat information with the private sector to enhance the collective capacity to prevent and mitigate cybersecurity risks.
- Cybersecurity incident reporting should be compatible with existing federal laws and only require reporting once a covered entity is reasonably certain that a covered incident has occurred. Requirements linked to suspected or threatened incidents will result in excessive costs for businesses and governments without yielding actionable information. Additionally, reporting requirements should not include requirements to share trade secrets or intellectual property, as that will increase risk for companies.
Data Breach
Data breach policy focuses on the responsibility and requirements following what is almost always a malicious attack on a public or private entity that has successfully accessed or otherwise compromised consumer and proprietary business data. Public policy in this area should be risk-based and focused on the likelihood of actual harm to consumers.
The state program supports the following principles:
- A single, national standard focused on protecting people from substantial harm is preferred because it would provide companies and customers with consistent, actionable notice of a data breach.
- Notice requirements that are not related to actual harm only burden companies and confuse customers with notifications that are not actionable. These requirements should be uniform across agencies and jurisdictions, maintain consistent thresholds for reporting, and provide a reasonable notice timeframe.
- The distinction between an account takeover and a data breach should be explicitly recognized in data breach statutes, with differentiated provisions and reporting methodologies.
- Data rendered unusable by encryption, redaction, or any other security method or technology should be considered out of the scope of data breach reporting requirements because the risks of harm are not cognizable.
- Data breach notification policy should only impact an entity if its network or system has been breached and acquisition of personally identifiable information has occurred. Reporting requirements that relate to unsuccessful attempts are not risk-based, will waste limited resources, and result in cumbersome contractual terms that create friction without providing any substantive benefits to data subjects. Entities should not be held responsible for, or be required to rectify, breaches outside of their control or responsibility.
- The statutory definition of personally identifiable information should be limited to only a subset of “personal information” covered by applicable data privacy laws. That subset should be personally identifiable information that, if compromised, could lead to identity theft or other substantial harm.
- Public safety entities should be provided the appropriate level of resources to help deter, identify, track, and punish this criminal behavior.
- Private rights of action, civil penalties, and other tools to encourage litigation will reduce the effectiveness of a data breach notification standard by discouraging reporting without providing substantive breach protections.
- Policymakers should encourage privacy by design, good cyber hygiene, modern technology, leading industry practices, and high-skilled cyber workers. Specifically, market-based incentives or safe harbors should be used to encourage companies to actively manage risks in accordance with widely accepted industry standards and best practices.
- Companies should have adequate time for internal or external investigations, including by law enforcement, to determine the nature of an incident and whether it constitutes a data breach.
- Any requirements that vendors notify state IT agencies should follow existing law regarding breach notifications or the time period specified in the applicable terms of the contract between the state agency contractor and the state agency.
- Obligations to report data breaches and security incidents to state authorities should be limited to one agency per state, ideally the state’s attorney general. Obligations to provide duplicative reporting to multiple state agencies create an undue burden on businesses as they are actively responding to an incident.
Secure and Safe Repair
Consumers, small and large businesses, public schools, hospitals, banks, and manufacturers all need reasonable assurance that those they trust to repair their connected products will do so safely, securely, and correctly. Proposals that require original equipment manufacturers (OEMs) to provide unaffiliated repair firms with access to proprietary schematics and repair, diagnostic, and security tools create major risks to consumer safety and privacy and the security of connected infrastructure.
The state program supports the following principles:
- OEMs and authorized repair firms are uniquely qualified to ensure the secure and safe repair of electronic products. These firms use OEM-trained technicians and original parts that are backed by the OEMs and their partners with warranties, legally enforceable contracts, quality assurance requirements, and other mechanisms that provide strong protections for consumers.
- Requiring manufacturers to disclose diagnostic tools, source code, and software developed by the manufacturer at significant cost and provide access to tightly controlled supply chains to unaffiliated, unvetted third parties would place proprietary corporate information and sensitive customer information in the hands of unknown actors, creating a new set of intellectual property rights concerns and cybersecurity vulnerabilities.
- Private rights of action and other tools to encourage litigation must be avoided.
- Legislation should avoid a patchwork of inconsistent policies that will stifle innovation and/or are technically or operationally infeasible.
Facial Recognition and Biometric Technology
Facial recognition technology and other forms of biometric identification can be utilized in a variety of use cases, many of which can improve security and access for individuals using services. Biometric technology can enable remote access to essential services, removing location- and mobility-based barriers to access. In addition, different types of biometric technology can be used to facilitate entry, stop fraud, and protect consumers.
The state program supports the following principles:
- TechNet will oppose any legislation that prohibits or effectively prohibits the use of facial recognition or biometric technology except where there is a specific, unacceptably high-risk case identified and the legislation is narrowly tailored to address that unacceptable risk.
- Legislation regulating the use of biometric technology should not provide for private rights of action, and any damage awards should be limited to instances where cognizable forms of actual economic harm have been demonstrated.
- Legislation should not reduce access to non-identifiable diverse datasets necessary to train models to reduce bias.
- Policies should recognize the wide variety of use cases for technologies that detect and/or recognize faces or other parts of the human form, and policies should avoid over-regulating visual technologies that do not affect individual privacy.
- Cohesive and adaptable national guidance is preferable to individual state mandates to provide consistent, clear standards for companies to follow.
Government Requests for Data
Governments occasionally request data regarding consumers from data controllers. Consumers’ privacy should not be restricted except in narrowly defined circumstances based on clearly defined laws and standards, and any restrictions should be necessary and proportionate for the relevant purpose.
The state program supports the following principles:
- Disclosure of data should require proper authority and a valid legal process to be served and be consistent with the federal Stored Communications Act and the Data Privacy Framework under Executive Order 14086.
- Unless infeasible, a government should seek information from the entity contracting for cloud-based technology services instead of from the third-party providers who are not party to or the subject of a governmental investigation.
- Where valid legal process is not required, government requirements for the disclosure of consumer data should be for deidentified and aggregated data.
- Companies have the right to push back on overly broad or vague requests and seek attestation about the cause for a request for disclosure.
- Disclosure requirements should not contain arbitrary or unreasonable timelines for disclosure.
- Requirements for company disclosure of data under a non-disclosure order should contain a reasonably and clearly defined expiration date for that order.
- In cases where state-level data privacy laws are already in place, local rulemaking must align with state standards on consumer data protection, restricting the extent to which local authorities can mandate data disclosures.
Content Moderation
Online services enable freedom of expression for consumers, and companies have a vested interest and a First Amendment right to moderate their platforms to create a safe, welcoming online community for users. To ensure that online services are inclusive, useful, and safe for consumers, online platforms often moderate the content posted by users. In order to ensure users understand the rules they are expected to follow, the industry has been at the leading edge of providing greater access and information regarding their moderation policies and practices.
The state program supports the following principles:
- Governments should not restrict or penalize online platforms’ efforts to exercise their First Amendment rights to moderate content on their private platforms.
- Governments must recognize companies’ rights to enforce their terms of service and respond to evolving threats.
- Governments should avoid mandates that require companies to affirmatively search for and report content on their platforms. Such mandates have the potential to transform private platforms into agents of government and thereby create complex constitutional challenges for both platforms and law enforcement.
- TechNet supports clear, constitutional definitions that are consistent across jurisdictions.
- TechNet supports industry efforts to provide transparency about platforms’ content moderation practices and their efforts to limit and remove harmful content. These policies should not mandate or prioritize the policing of certain categories of content and should not undermine platforms’ efforts to moderate harmful content, including by requiring disclosure of otherwise confidential information.
- TechNet supports industry efforts to provide users with greater control over their online experience, including tools that allow users to better curate the content they see and the features they use based on their preferences. States should avoid policies that mandate or prohibit certain features or tools and instead focus on incentivizing platforms to provide users an increased ability to manage their experience on the platform.
Children and Teens’ Digital Well-Being
TechNet’s member companies prioritize the safety and well-being of children who access their sites and platforms. Our members strongly believe children deserve a heightened level of protection, and TechNet members have been at the forefront of raising the standard for digital well-being across the industry by creating new features such as settings, parental tools, and protections that are age-appropriate, empower families to create the online experience that fits their needs, and are tailored to the differing developmental needs of young people.
The state program supports the following principles:
- State laws should respect and uphold the First Amendment and avoid burdening lawful speech. State laws should not conflict with any relevant federal law.
- States should not implement laws that broadly restrict access to online services for all users under the age of 18. Instead, any law seeking to restrict access to online services should consider the various nuanced ways in which older teens utilize the internet differently from children and the benefits or potential harms of those uses. It should be narrowly tailored to the appropriate age groups at issue and alleged specific harms. States should also take care not to restrict advertising too broadly, which can have the effect of restricting access to otherwise free services or relevant information for participation in civic life.
- States play the lead role in K-12 education policy, including what students should learn and when. State lawmakers should encourage the adoption of instructional standards regarding digital and media literacy, as well as internet safety for use at multiple grade levels.
- School districts, with the guidance of parents, are best positioned to establish standards for how school-issued devices can be used by students to ensure all students have access to the technological tools essential in today’s modern economy and schools.
- Online platforms have created numerous digital tools to help parents control their children’s digital experiences. Lawmakers should seek opportunities to amplify these resources and educate parents on how they can be utilized, as parents know what is in the best interests of their child.
- Lawmakers should focus on the harms they wish companies to mitigate, rather than trying to dictate specific features or design choices. Any prohibited activities or harms should be stated with specificity so the companies know precisely what to prevent, and any knowledge standards for liability should be set at “knowing” and “intentional” so that bad actors are the focus of the law, not bad definitions.
- Regulation should enable parents to protect their children online without overstepping the duties of a parent. It should acknowledge the primary role that parents have in ensuring their children’s safety online and focus on addressing the underlying challenges that parents face to ensure their safety.
- Enforcement by a state’s attorney general is the appropriate mechanism, and private rights of action and other tools to encourage litigation must be avoided. Litigation leads to uneven and inconsistent policy outcomes, with companies choosing to limit their legal exposure differently. A single regulator, the opportunity to seek and receive guidance, and the opportunity to correct good faith mistakes will ensure greater compliance with the law and more consistent protections for child users.
Learn what TechNet member companies are doing to keep kids safe on their platforms here.