TechNet’s diverse membership includes dynamic American businesses ranging from startups to the most iconic companies on the planet and represents over four million employees and countless customers in the fields of information technology, e-commerce, the sharing and gig economies, advanced energy, cybersecurity, venture capital, and finance. Our members collect, secure, or analyze data to provide services and enhanced experiences for their customers and fuel economic growth and opportunity across our nation.
When it comes to the future of the federal privacy landscape, we believe the following:
For the Data-Driven Economy to Continue Enhancing Our Lives, We Must Keep the Consumer First
- The growth of the data-driven economy continues to fuel economic and social opportunity not just in the technology industry, but throughout every sector of the global economy.
- To date, U.S. laws and regulations have enabled unprecedented innovation, economic growth, and technological advancement stemming from responsible data collection and processing. This has allowed companies to create new, innovative products and enhance products and services that have improved consumers’ lives. More could be done to further advance this pro-innovation environment, but at minimum, when updating existing laws or creating new regulatory frameworks, federal authorities must prioritize the protection of consumers’ privacy and security while ensuring businesses are able to continue innovating.
- All Americans deserve to have their privacy protected and to trust that the laws and business practices work to protect their privacy, which is why TechNet supports a robust set of uniform data protections in federal law that preempts disparate state data protection laws. Once bipartisan consensus has been reached about a federal law, layering on additional state requirements, which are rapidly being developed in many states, will only serve to complicate doing business across state and national borders, undermining the global competitiveness of U.S.-based companies.
- The internet continues to be a means to: connect people; offer consumers more choices and better prices; provide businesses of all sizes more opportunities to sell their products and services across state and national boundaries; and encourage entrepreneurs to create new products and platforms — all of which benefits consumers. TechNet supports federal privacy proposals and frameworks that protect consumers while promoting continued innovation, consistent enforcement, interoperability, and a predictable regulatory environment for businesses.
- Innovations in methods to protect consumers are a key way companies strive to differentiate themselves from competitors and must be encouraged.
- For example, one way companies protect consumers from fraud is through the responsible collection, storage, and analysis of data that enables them to detect unusual consumer use and purchasing patterns. Federal legislation should ensure that companies can continue to effectively combat fraud and other forms of suspicious activity and allow companies to continue to innovate on how to detect and prevent suspicious activity.
- Another way is through the development of privacy-enhancing technologies that protect consumers.
- TechNet believes that just as technology evolves, consumers and their preferences also evolve. The digital economy has empowered businesses to not only respond to, but also anticipate, changing consumer tastes and needs, thereby enhancing user experiences. To remain competitive, businesses understand that they must continue to be responsive to these evolving consumer expectations. Similarly, federal policymakers must work with these businesses and their customers and avoid rigid regulation that would inhibit the ability of companies working in good faith to respond to their customers, innovate, and adapt.
- Companies support consumers’ rights to access, correct, and delete their data, as appropriate, and, when feasible, companies should support data portability.
- Policymakers should ensure any policies adopted do not undermine privacy or data security interests; undermine detection of fraud or other unlawful activity; interfere with law enforcement or judicial proceedings; impose unduly burdensome or excessive requirements (particularly for small businesses and new market entrants); or inadvertently require greater collection or processing of personal information about the consumer than required or necessary.
- We should also help ensure companies can proactively educate consumers about the full range of services companies can offer and the privacy protections they have in place to protect consumer data.
Companies Must Proactively Promote Transparency and Security
- Keeping personal information safe and secure — and being transparent with consumers about its use — must be a top priority of any organization.
- Protecting consumers’ privacy, being transparent about how companies collect and use their data, and earning and maintaining the public’s trust must remain overriding priorities for our industry. Our companies should lead by example when setting U.S. and global data and privacy standards that protect data and allow innovation to flourish.
- We encourage voluntary business-to-business and business-to-government data-sharing framework models in full compliance with existing laws and regulations. We caution against state and local government mandating “real-time” and seamless data portability without taking into account considering the privacy implications and technical challenges of adhering to such a mandate.
- We caution against a blanket prohibition or moratorium on all uses of biometric technology. Biometric technology has an innovative and diverse range of use cases. Policymakers should avoid one-size-fits-all frameworks for any regulation of biometric technology.
Congress Should Act
- Congress should lead the way by enacting federal privacy legislation that brings uniformity to all Americans regardless of where they live.
- Federal legislation is needed to provide harmonized and consistent standards throughout the U.S. to protect consumer privacy and provide regulatory certainty for businesses. Federal legislation should be tech- and sector-neutral and apply to online and offline entities alike that collect and process personal information.
- Congress and other federal and state government entities must be collaborative partners in advancing the protection of consumers and the furtherance of innovation in the 21st-century data-driven economy.
- Congress and the Administration should prioritize the need for interoperability with other legal frameworks and should take into account the need for data flows across borders, as they develop a framework for baseline legislation.
- Congress should continue its work to improve upon and advance the American Data Privacy and Protection Act (ADPPA). The ADPPA represents significant progress toward passing much-needed federal privacy legislation that protects consumers and provides businesses with certainty about their responsibilities.
Clarify the Role of the Federal Trade Commission and Preserve the Role of State Attorneys General in Enforcement
- In comprehensive federal privacy legislation, Congress should designate the FTC as the exclusive federal authority to enforce the law given the lack of express statutory delegation of this authority under existing law.
- Congress should clarify the scope of the FTC’s authority to regulate data security and privacy matters that impact significant portions of the American economy. Until then, the FTC should refrain from expansive rulemaking, particularly in light of the Supreme Court’s recent ruling in West Virginia v. EPA (2022).
- Congress should ensure that the FTC has the resources it needs to effectively enforce privacy and data security requirements that protect consumers from tangible privacy harms, while also preserving the ability of state attorneys general to protect their constituents and enforce the law based on the federal standard.
- In operating with sufficient resources, the FTC should maintain its existing efforts of case-by-case enforcement actions rather than pursuing expansive regulatory rulemaking and should avoid implementing a first-offense standard of compliance.
Uniform Laws and Regulations Will Enhance Compliance, Promote Even-Handed Enforcement, and Promote Innovation
- Federal policies should harness market incentives to drive effective risk-based management.
- Any law should recognize the value of reasonable data collection, processing, use, and retention activities, including using data to provide customer service, authenticate a consumer’s identity, process or fulfill orders and transactions, improve services, and the ability to personalize to consumers and make them aware of offered products and services.
- Because technology and security threats to consumer privacy evolve constantly, legislation should recognize that security requirements should be risk-based, technology-neutral, and flexible.
- Private rights of action that have the potential to undermine innovation must be avoided. In addition, consumers and businesses should be free to enter into mutually-agreeable pre-dispute arbitration agreements to resolve consumer privacy disputes.
Congress Should Pass a Strong Federal Data Breach Notification Law
- Congress should pass a strong federal data breach notification law, which preempts to the greatest extent possible, existing state-level notification laws and establish one robust set of uniform protections for all Americans. More detail about TechNet’s federal data security principles can be found here.
Ensure New Entrants, Small Businesses, Underserved, and Under-resourced Innovators Are Not Adversely Affected by Burdensome Regulations
- While regulations affect all businesses, small, minority-owned, rural, and other under-resourced businesses in particular face disproportionate burdens and unique challenges in complying with complex privacy laws and regulations. This problem is exacerbated when having to deal with multiple sets of inconsistent or conflicting regulatory frameworks at home and abroad, making it important for policymakers to evaluate the global privacy landscape with the goal of promoting interoperability that allows American businesses to innovate and compete globally.
- To some innovative young companies that have limited personnel and resources to devote to overly stringent compliance efforts, regulations that are too prescriptive could effectively stifle their growth. Congress should endeavor to set baseline requirements but provide flexibility in how to meet those requirements, taking care to avoid prescriptive programmatic requirements and consider the unique needs and resource constraints of small and medium-sized enterprises and new market entrants.
- For example, Congress could provide regulatory relief for startups and small businesses if their activities are limited in nature in the amount of personal information they process, in particular, if it does not include sensitive information.
- Congress should establish robust training resources within the Department of Commerce, Small Business Administration, Federal Trade Commission, and/or other appropriate agencies that can provide guidance to startups and small businesses, particularly minority-owned and rural businesses, to ensure they are abiding by the most basic privacy requirements they may be subject to as a result of legislation or rulemaking.
- Furthermore, we must ensure that the complexity of privacy requirements does not effectively become a barrier to entry for new potential innovators. Congress and the administration must ensure that fundamental core privacy protections for consumers are in place without stifling free market forces; this is fundamental to enabling new entrants and to allow new data-based business models to flourish.
The U.S. Must Lead Globally
- As the home of the world’s preeminent tech sector, the U.S. must proactively demonstrate global leadership by participating in multi-lateral, multi-stakeholder forums to promote interoperability among privacy frameworks, within trade discussions.
- TechNet supports the 2022 European Union-U.S. Data Privacy Framework and President Biden’s Executive Order on Enhancing Safeguards for the United States Signals Intelligence Activities. Reaching a final agreement is essential to maintaining transatlantic data flows.
- Efforts to promote digital trade and negotiate new trade agreements must promote predictable seamless data flows across international borders.
Facial Recognition Technology
Facial recognition technology can be utilized in a variety of use cases, many of which can improve security and access for individuals using services online. Facial recognition technology can enable remote access to essential services, removing location- and mobility-based barriers to access. In addition, different types of facial recognition technology can be used to stop fraud and protect consumers.
TechNet supports the following principles:
- TechNet will oppose any legislation that prohibits or effectively prohibits the use of facial recognition technology.
- Legislation should not reduce access to non-identifiable diverse datasets necessary to train models to reduce bias.
- Policies should recognize the wide variety of use cases for technologies that detect and/or recognize faces or other parts of the human form, and policies should avoid over-regulating visual technologies that do not affect individual privacy.