A U.S. Data Privacy and Security Framework: Comments to the House Energy & Commerce Committee

In February, U.S. Reps. Brett Guthrie (KY-02) and John Joyce (PA-13), representing the House Committee on Energy and Commerce, issued a request for information (RFI) inviting stakeholders to share their insights and suggestions on the newly formed data privacy working group. 

The request highlighted the $2.6 trillion U.S. digital economy, which depends on digital technologies but faces challenges from rapid innovation and conflicting state and federal data privacy and security regulations, complicating the creation of clear digital protections for Americans. 

Leaders at our organization have often voiced the need for a comprehensive federal data privacy and security framework, and BBB National Programs appreciated the opportunity to leverage its more than 50 years of experience as a leader in this space to comment on the need for such a framework as well as our recommendations for its development.  

Here are the three key recommendations we provided in our response to the RFI: 
  • Include independent third-party accountability programs to review industry compliance, with regular monitoring. 
  • Leverage existing successful frameworks such as the EU-U.S. Data Privacy Framework (DPF) and Global Cross Border Privacy Rules (CBPR). 
  • Incorporate a safe harbor model, similar to the Federal Trade Commission’s (FTC) Children’s Online Privacy Protection Act (COPPA) Rule approach, especially for small- and medium-sized businesses. 

These recommendations underscore our belief that independent accountability is vital to the passage and ultimate success of a U.S. national privacy law. 

Data privacy and security are pressing concerns for consumers, companies, and governments. A Publishers Clearinghouse study found that 86% of Americans are more concerned about data privacy and security than the state of the U.S. economy. This finding underscores the urgent need for a comprehensive federal privacy law that protects U.S. citizens and national interests. 

A unified federal framework would replace the current patchwork of state-level regulations, providing consistency and clarity. Such a law could bolster national security, enhance global competitiveness, and help American businesses safeguard consumer data. 

In 2023, digitally enabled services accounted for 64% of U.S. service exports and supported 8.9 million jobs. The digital economy is projected to grow to $16.5 trillion by 2028. A comprehensive federal privacy law would enhance the U.S.'s leadership role in the global digital economy. 

Recommendation 1: Assess and Monitor Industry Compliance through Independent Third-Party Accountability Programs 

  • Entities processing, sharing, or selling data operate in various models, including business-to-business and business-to-consumer contexts. However, states differ in defining data roles (e.g., controller, processor, third party, vendor) and in setting thresholds for compliance. A federal law should establish consistent terminology and thresholds for applicability. 
  • Independent third-party evaluations can supplement compliance and enforcement by federal and state regulatory bodies. These external assessments encourage compliance and support the concept of "soft law" enforcement alongside traditional regulatory oversight. 
  • Controllers should create clear, easy-to-read privacy policies detailing the data collected, its use, and available consumer rights. Providing consumers with accessible dispute resolution mechanisms and having contracts in place for onward transfers are also essential. 
  • Processors and third parties must act according to clear standards, particularly when engaging sub-processors or handling sensitive data.  

A comprehensive law should also account for entity size, revenue, and risk level to determine compliance requirements. Streamlined pathways to compliance and independent accountability for low-risk small and medium-sized businesses can aid overall compliance; this option has been included in previous iterations of federal privacy legislation. 

Recommendation 2: Leverage Existing Frameworks like the EU-U.S. DPF and Global CBPRs 

  • Existing frameworks such as the EU-U.S. Data Privacy Framework (~3,000 companies) and Global Cross Border Privacy Rules (~100 U.S. companies) provide effective models for certification and compliance. These frameworks, managed by the U.S. Department of Commerce, set robust standards for data controllers and processors. State laws like Tennessee's Information Privacy Act also cite the CBPR as a valid certification model. 
  • Dispute resolution mechanisms must be a core element of a federal privacy law. Consumers need clear avenues to address concerns, particularly for minor data issues such as deletions or corrections. As an Independent Recourse Mechanism (IRM), BBB National Programs resolves such disputes efficiently and at no cost to consumers, avoiding costly legal proceedings. 
  • Adopting security requirements from the Global Privacy Recognition for Processors (PRP) program ensures strong data protections. These requirements cover physical and technical safeguards and are verified through policy assessments during certification. Aligning with these standards facilitates global market access for American companies. 

Recommendation 3: Incorporate a Safe Harbor Model 

  • Apply lessons learned from COPPA. A federal privacy law should integrate a safe harbor model similar to that of COPPA. Under COPPA, third-party safe harbor programs, such as BBB National Programs' Children’s Advertising Review Unit (CARU), help companies, particularly small and medium-sized ones, comply with privacy laws and address gaps in practices.  
  • A safe harbor model also levels the playing field by granting smaller entities access to compliance expertise. It signals good faith efforts to regulators, supports risk-based compliance, and allows government agencies to focus on egregious violations. 
  • Sole enforcement by a federal agency may be hindered by budget and staffing constraints. A joint model involving the FTC and independent third parties allows for real-time compliance monitoring and efficient resource allocation. 

To enhance transparency, we also recommend the FTC maintain a centralized public directory of enforcement cases brought by both state Attorneys General and the FTC. 

With questions about any of these recommendations, please reach out to our team at GlobalPrivacy@bbbnp.org.