
CCAGW Submits Comments to House Energy and Commerce Committee's Privacy Working Group Request for Information

Letters to Officials

April 7, 2025

The Honorable Brett Guthrie
Chairman

The Honorable John Joyce, M.D.
Vice Chairman
House Committee on Energy and Commerce
2125 Rayburn House Office Building
Washington, D.C. 20515

Re:  The Privacy Working Group Request for Information

Dear Chairman Guthrie and Vice Chairman Joyce,

On behalf of the more than one million members and supporters of the Council for Citizens Against Government Waste (CCAGW), I am responding to the February 21, 2025, request for information from the Committee on Energy and Commerce to help develop a federal comprehensive data privacy and security framework.

Americans have become increasingly concerned about the amount of personal information held by banking institutions, e-commerce sites, internet service providers, online platforms, retailers, and many others, and how such information is being used for data analytics, online advertising, and targeted messaging without adequate transparency or consumer choice.  This concern was underscored following the 2016 elections when it was revealed that Cambridge Analytica used ill-gotten personal data from Facebook, now known as Meta, for targeted political ads.  In 2021, the number of major data compromises reached a then-record 1,862 incidents, a 68 percent increase from 2020, and a 23 percent increase over the previous all-time high of 1,506 in 2017.[1]  According to Statista, the number of data compromises in 2023 reached 3,205 cases, 113 percent greater than in 2021, and “over 353 million individuals were affected by data compromises, including data breaches, leakage, and exposure.”[2]

While companies have been working to strengthen data security and consumer privacy, a national framework enacted into law by Congress would eliminate the costly and confusing patchwork of state laws and ensure that businesses and individuals have a single set of rules to follow for protecting data and privacy when using online services.


Personal information (PI) may include an individual’s name, address, phone number, and family members.  Personal identifying information (PII) may, in addition to personal information, include a social security number or other federal tax identifier, a school identification number, a date of birth, or any other identifying number that can permit access to sensitive information about the individual.  Sensitive personal information (SPI) would include banking information, credit information, health information, education records, employment records, or any other information the individual or the government deems to be sensitive.  The higher the sensitivity of the data, the greater the protections that must be imposed to protect it.

With respect to the roles and responsibilities of entities that collect and process PI, PII, or SPI, it is necessary that they have a certain path forward for how they are to be regulated in the handling of this data.  Currently, that certainty is absent and will remain so until Congress enacts a comprehensive data privacy and security framework to guide any entity handling PII, as well as regulators, on their roles and responsibilities.  During the 109th Congress, the Department of Veterans Affairs (VA) Information Security Enhancement Act of 2006 was included in P.L. 109-461.  The act increased information security at the VA following a data breach that impacted 26.5 million veterans and cost the federal government $25 million in remediation efforts.[3]  Since the federal government is one of the largest collectors of data in the United States, rather than acting after a breach it must be proactive in requiring agencies that collect, process, collate, or sell PII to maintain that data in a secure environment and to have plans in place for remediation when PII is disclosed without the individual’s direct consent.

The scope of data collection and size of an organization must be considered as the committee develops legislation.  Small businesses and individuals should not be treated the same as large organizations in regard to penalties relating to a data breach.  Consumers should be made aware in plain language how their data will be collected, shared, and used and offered the opportunity to opt-out of such activities with a clear understanding of what impact opting out of the data sharing or use will have on their overall experience with the entity.

Consumers whose collected data has been compromised while in the possession of a covered entity should be notified of any breach of their data and offered up to two years of identity protection.  Entities should also make remediation efforts within 60 days of a breach notification to ensure the data is secured in the future to avoid further data breaches. 

To avoid excessive and frivolous litigations, Congress should not include a private right of action (PRA) in any law related to consumer data privacy and security.  A PRA allows trial lawyers to act in an enforcement capacity by bringing suits against a business where they deem that there could be a violation of the law and seek monetary restitution.  According to the U.S. Chamber of Commerce Institute for Legal Reform, “PRAs can lead to litigation abuse because plaintiff’s lawyers are financially incentivized to file as many lawsuits as possible, placing monetary gain over properly addressing potential harms.  Unfortunately, private rights of action do not enhance consumer privacy or protection but rather serve the interests of plaintiffs’ lawyers seeking large payouts.”[4]

According to the Civil Justice Association of California (CJAC), “Some PRAs can be brought even when there is no proof of damages or actual harm.  This allows lawsuits against businesses by merely alleging the business did something wrong.  Additionally, some PRAs can be brought when there has been a technical violation but insignificant harm, e.g., not listing the employer’s full name on the pay stub.”  CJAC further noted that PRAs frequently lead to “shakedown” lawsuits, with small businesses often being the targets of these suits.[5]  These are among the reasons that CCAGW believes Congress should not include a PRA in a federal data privacy and security law and consider pre-empting state laws that include a PRA. 

Since 2018, 34 states have either introduced or enacted their own set of data privacy protections.  This fragmentation of regulatory intervention creates uncertainty for businesses and may discourage some businesses from operating in certain states due to the cost of compliance.  The patchwork of laws makes it particularly difficult for smaller businesses that collect consumer information like names, addresses, banking or credit card information, and preferences.  A 2022 Information Technology & Innovation Foundation report noted, “State privacy laws could impose out-of-state costs of between $98 billion and $112 billion annually.  Over a 10-year period, these out of state costs would exceed $1 trillion.”[6]  These costs would hit small businesses the hardest.

Because data is transmitted across state lines, the national comprehensive data privacy and security bill should become the primary privacy law of the land and pre-empt all state laws enacted prior to the date the law is enacted.  Otherwise, the bill will not hold the force of law, and the substantial, unnecessary, and wasteful costs from 50 individual state laws regulating consumer privacy and data security will continue.  

While there is not a single comprehensive data privacy law, there are laws that govern how personal information should be protected using an industry-by-industry approach, including the Communications Act of 1934; the Electronic Communications Privacy Act; the Children’s Online Privacy Protection Act; the Driver’s Privacy Protection Act; the Family Educational Rights and Privacy Act; the Fair Credit Reporting Act; the Gramm-Leach-Bliley Act; the Health Insurance Portability and Accountability Act; the Wire Act; and the Video Privacy Protection Act.  While a comprehensive law should not pre-empt or supersede these laws, Congress should review them to ensure that they are adequate to meet current and future privacy needs. 

As the committee reviews options for a federal consumer data privacy and security framework, members should review state laws.  The Connecticut Data Privacy Act (CTDPA) is an example of a reasonable and effective data privacy law, while the California Consumer Privacy Act (CCPA) is cumbersome and costly.

Signed into law on May 10, 2022, and effective on July 1, 2023, the CTDPA applies to entities that either conduct business in the state, or produce products or services targeted to Connecticut residents, and that during the prior calendar year controlled or processed the personal data of at least 100,000 consumers; or 25,000 or more consumers and derived more than 25 percent of gross revenue from the sale of PI.  There are separate requirements for entities that process health data.  The bill exempts state and local governments; nonprofit organizations; financial institutions subject to the Gramm-Leach-Bliley Act; national securities associations; entities subject to the Health Insurance Portability and Accountability Act; and higher education institutions.  Beginning on January 1, 2025, businesses covered under the CTDPA must honor universal opt-out preferences sent by Connecticut residents.[7] 

On the other side of the spectrum, the CCPA was signed into law on June 28, 2018.  It was rushed through the legislative process and imposed burdensome requirements on how companies must store and provide access to consumers’ personal information, as well as harsh restrictions on the types of product and service options and discounts companies might offer to their customers.  CCPA also included a private right of action, which gives individuals the ability to file suit against any company they believe violated their privacy rights.  As a result, businesses could be held hostage by thousands of single lawsuits that threaten to bankrupt them.[8] 

The California Privacy Rights Act (CPRA), signed into law on November 3, 2020, amended the CCPA by including the right to opt out and requiring a “Do Not Sell or Share My Personal Information” link.  CPRA also adopted limits on the use of sensitive personal data similar to those imposed by the General Data Protection Regulation (GDPR), created new notice requirements, and further expanded the private right of action.[9]  Unfortunately, other states, including Maryland, have used the CPRA and CCPA as a baseline for their own data privacy laws.[10]

While the Connecticut law is an example of a thoughtful approach to consumer data privacy and security, it does not negate the need for a pre-emption of all state laws by a federal law.  Indeed, the variances across state lines exemplify the country’s need for a national standard. 

CCAGW believes that any comprehensive data privacy and security law enacted by Congress should be technology neutral.  The technology of today, in this instance artificial intelligence (AI), will be outpaced by newer technologies of tomorrow.  Providing a technology neutral approach to consumer data privacy and security will provide a more forward-looking approach to technology developments and allow innovation in this space to continue.  Congress should review state laws to determine whether they should also be pre-empted in a federal data privacy and security law if they either enhance or forestall the development of AI or other new technologies.

On November 8, 2018, Citizens Against Government Waste (CAGW) provided comments to the National Telecommunications and Information Administration (NTIA) with the organization’s recommendations on ways to advance consumer privacy while protecting prosperity and innovation.  These comments offered six recommendations for a consumer-based approach to privacy:

  1. National Privacy Framework: Because of the unique nature of the internet ecosystem and its presence beyond state borders, a clear and concise national data privacy framework is necessary to provide consistency and certainty for businesses and consumers alike.
  2. Consumer Choice and Control: Businesses should provide consumers with easy-to-understand privacy choices based on the sensitivity of their personal data and how it will be used or disclosed, consistent with the FTC’s privacy enforcement guidance. Businesses should provide consumers with an opt-out choice to use their non-sensitive customer information for personalized third-party marketing. Businesses should be able to continue to rely on implied consent to use customer information for activities such as service fulfillment and support, fraud prevention, market research, product development, network management and security, compliance with the law, and first-party marketing.
  3. Transparency: Consumers should be provided with clear, comprehensible, accurate, and continuously available privacy notices by businesses collecting, using, or sharing consumer data that describe in detail the information being collected, how that information will be used, and whether the information will be sold or shared with third parties. Should customer information be sold or shared with a third party, customers must be notified about the types of third parties to whom their information has been given and for what purpose.
  4. Data Minimization and Contextuality: Consumers should expect reasonable limits on the amount of personal data that organizations will collect, use, and disclose, consistent with the context in which that data is provided. Every effort should be made to de-identify and delete data as promptly as possible when it is no longer necessary.
  5. Flexibility: Different types of data require separate methods and standards of protection. For example, sensitive health care data and financial data require a higher level of security than a social media account or a computer’s IP address. Therefore, policies must be consistent with the type of data being collected and how it is to be used.
  6. Data Security and Breach Notification: Consumers should expect that the personal data they share with other entities is maintained in a secure environment. Information technology systems are under constant attack; breaches have and will continue to occur. In the event of a data breach in which there is a reasonable likelihood of misuse and consumer harm, consumers should expect timely notification of the event, and an offer by the entity breached as to the remedies available to make the consumer as whole as possible, including credit protection services, fraud alerts, and credit monitoring through credit reporting agencies.

The need to modernize current federal privacy regulations and laws led to the establishment of the Privacy Working Group in 2008, which meets monthly under the leadership of Citizens Against Government Waste’s (CAGW) Innovation and Technology Policy Center.  In addition, CAGW has written extensively on consumer data privacy, including Critical Waste Issues for the 119th Congress; “The Path to a National Privacy Framework;” comments to the Federal Trade Commission (FTC) regarding its Advanced Notice of Proposed Rulemaking on Commercial Surveillance and Data Security; comments to the NTIA in response to the agency’s request on Developing the Administration’s Approach to Consumer Privacy; and comments to the Federal Communications Commission regarding the agency’s 2016 Privacy Order.[11]

Again, CCAGW appreciates your efforts to enact a comprehensive national consumer data privacy and security framework and looks forward to working with the committee in furtherance of this cause.  If you have any questions, please feel free to reach out to me or to CCAGW Vice President for Policy and Government Affairs and Executive Director of the Information Technology and Policy Center Deborah Collier.

Sincerely, 

Tom Schatz 
President, CCAGW


[1] Identity Theft Resource Center, “Identity Theft Resource Center’s 2021 Annual Data Breach Report Sets New Record for Number of Compromises,” January 24, 2022, https://www.idtheftcenter.org/post/identity-theft-resource-center-2021-annual-data-breach-report-sets-new-record-for-number-of-compromises/.

[2] Ani Petrosyan, “Number of data compromises and impacted individuals in U.S. 2005-2023,” Statista, February 12, 2024, https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/.

[3] Veterans Benefits, Health Care, and Information Technology Act of 2006, Public Law No. 109-461, December 22, 2006, https://www.congress.gov/bill/109th-congress/senate-bill/3421; Sen. Ed Markey (D-Mass.), “Data Security Breach Leaves 26.5 million veterans vulnerable to identity theft,” May 22, 2006, https://www.markey.senate.gov/news/press-releases/may-22-2006-data-security-breach-leaves-265-million-veterans-vulnerable-to-identity-theft;  David Perera, “VA to shift up to $25 million to handle data theft inquiries,” Government Executive, May 24, 2006, https://www.govexec.com/defense/2006/05/va-to-shift-up-to-25-million-to-handle-data-theft-inquiries/21908/.

[4] U.S. Chamber of Commerce Institute for Legal Reform, “What Is a Private Right of Action,” May 15, 2024, https://instituteforlegalreform.com/blog/what-is-a-private-right-of-action/.

[5] Civil Justice Association of California, “Private Rights of Action,” https://www.cjac.org/private-rights-action.

[6] Daniel Castro, Luke Dascoli, and Gillian Diebold, “The Looming Cost of a Patchwork of State Privacy Laws,” Information Technology & Innovation Foundation, January 24, 2022, https://itif.org/publications/2022/01/24/looming-cost-patchwork-state-privacy-laws/.

[7] Office of the Attorney General William Tong, “The Connecticut Data Privacy Act,” 2022, https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act.

[8] Deborah Collier, Ryan Lanier and Thomas Schatz, “The Path to a National Privacy Framework,” CAGW, March 2022, https://www.cagw.org/reporting/national-privacy-framework.

[9] Ibid.

[10] House Bill 567, Chapter 454, An Act concerning Maryland Online Data Privacy Act of 2024, Approved by the Governor, May 9, 2024, https://mgaleg.maryland.gov/2024RS/Chapters_noln/CH_454_hb0567e.pdf.

[11] CAGW, Critical Waste Issues for the 119th Congress, February 2025, pp. 55-59, https://www.cagw.org/reporting/critical-waste-issues-for-the-119th-congress; Deborah Collier, Ryan Lanier, Tom Schatz, “The Path to a National Privacy Framework,” CAGW, March 2022, https://www.cagw.org/reporting/national-privacy-framework; CAGW, “CAGW Files Comments to FTC on Commercial Surveillance and Data Security,” November 18, 2022, https://www.cagw.org/legislative-affairs/agency-comments/cagw-files-comments-ftc-commercial-surveillance-and-data; CAGW, “Comments to NTIA on Developing the Administration’s Approach to Consumer Privacy,” November 8, 2018, https://www.cagw.org/legislative-affairs/agency-comments/comments-ntia-developing-administrations-approach-consumer; CAGW, “Supporting the Petitions for Reconsideration of the FCC’s Privacy Order,” March 3, 2017, https://www.cagw.org/legislative-affairs/agency-comments/supporting-petitions-reconsideration-fccs-privacy-order; CAGW, “Reply Comments Regarding the FCC’s Privacy Rules,” June 27, 2016, https://www.cagw.org/legislative-affairs/agency-comments/reply-comments-regarding-fccs-privacy-rules; CAGW, “FCC Comments on Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,” May 26, 2016, https://www.ccagw.org/legislative-affairs/agency-comments/fcc-comments-protecting-privacy-customers-broadband-and-other.  
