CEOs urge Congress to override ‘crazy quilt’ of data protection laws

The heads of the largest U.S. companies are urging Congress to replace a widening array of conflicting state laws on the collection and use of personal data with a nationwide standard.

Some 80 percent of CEOs surveyed by the Business Roundtable, which represents the 200 biggest U.S. businesses with a combined payroll of 15 million people, say a federal statute is important, according to data published Wednesday. More than half of them described it as “very” important, with stringent new rules in Europe already and a rigorous California law taking effect next year.

“What our companies are facing now is not only disparate rules and regulations around the world, we’re beginning to face disparate regulations even in the U.S.,” Josh Bolten, president of the organization, told reporters. “If we have this crazy patchwork quilt of different privacy regulations across even all 50 states, then that’s a big impediment to business and to innovation.”

Companies worried about the difficulties of complying with rules that vary from region to region, a costly proposition at best and one difficult to manage in the age of internet commerce where overlapping supply and distribution lines cover the globe, aren’t the only supporters of such a bill.

Privacy advocates worried by massive breaches at companies from credit bureau Equifax to hotel chain Marriott and social media giant Facebook want a federal standard, too, though they worry that Congress might ultimately weaken protections in states like California, whose new law will allow residents to review the data that companies hold on them and block firms from selling that information.

The cyberattack that Marriott disclosed in late November affected 327 million people, a number larger than the entire population of the United States, dwarfing even the theft discovered in 2017 at credit bureau Equifax, which sparked congressional scrutiny and the departure of then-CEO Richard Smith.

Facebook contributed to the momentum with the 2018 discovery that a consultant on President Trump’s 2016 campaign improperly gained access to information on 87 million users.

“I don’t want to regulate Facebook or any private social media company, but these platforms continue to compromise their users’ private data,” Sen. John Kennedy, R-La., said when he and Sen. Amy Klobuchar, D-Minn., introduced a bill this year giving consumers the right to disable data-tracking and collection, requiring terms of service to be written in plain language, and mandating that users be informed of data breaches within three days.

The Business Roundtable has embraced the plain-language concept in a detailed privacy framework that also calls for giving consumers more control over personal information and setting an unspecified deadline for companies to notify clients of data breaches.

Many of the principles in Europe’s General Data Protection Regulation are sound, said Jamie Dimon, the CEO of JPMorgan Chase and chairman of the Business Roundtable, though executing the policy is complicated.

Europe’s law requires companies to use “clear and plain language” in requesting agreement from users for the processing of their data, along with an explanation of what the business plans to do with the information, to notify users of a breach within three days and to erase that user’s information entirely upon request.

“They’re kind of ahead of us in trying to get this in the right place,” Dimon said, noting that consistency across regional boundaries is important.

“Think of how silly it would be to have a state-by-state law” governing a business like e-commerce, he added, when a California resident traveling in Missouri might buy goods online that are shipped from Arizona.

“This is an area, like many others, where we need national law,” Dimon said. “If you say that this is the right thing to protect the American consumer, why isn’t it the right thing to protect the consumer in all 50 states?”
