As Congress inches forward on federal privacy reform, small businesses worry about trading the current privacy patchwork for a kaleidoscope of complications.
Last Congress, the U.S. House Committee on Energy and Commerce came closer than ever to a bipartisan, bicameral compromise on a raft of new provisions that affect a wide range of stakeholders in different ways. This Congress, bipartisan, bicameral efforts are again on the move, but there are some key differences in this year's draft that raise significant questions for small businesses. The Energy and Commerce Committee's Innovation, Data, and Commerce Subcommittee recently advanced the new American Privacy Rights Act, and the full committee is poised to advance the measure in the coming weeks.
This point in the process is crucial, and small businesses need to be heard.
Just like its predecessor, the APRA is complex. Forecasting how compliance will look for a given company requires either a lot of scratch paper, or pulling a Charlie Day with some red yarn and a cork board.
Surprisingly, though, this is not necessarily a complaint, as companies already must make these calculations under some combination of the 18 comprehensive privacy laws at the state level — along with any other federal and state requirements that apply to a given entity.
As a result, when we saw that the APRA attempts to completely carve out small businesses from the definition of "covered entity," we thought that might be a good thing for our member companies.
However, in effect, their apparent exclusion may actually hurt small businesses by denying them the benefits of preemption and leaving them open to opportunistic lawsuits through the private rights of action under the APRA and any future and existing state laws.
If policymakers want to achieve the objective of helping small businesses protect consumer data, they should revise the APRA to include small businesses, offer them a path to compliance, make the PRA less open to abuse, and strengthen the preemption provision.
Why carve small businesses back in? Let's break out the red yarn.
First, the boundaries of the definition of "small business" in the APRA invite litigation and disputes because of what crossing those boundaries implies. The definition excludes companies that transfer personal information in exchange for "anything of value," with some exceptions, and excludes entities that "collect, process, retain, or transfer" personal information on more than 200,000 individuals over the course of a year.
These are similar to exclusions that exist in state privacy laws, but crossing the APRA line is a more consequential notion for small companies for two main reasons: the state carveouts are generally predicated on a threshold number of residents of a specific state, which an app developer is less likely to reach; and the full slate of APRA requirements and prohibitions, nationwide PRAs and hefty civil penalties suddenly apply upon crossing the threshold.
Second, the definition of a "service provider" is not predicated on "covered entity." In other words, non-covered entities, including small businesses, are also service providers if they undertake the described functions on behalf of a covered entity. Realistically, a significant portion of App Association members would be both service providers subject to the APRA, and for parallel projects or lines of business, small businesses not subject to the APRA.
Third and relatedly, to the extent App Association members are not service providers and also not covered entities, they also probably do not benefit from the APRA's preemption provision. Finally, many App Association members would also lack access to any "safe harbor" compliance programs under Section 115, as they are available only for covered entities and not service providers.
With these considerations in mind, it seems unavoidable that carving small businesses out of the definition of a covered entity raises questions as to whether they would be covered by the APRA or must continue to navigate the existing and constantly evolving patchwork of state privacy laws. This would significantly disadvantage small businesses while enabling their larger counterparts to enjoy a single, uniform privacy standard.
Ironically, in order to benefit from preemption under the current APRA structure, a small business would need to start selling personal data, although it is true that brokering data would not earn it a safe harbor under the APRA.
As we have previously argued, instead of carving small businesses out of a comprehensive federal privacy framework, policymakers should offer them a path to compliance. Providing such, including via a safe harbor that provides a presumption of compliance with the law, ensures they will be held accountable for protecting consumers' privacy. This will additionally offer them some protection against predatory lawsuits and opportunities to rectify mistakes made in good faith.
A compliance program would ensure that App Association members are rightfully viewed as following a federal privacy framework, while alleviating liability concerns and other burdens.
In addition, the availability of a PRA to litigate the unclear inclusion of small businesses in the APRA creates opportunities for predatory lawsuits that hurt small businesses. The inclusion of a PRA essentially encourages a "sue-and-settle" approach, where the act of litigation serves as a business strategy for bad actors instead of a means to rectify actual wrongdoings.
To be clear, we have no problem with the idea of companies that are acting in bad faith being punished for privacy violations. However, we do not want to create a system in which harassing small businesses with unsupported claims is a profitable endeavor.
In light of these issues, Congress should revise the APRA to include the small business provision of the American Data Privacy and Protection Act that exempted them from certain requirements designed for larger businesses.
Further, policymakers should strengthen the bill's preemption provision by changing "covered by" to "relating to" and removing exceptions for state laws, such as Washington state's My Health My Data Act.
Finally, the APRA's PRA should include penalties and checks on meritless claims and be limited so that it does not apply to the ambiguous mandates most likely to invite abuse. The trickiest part of this process is that if lawmakers are able to carve small businesses back in, the framework must truly preempt state laws and avoid the sue-and-settle business models other PRAs have created in order for it to make sense for App Association members.
The APRA represents a welcome step towards the enactment of a comprehensive federal data privacy law, but significant work remains. By making changes to better account for the challenges small businesses face, policymakers can bolster data privacy protections while fostering a more equitable environment for businesses to thrive in the digital economy.
Morgan Reed is president of ACT | The App Association.