Main Street Principles for Data Privacy Legislation

American businesses have no higher priority than earning and maintaining trusted relationships with their customers. To preserve those relationships, businesses must protect and responsibly use the personal information that customers share with them. As policymakers consider legislative and regulatory solutions to address data privacy concerns, our coalition urges adoption of the following principles.

Guiding Legislative Principles

  • Establish a Uniform National Privacy Law
    Congress should enact a privacy law that benefits consumers and businesses alike by ensuring all personal data is protected in a consistent manner regardless of where a consumer resides.
  • Protect Consumers Comprehensively with Equivalent Standards for All Businesses
    Federal data privacy frameworks should apply requirements to all industries that handle personal data and should not place a disproportionate burden on certain sectors of the economy while alleviating others from providing equivalent protections of personal data.
  • Create Statutory Obligations (Not Contractual Requirements) for All Entities that Handle Consumers’ Data
    Given imbalances in contractual negotiating power, effective consumer protection cannot be achieved by relying on Main Street businesses to regulate the conduct of market-dominant service providers through contracts. Service providers and third parties must have statutory privacy obligations when offering data processing, transmission, storage, or other services to collectively millions of Main Street businesses.
  • Preserve Customer Loyalty Rewards and Benefits
    A federal privacy law should preserve the ability of consumers and businesses to voluntarily establish mutually beneficial business-customer relationships such as loyalty programs.
  • Require Transparency and Customer Choice for All Businesses
    Consumers deserve to know the categories of personal data that all businesses collect, how it is generally used to serve them, and the choices they have regarding those uses.
  • Hold Businesses Accountable for their Own Actions
    Privacy legislation should not include terms that potentially expose businesses, including contractors and franchises, to liability for the actions or noncompliance of a business partner.
  • Ensure Reasonable Data Security Standards
    Privacy legislation should include reasonable data security standards for all businesses handling consumer data, as well as uniform rules for any businesses suffering a data security breach to notify affected individuals.
  • Establish Effective Accountability and Enforcement
    Effective enforcement must hold accountable all entities handling personal data to equivalent data privacy standards using the same enforcement mechanisms, thereby creating an even playing field and proper incentives across industry sectors to comply with those standards. Because “mistake-free” compliance is unlikely in this complex area of law, we support the approach adopted in all enacted state privacy laws of coupling exclusive governmental entity enforcement with the regulated entity’s ability to “cure” non-compliant practices within a limited period of time after timely and specific notice from the governmental authority.

Our Members