FEATURE
 covered businesses. And though none of those bills were passed into law in 2019, their proponents are almost sure to renew their efforts in 2020.
The passage by other states of their own comprehensive privacy laws creates the real possibility that companies will face inconsistent and potentially conflict- ing obligations on matters such as the content of privacy policies, the rights af- forded to consumers, and the process for receiving and responding to consumer requests to access or delete personal infor- mation. As one commentator has noted, these variations would be “exponentially more troubling” than the variations in current data-breach notification laws: “These [comprehensive privacy] laws ap- ply to companies at all times, not just after data breaches. And they require far more significant operational changes than breach notification, because data protec- tion laws dictate how data is handled and processed.”19
The Business Roundtable Framework
The CCPA’s passage, the prospect of other states adopting their own slightly different variations on its comprehensive privacy regime, and other high-profile privacy incidents (such as the Facebook- Cambridge Analytica scandal) have led to calls for a national privacy law from government, commercial and civil society stakeholders.
One prominent example is a proposed
Framework for Consumer Privacy Legisla- tion released in September 2019 by Busi- ness Roundtable, an association of chief executive officers of some of America’s leading companies.20 The Framework outlines a set of principles that the as- sociation proposes should undergird a federal privacy law. The Business Round- table sent the Framework to congressional leaders, urging them in a letter signed by more than 50 CEOs to pass “as soon as possible, a comprehensive consumer data privacy law that strengthens protections for consumers and establishes a national privacy framework to enable continued innovation and growth in the digital economy.” 21
The Business Roundtable Framework highlights several key points that will
The passage by other states of their own comprehensive privacy laws creates the real possibility that companies will face inconsistent and potentially conflicting obligations.
drive the debate over a national privacy law.
1.) To Preempt or Not to Preempt?
The Framework advocates a broadly applicable consumer privacy law that would create a consistent, uniform frame- work applicable across industry sectors. And critically, the Framework contends that a national consumer privacy law should preempt any state or local law that addresses the collection, use or sharing of personal data.
Preemption is one of the most politi- cally controversial issues in the discussion about a national privacy law. Some stake- holders have concerns that preemption could diminish the protection offered by state laws such as the CCPA, and limit states’ opportunity to pursue innovative approaches to protect their consumers’ privacy.
Because of the fragmented nature of the current privacy legal landscape in the United States, preemption is also techni- cally complex, requiring consideration of numerous and varied state laws. Those include medical, financial and commu- nications privacy laws, and lesser-known state laws that address privacy risk, such as those that regulate the use and disclosure of Social Security numbers.22
For organizations facing the prospect of operationalizing the requirements of 50 different competing state privacy laws, however, preemption is critical, and in- deed essential to their support for a na-
tional law. Without preemption, a nation- al privacy law could become just one more opportunity for overlapping, inconsistent or conflicting rules for the handling of consumers’ personal information.
2.) Enforcement and the Private Right of Action
On the topic of enforcement, the Framework rejects — in no uncertain terms — the idea that the law should in- clude a private right of action, stating sim- ply that it should not. Like preemption, private rights of action have become a contentious issue in the debate over what a national consumer privacy law should contain.
The Framework takes the position that the power to penalize companies for vio- lations should be left to the Federal Trade Commission (FTC) and state Attorneys General. It explains that the FTC is the appropriate federal agency to enforce a na- tional consumer privacy law, and that care should be taken to avoid duplication of enforcement across federal agencies. The Framework also assumes that state AGs will have the power to bring actions in court to enforce the law on behalf of their states’ residents.
Privacy advocates typically favor in- cluding a private right of action in a national privacy law, viewing it as an important way to share the burden of enforcement between the public and under-resourced regulatory agencies with many competing priorities. Businesses, however, are justifiably concerned that private rights of action — especially when accompanied by statutory damages — will lead to frivolous, excessive and expensive lawsuits; inconsistent rulings across juris- dictions; and ruinous liability. And they question whether that outcome would mostly benefit the class action bar, rather than consumers.
3.) Governance and Corporate Privacy Practices
On the topic of how a national privacy law should regulate the collection, use and disclosure of personal information, the Framework advocates a risk-based ap- proach that would “apply greater protec- tions to data processing that may present higher risks to the rights and interests of consumers and ... address emerging
  8 DELAWARE LAWYER SPRING 2020