Page 11 - Delaware Lawyer - Spring 2020

risks as business practices and technologies evolve.” To that end, the Framework rejects an approach that would prescribe specific practices for the handling of consumer information. Instead, the Framework proposes that organizations should have flexibility to leverage recognized risk-based privacy practices, such as “privacy by design” and privacy impact assessments for high-risk processing, and should then implement policies and procedures to ensure that their uses of data are legitimate and consistent with the notices provided to consumers.
In that regard, the Framework avoids a prescriptive approach to compliance that can disadvantage smaller organizations and stifle the development of beneficial new technologies and business offerings. Instead, it advocates an approach that, done correctly, can protect the privacy interests of consumers while also fostering continued innovation and economic competitiveness.
4.) Individual Rights
Taking a cue from the CCPA, the Framework proposes giving broad rights to consumers over their personal information. Those rights include:
• Reasonable access to clear and understandable statements about an organization’s processing of personal data;
• Opportunities to exert reasonable control over the collection, use and sharing of personal information, including the ability to make choices about the sale of personal data to non-affiliated third parties;
• A reasonable right to access and correct inaccuracies in their personal information; and
• A right to require deletion of personal information that is no longer required to be maintained under applicable law or is no longer necessary for legitimate business purposes of the organization.
As is the case under the CCPA, under the Framework those rights can be limited or curtailed by an organization under certain circumstances. Under the Framework, those circumstances include complying with legal obligations, protecting the health and safety of individuals, preventing fraud and addressing security risks, supporting legitimate scientific and research purposes, and satisfying business (including contractual) obligations.
5.) Data Security and Data Breach Notification
Returning to an area that is currently fraught with overlapping, inconsistent and sometimes conflicting requirements, the Framework advocates a national, uniform data-breach notification standard that would do away with the 50 different state notification laws that apply to businesses today. In place of those laws, the Framework advocates a standard that would require notification of consumers within a reasonable timeframe if there is a “significant risk” of harm as a result of a personal data breach.
To help avoid data breaches, the Framework also suggests that a national privacy law should impose an affirmative obligation on organizations to implement reasonable administrative, technical and physical safeguards to protect against unauthorized use or disclosure of personal information. But importantly, the Framework rejects an approach that would prescribe specific security safeguards, tools, strategies or tactics. Instead, the Framework proposes that organizations have the flexibility to adopt safeguards that are appropriate to their circumstances, and that are proportional to the likelihood and severity of the harm threatened and the sensitivity of the personal data they handle.
The Road Ahead
As the CCPA comes into effect and other states move toward adopting their own versions of that law, support for a national consumer privacy law will continue to increase. The Business Roundtable Framework reflects a reasoned and balanced approach to the key points of contention that will be at issue in any discussion of such a law. It deserves serious consideration by Congress and the other stakeholders involved in what’s sure to be a vigorous debate over how consumer privacy should be regulated in the United States.