250620 State Michigan Privacy Letter Michigan Senate Final

Published

June 23, 2025


The U.S. Chamber of Commerce (“Chamber”) urges the Senate not to take up Senate Bill 359 (“SB 359”) this term unless changes are made to conform it with a more balanced approach as passed in states like Indiana, Virginia, and Texas. In today’s digital economy, it is critical that consumers have strong, uniform privacy protections and enjoy innovative products and services. SB 359 fails to meet these standards and would lead to an unworkable and anti-consumer patchwork of state laws.

 

Data privacy laws have a significant impact on small businesses. According to a recent Chamber report, Empowering Small Business, 70 percent of small businesses stated that technology platforms, such as payment apps, digital advertising, and delivery, help them compete with larger companies. Yet a majority of these entrepreneurs are concerned that a patchwork of state privacy laws will expose them to higher litigation and compliance costs, which their larger competitors are more apt to bear.[1] Consistency, uniformity, and workability are critical to ensuring small businesses are not disproportionately harmed by data protection laws.

 

Over 100 million Americans in states like Texas, Colorado, Indiana, and Virginia enjoy privacy protections under the “Consensus Privacy Approach.” This framework gives consumers the right to delete, access, and correct data as well as opt out of targeted advertising, sales, and certain automated profiling.[2] This approach strikes the right balance in empowering citizens over their privacy while fostering innovation.

 

Although the Chamber previously offered Senator Bayer, the bill’s sponsor, suggestions for harmonizing her bill with existing state laws in 2024, there remain several areas where we have identified that SB 359 still greatly differs from the Consensus Privacy Approach.

 

I. Applicability to Small Businesses

 

All states that have adopted comprehensive privacy legislation have attempted to reduce burdens on small businesses by establishing data subject number or revenue percentage thresholds a company must exceed to be considered covered entities. As discussed previously, small businesses will bear a disproportionate burden because they do not have the same compliance and legal resources as larger companies.

 

We agree with states that have adopted the Consensus State Approach, like Indiana, which have carved out small businesses that have data of fewer than 100,000 state residents or do not earn the majority of their revenue from data sales.[3] However, SB 659 does not harmonize with the Consensus State Approach because it would not exempt small businesses that derive any revenue from data sales. Given SB 659’s broad definition of data “sale,” many small businesses who are not operating as data-broker companies and sharing data for legitimate consumer-friendly purposes may lose their exemption.

 

II. Data Minimization Standard

 

The Consensus Framework approach generally allows companies to use data for what is reasonably necessary to provide a product, service, or a disclosed purpose. This contrasts with a “strictly necessary” approach in which companies may only use data to provide a good or service. A strict data minimization approach would significantly inhibit innovation as covered entities may have new societally and consumer-friendly business uses for data throughout different times of product and service development.[4] However, SB 359 would restrict the use of “sensitive data” to what is strictly necessary to provide a good or service. Such an approach may inadvertently prevent societally beneficial uses of data meant to promote inclusion, for example. Additionally, this would make it difficult for Michigan companies operating across state lines to comply with new AI regulations in states like Colorado that have a disparate impact standard.

 

III. Customer Loyalty Programs

 

Consumers overwhelmingly support loyalty programs. Although we appreciate SB 359’s attempt to preserve bona fide loyalty programs when consumers exercise their privacy rights, we are troubled by the requirement that the program “benefit to the consumer is proportional to the benefit received by the [business] in collecting personal information from the reward, feature, discount, or program.” This requirement significantly diverges from the Consensus State Approach and the business community is concerned such a subjective standard will cause retailers, restaurants, and other loyalty program offerors to scale back these programs in Michigan because of the uncertainty of how the Attorney General will interpret what is proportionate and expose companies to unnecessary liability.

 

IV. Enforcement

 

SB 359 strikes the right balance by vesting enforcement authority with the Attorney General. We also believe that to encourage collaborative compliance, privacy legislation should provide for a right to cure period that does not expire to track what other states like Virginia, Indiana, and Texas have implemented.

 

For the reasons stated above to protect privacy, encourage innovation, and prevent a state patchwork, we call on you to ensure the Senate does not take up SB 359 and instead commit to passing privacy legislation consistent with existing state laws. We look forward to working with you and the legislature on this important issue.

 

Sincerely,

Michael Blanco

Director, State and Local Policy

Chamber Technology Engagement Center

U.S. Chamber of Commerce



[1] U.S. Chamber of Commerce, “Empowering Small Business,” (September 2024) at 14, 25 available at https://www.uschamber.com/assets/documents/Impact-of-Technology-on-Small-Business-Rep

[2] Jordan Crenshaw, “What Congress Can Learn from the States on Data Privacy,” (January 2024) available at https://www.realclearpolicy.com/2024/01/30/what_congress_can_learn_from_the_states_on_data_privacy_1008521.html

[3] See Ind. Code § 24-15-1-1(a).

[4] U.S. Chamber of Commerce, “Data for Good: Promoting Safety, Health, and Inclusion,” (January 2020) available at https://americaninnovators.com/research/data-for-good-promoting-safety-health-and-inclusion/
