The U.S. Chamber of Commerce last week gathered a diverse, bipartisan group of policymakers, regulators, industry representatives and thought leaders to discuss all things data privacy at #DataDoneRight, its 2019 privacy summit. Topics included the California Consumer Privacy Act, the possibility of federal privacy legislation and working with privacy regulators, and the summit featured a fireside chat with Georgia Attorney General Chris Carr. In addition to talking about privacy issues at the state level, AG Carr touched on a variety of other subjects, including how to work effectively with AGs.

On the privacy front, AG Carr emphasized how important it is for business and industry to have a seat at the table when legislation and regulations are being created. He discussed his office’s outreach to the business community and his approach to training and education of the business community on data privacy laws and best practices. He praised the “carrot” approach to incentivize businesses by providing legislative safe harbors when businesses take appropriate measures to protect personal information but are nevertheless subject to a data security incident, citing last year’s legislation in Ohio as a good example of this approach. He also discussed the possible inclusion in federal legislation of a private right of action, making it clear that he did not believe that it was advisable to farm out the consumer protection role of AGs and federal regulatory authorities like the FTC. Further, he indicated that lawmakers should ensure that any federal legislation does not stifle innovation and entrench incumbents who are already well equipped to comply.

On working with his office and his counterparts in other states, AG Carr made it clear that it is far better for companies to establish relationships with AGs before a crisis than when the company is trying to settle an investigation or resolve other issues of concern to the AG. He emphasized his obligations to all of his constituents, including firms doing business in his state, but stressed that a fair application of the law can occur only when AGs understand specific companies and what they do.

Based on AG Carr’s remarks, privacy remains on his mind and on the minds of his fellow AGs. As he made clear, any company that has any role in the privacy ecosystem – and in today’s connected world that includes just about every company – should have a strategy for working with AGs. Companies should not wait until AGs come knocking, but rather should be developing positive relationships today. As AG Carr indicated, “if you’re not at the table, you’re on the menu.” Don’t be on the menu.