An overly inclusive trigger would cause consumers to be burdened with unnecessary notifications,” the Direct Marketing Association, American Association of Advertising Agencies, Association of National Advertisers, Interactive Advertising Bureau, Online Publishers Association and 11 other organizations say in a letter to lawmakers.
The groups are asking Congress to avoid crafting a broad definition of “sensitive personally identifiable information.” The ad organizations specifically say that the type of information that's available in phone directories should be excluded from any definition of sensitive PII. “A balanced bill would also exclude public records and information derived from public records from its scope,” the groups write.
Forty-seven states already have laws requiring companies to notify consumers after a data breach. But the DMA and other organizations say that the hodgepodge of laws “frustrate efficient and uniform breach notification to consumers.”
The trade associations also say that any new law should prohibit consumers from suing privately.
The DMA has long supported a national data breach law, while also vocally opposing laws that would impose new obligations on data brokers.
The group has argued in the past that Congress should concern itself with practices that could leave consumers open to fraud, and not those that pose more intangible privacy concerns.
The OTA has long advocated for strong federal breach legislation and protect companies that adopt industry best practices to secure their data. In the absence of such safeguards they should not be afforded any protection from State enforcement or private lawsuits. More at https://otalliance.org include the related Senate Testimony.
As stated by many of these trade orgs the goal is to limit liability of data driven marketers who fail to be data stewards.