The U.S. Senate Committee on Commerce, Science, and Transportation took its latest privacy steps with a July 11 hearing, “The Need to Protect Americans’ Privacy and the AI Accelerant.” Morgan Reed, president of ACT | The App Association, testified alongside Dr. Ryan Calo, professor at the University of Washington School of Law and co-director of UW Tech Policy Lab; Amba Kak, co-executive director of the AI Now Institute; and Udbhav Tiwari, director of global product policy at Mozilla. The witnesses discussed a variety of issues related to privacy and AI, with Morgan explaining how policymakers should approach both to best support small businesses and foster innovation in the United States.

What set Morgan’s testimony apart from the others is that he insisted on small businesses being included in a federal privacy framework—not carved out. Notably, Committee Chair Maria Cantwell backs a draft bill, the American Privacy Rights Act (APRA). As it stands, APRA carves small businesses out of the definition of entities subject to the bill’s requirements. Morgan noted that this structural exclusion of small businesses calls into question whether they would benefit from the bill’s preemption provision. Although it may seem surprising at first that small businesses do not want to be completely exempt from a strong privacy framework, they have long sought a federal law that could help them both improve their prospects in the market and their ability to comply with privacy requirements. Without a federal framework, businesses must contend with 19 existing state privacy laws as well as the potential for future legislation from the remaining 31 states. To demonstrate the need for a preemption provision, Morgan offered the example of a small business in Kansas that has customers from Nebraska, Texas, Colorado, and more. Under a patchwork of state laws, this Kansas small business would have to follow differing requirements for protecting its customers’ data, which increases compliance costs and makes privacy protection more difficult. Enacting a federal framework that preempts state laws will simplify regulatory compliance, allowing businesses to focus more on their customers and less on navigating a complex legal landscape.

Senators then asked the witnesses about the state of competition in generative AI services markets. In response to Senator Ted Budd’s (R-NC) questions on the topic, Morgan explained how competition within the industry is thriving thanks to the innovative ways small businesses are integrating AI into their operations. Further, Morgan clarified how the Federal Trade Commission’s (FTC) proposed rule on Hart-Scott-Rodino would hurt small businesses by placing unnecessary new burdens, uncertainty, and costs on acquisitions and dissuading venture capitalists from investing in small businesses.

Witnesses also discussed the inclusion of a private right of action (PRA) in APRA. APRA currently contains a PRA that allows individuals to sue companies subject to the bill’s jurisdiction for certain violations. However, the PRA can also enable opportunistic litigation based on meritless claims that many small businesses cannot afford to fight. As Morgan noted, most small businesses have just enough money to pay individuals who sue under a PRA (via a settlement out of court) but not enough to fight them. A PRA is likely unnecessary in a federal privacy bill. However, if it must be a feature of a federal framework, it should be narrowly tailored and include safeguards to ensure it serves the purpose of giving consumers redress while avoiding abusive sue-and-settle business models that target small companies.

Some policymakers have advocated for the creation of a federal agency to regulate new technologies, including AI. However, Morgan argued that policymakers should empower existing federal agencies to address the risks posed by AI according to its various uses instead of creating a new agency focused on the technology itself. He specifically noted that hiring for a new agency would be difficult, especially as AI continues to develop. Current agencies, such as the FTC, already have the expertise to effectively regulate AI, protect consumers from harm, promote innovation, and bolster U.S. global competitiveness in technology.

Finally, senators and witnesses also discussed the many benefits of AI, especially for small businesses. As Morgan explained, small businesses, which often innovate at a rate faster than their larger counterparts, can use AI to replace laborious tasks. For example, small business owners can use AI to scan and track inventory, optimize business operations, and enable them to spend time on more pressing work.

In Conclusion

Morgan’s testimony built upon the four central pillars of the App Association’s federal privacy priorities and he returned to these themes several times throughout the hearing:

    1. Preemption: A federal privacy framework should include a preemption provision that covers related state laws so that small businesses do not have to contend with a patchwork of different privacy laws.
    2. Protection Against Unauthorized Access: A federal privacy framework should include data security provisions addressing how businesses should prevent unauthorized access to consumer data.
    3. Path to Compliance: Instead of carving small businesses out of a federal privacy framework, policymakers should offer them a path to compliance that helps them come into compliance with the new law while easing associated burdens.
    4. Private Right of Action Limitations: If policymakers include a private right of action in a federal privacy framework, they should ensure that it contains strict limitations and safeguards to protect small businesses from opportunistic litigation.