NAA and NMHC Joint Letter on Data Privacy Standards

Dear Chair McMorris Rodgers and Ranking Member Pallone:

On behalf of the members of the National Multifamily Housing Council (NMHC) and the National Apartment Association (NAA)[1] , we applaud the bipartisan, bicameral work done to establish a long-overdue federal data privacy standard that protects consumers and American businesses, including apartment firms. As the House Energy and Commerce Committee holds a markup of the American Privacy Rights Act (APRA), NMHC and NAA wish to thank you for the bipartisan leadership on these critical issues. We also write to express support for the underlying effort while needing to raise several areas of significant concern for the rental housing industry.

Rental housing owners and operators, and their service providers, rely heavily on highly sensitive, personal data about apartment applicants, residents and employees to run their day-to-day business. Therefore, they are actively engaged in these issues. Given the sensitivity of the information that apartment operators rely on and the ever-expanding cyber threat landscape we face, our industry has placed a high priority on strengthening defenses against vulnerabilities and protecting sensitive data and consumer privacy. In fact, apartment firms are dedicating tremendous resources to this cause.

As the Committee discusses the need for a national privacy standard and the ways in which the APRA would better protect consumers, NMHC and NAA want to share our perspective and raise several areas of concern.

• Federal Preemption: APRA outlines a federal preemption for most existing state data privacy and security laws. NMHC and NAA believe a clear federal preemption is essential to provide clarity for rental housing firms. The current patchwork of state laws creates a significant compliance burden for apartment firms and leaves consumers vulnerable to myriads of mistakes and unintended consequences. This is particularly true given the constantly evolving nature of state data privacy and security laws. As currently drafted, APRA does not include a uniform national privacy standard. A clear and full preemption of state law is an essential component of any meaningful federal privacy legislative effort, otherwise compliance with a continued patchwork of data privacy laws will continue to create significant compliance challenges. For this reason, NMHC and NAA support the inclusion of a stronger federal preemption in APRA.
• Private Right of Action: In addition to expanding FTC enforcement authority and allowing state attorneys general and state privacy authorities to bring civil actions on privacy matters, APRA creates a private right of action that would allow consumers the right to sue companies for a privacy breach. While well-intended, as drafted, this provision opens the door to costly litigation that could negatively impact housing operations and ultimately housing affordability, even when the rental housing owner or operator has done everything possible to secure the privacy and data of its residents. NMHC and NAA urge that the Committee remove the private right of action provision in APRA.
• Flexible and Scalable National Standard: Importantly, APRA recognizes the need to take into consideration the data collected and the size of the company upon enforcement. NMHC and NAA urge the Committee to ensure that any enforcement regime established under APRA provides adequate flexibility and scalability for firms of all sizes and accounts for the sensitivity of the data in question.
• The Ability to Continue to Perform Essential Business Functions: APRA encourages data collection minimization and rightfully acknowledges that entities may have an essential business need to utilize consumer data. Rental housing firms must maintain the right to collect, use and retain sensitive information necessary for business operations. This is particularly important to ensure the safety and security of apartment residents and employees through prospective resident screening while also ensuring compliance with regulatory requirements such as reporting under the Fair Housing Act. NMHC and NAA support APRAs preservation of this important business function and urge the full Committee to support its inclusion.
• Reasonable Time Frame to Respond to Consumers: APRA directs the Federal Trade Commission (FTC) to promulgate regulations for compliance by covered entities. Given the complexities of verifying any privacy or protection request and responding accurately, rental housing firms need sufficient time to carry out any request, including the option for an extension if necessary. NMHC and NAA encourage the committee to prevent the FTC and other regulators from implementing overly burdensome, and costly compliance requirements.
• Third Party/Assignment of Financial and Legal Liability: NMHC and NAA appreciate that APRA establishes the need to differentiate between a covered entity, their service provider or a third-party data collector. NMHC and NAA support a clear assignment of financial and legal liability to the entity that actually suffered the data breach or caused the consumer privacy violation, particularly in the case of third-party breaches or security incidents. While NMHC and NAA encourage rental housing operators to ensure that service provider contracts include strong and specific language governing data security, incident response and breach notification this is not always feasible. Lack of statutory clarity on these subjects opens the door to skyrocketing breach insurance, compliance, and litigation costs, and we urge the Committee to ensure that APRA is clear on this point to promote positive pro-consumer outcomes.

We thank you for the opportunity to present the views of the rental housing industry as you continue deliberations to enhance consumer privacy and data security standards. NMHC and NAA stand ready to work with Congress to create a federal data privacy and protection standard that recognizes the unique nature and needs of the apartment industry while ensuring the data that our members collect, use and maintain is secure.

Sincerely,

[1] 1 For more than 25 years, the National Multifamily Housing Council (NMHC) and the National Apartment Association (NAA) have partnered to provide a single voice for America's apartment industry. Our combined memberships are engaged in all aspects of the apartment industry, including ownership, development, management, finance and suppliers partners/service providers. NMHC represents the principal officers of over 1,500 firms that own, develop, manage and finance apartments. As a federation of more than 145 state and local affiliates, NAA encompasses over 95,000 members, 141 affiliates, and more than 11.6 million apartment homes globally. The apartment industry today plays a critical role in housing this nation's households by providing apartment homes to 40.1 million residents, contributing $3.4 trillion annually to the economy while supporting 17.5 million jobs.

View this letter as a PDF