NAA and NMHC Joint Letter on "The Need to Protect Americans' Privacy and AI Accelerant" Hearing
NAA and NMHC write a joint letter to the U.S. Senate Committee on Commerce, Science, and Transportation on the "The Need to Protect Americans' Privacy and AI Accelerant" hearing.
July 11, 2024
The Honorable Maria Cantwell
Chair
U.S. Senate Committee on Commerce, Science, and Transportation
511 Hart Senate Office Building
Washington, DC 20510
The Honorable Ted Cruz
Ranking Member
U.S. Senate Committee on Commerce, Science, and Transportation
167 Russell Senate Office Building
Washington, DC 20510
Dear Chair Cantwell and Ranking Member Cruz:
On behalf of the members of the National Multifamily Housing Council (NMHC) and the National Apartment Association (NAA) [1], we appreciate your leadership in exploring the intersection of data privacy and Artificial Intelligence (AI) in the hearing entitled, “The Need to Protect Americans’ Privacy and the AI Accelerant.” Furthermore, we appreciate the continued leadership of the Committee in seeking out bipartisan solutions to establish a long-overdue federal data privacy standard that protects consumers and American businesses, including rental housing firms.
Rental housing providers use emerging technologies, like AI, to reshape business operations, improve housing affordability and benefit millions of American renters. Today, AI and related technologies in rental housing have led to significant gains in meeting resident expectation and demand. Applications of this technology continue to grow rapidly but, to date, include virtual touring, enhanced resident screening and leasing, home automation, predictive maintenance, and even improved property level climate resilience. These tools offer benefits to housing providers and residents alike, driving modernization of historic practices forward and maximizing operational efficiency and improving housing outcomes. Yet, despite the promise of AI and related technologies, the cyber risk landscape cannot be ignored given that AI is also being deployed in the form of more advanced attacks from cybercriminals on businesses of all types.
Rental housing owners and operators, and their service providers, rely heavily on highly sensitive, personal data about apartment applicants, residents and employees to run their day-to-day business. Given the sensitivity of the information that rental housing operators rely on and the ever-expanding cyber threat landscape we face, our industry has placed a high priority on strengthening defenses against vulnerabilities and protecting sensitive data and consumer privacy. In fact, rental housing firms are dedicating tremendous resources to this cause.
To effectively regulate AI and emerging technologies used by the rental housing industry and beyond, NMHC and NAA strongly believe that it is necessary to first establish a federal data privacy standard. We are encouraged by the effort Chair Cantwell and this Committee have made towards this goal, including the introduction of the American Privacy Rights Act (APRA). However, NMHC and NAA also want to share our perspective and raise certain areas of concern regarding APRA and similar efforts.
- Federal Preemption: NMHC and NAA believe a clear federal preemption is essential to provide clarity for rental housing firms. The current patchwork of state laws creates a significant compliance burden for rental housing firms and leaves consumers vulnerable to myriads of mistakes and unintended consequences. This is particularly true given the constantly evolving nature of state data privacy and security laws. While we support the efforts made by Chair Cantwell and Representative McMorris Rodgers, as currently drafted, APRA does not include a uniform national privacy standard. A clear and full preemption of state law is an essential component of any meaningful federal privacy legislative effort, otherwise compliance with a continued patchwork of data privacy laws will continue to create significant compliance challenges. For this reason, NMHC and NAA support the inclusion of a stronger federal preemption in APRA.
- Private Right of Action: In addition to expanding FTC enforcement authority and allowing state attorneys general and state privacy authorities to bring civil actions on privacy matters, APRA creates a private right of action that would allow consumers the right to sue companies for a privacy breach. While well-intended, as drafted, this provision opens the door to costly litigation that could negatively impact housing operations and ultimately housing affordability, even when the rental housing owner or operator has done everything possible to secure the privacy and data of its residents. NMHC and NAA urge that the Committee exclude the private right of action provision in federal privacy legislation.
- Private Right of Action: In addition to expanding FTC enforcement authority and allowing state attorneys general and state privacy authorities to bring civil actions on privacy matters, APRA creates a private right of action that would allow consumers the right to sue companies for a privacy breach. While well-intended, as drafted, this provision opens the door to costly litigation that could negatively impact housing operations and ultimately housing affordability, even when the rental housing owner or operator has done everything possible to secure the privacy and data of its residents. NMHC and NAA urge that the Committee exclude the private right of action provision in federal privacy legislation.
- Flexible and Scalable National Standard: Importantly, APRA recognizes the need to take into consideration the data collected and the size of the company upon enforcement. NMHC and NAA urge the Committee to ensure that any enforcement regime established under a federal privacy standard provides adequate flexibility and scalability for firms of all sizes and accounts for the sensitivity of the data in question.
- The Ability to Continue to Perform Essential Business Functions: APRA encourages data collection minimization and rightfully acknowledges that entities may have an essential business need to utilize consumer data. Rental housing firms must maintain the right to collect, use and retain sensitive information necessary for business operations. This is particularly important to ensure the safety and security of renters and employees through prospective resident screening while also ensuring compliance with regulatory requirements such as reporting under the Fair Housing Act. NMHC and NAA support APRAs preservation of this important business function and urge the full Committee to support its inclusion.
- Reasonable Time Frame to Respond to Consumers: APRA directs the Federal Trade Commission (FTC) to promulgate regulations for compliance by covered entities. Given the complexities of verifying any privacy or protection request and responding accurately, rental housing firms need sufficient time to carry out any request, including the option for an extension if necessary. NMHC and NAA encourage the committee to prevent the FTC and other regulators from implementing overly burdensome, and costly compliance requirements.
- Third Party/Assignment of Financial and Legal Liability: NMHC and NAA appreciate that APRA establishes the need to differentiate between a covered entity, their service provider or a third-party data collector. NMHC and NAA support a clear assignment of financial and legal liability to the entity that actually suffered the data breach or caused the consumer privacy violation, particularly in the case of third-party breaches or security incidents. While NMHC and NAA encourage rental housing operators to ensure that service provider contracts include strong and specific language governing data security, incident response and breach notification this is not always feasible. Lack of statutory clarity on these subjects opens the door to skyrocketing breach insurance, compliance, and litigation costs, and we urge the Committee to ensure that APRA is clear on this point to promote positive pro-consumer outcomes.
- Preserving Innovation: As policymakers seek to determine how to best regulate AI and other emerging technologies, they should be cautious not to stifle innovation or inhibit the development of tech-driven, pro-consumer solutions. That said, it is also imperative for Congress to protect consumers, businesses, and national security from the threat growing threat of cybercrime. The most effective way to achieve both of these goals is through focusing on the development of a robust, flexible, and scalable federal data security and privacy standard.
We thank you for the opportunity to present the views of the rental housing industry as you continue deliberations on the regulation of AI and the importance of federal privacy and data security standards. NMHC and NAA hope to continue working with Congress to ensure that data security and privacy legislation recognizes the unique nature and needs of the rental housing industry while ensuring the data that our members collect, use, and maintain is secure.
Sincerely,
Sharon Wilson Géno
President
National Multifamily Housing Council
Robert Pinnegar
President & CEO
National Apartment Association
[1] For more than 25 years, the National Multifamily Housing Council (NMHC) and the National Apartment Association (NAA) have partnered to provide a single voice for America's apartment industry. Our combined memberships are engaged in all aspects of the apartment industry, including ownership, development, management, finance, and suppliers partners/service providers. NMHC represents the principal officers of over 1,500 firms that own, develop, manage, and finance apartments. As a federation of more than 145 state and local affiliates, NAA encompasses over 95,000 members, 141 affiliates, and more than 11.6 million apartment homes globally. The apartment industry today plays a critical role in housing this na- tion's households by providing apartment homes to 40.1 million residents, contributing $3.4 trillion an- nually to the economy while supporting 17.5 million jobs.