Last week, I traveled to Washington, DC with other senior executives from software companies to urge Members of Congress to enact a national privacy law. These meetings coincided with the one year anniversary of Europe’s new privacy law – the General Data Protection Regulation (GDPR)– and nearly a year since California enacted the California Consumer Privacy Act (CCPA). With GDPR, Europe took a significant step toward modernizing privacy and data protection rules for the digital age.  While narrower in scope than GDPR, the CCPA establishes significant privacy rules for companies doing business with California consumers. Many other states are now considering their own ambitious privacy legislation. At Autodesk, we believe all Americans deserve strong privacy protections no matter where they live and that’s why we support Congress enacting a national privacy law that raises standards throughout the country.

Our customers use our software to design and make iconic buildings, major infrastructure projects, cutting-edge manufactured products and captivating movies and video games. Data is at the center of how we help them make anything.

We are committed to protecting the privacy of the personal data our customers entrust to us and to using this data to deliver insights and value back to them— not as a product to sell to others.

• We are transparent about the personal data we collect from our customers and how we use it.
• We give our customers controls over their personal data, including the ability to access, update, delete, receive a copy of, or restrict our use of it.
• We disclose customer personal data to select third-parties to help us deliver software and services to our customers and to improve our products.
• We do not sell customer personal data, or what we know about our customers from their personal data, to advertisers or data brokers.

We also recognize that protecting customer privacy is an ongoing effort and we are committed to continually working to improve our privacy practices.

As Congress considers privacy legislation, it should build on GDPR and CCPA and address the following:

• Transparency: Provide consumers concise and understandable information about the personal data collected from them, what purposes it is used for and who it is shared with. Consumers cannot make informed choices about using products and services without this information. 
• Control: Give consumers better control over their personal data, including the ability to opt-in or opt-out of its use depending on the sensitivity of the data and to access, update, delete, receive a copy of, or restrict use of it. It also should prohibit using deceptive means, like “dark patterns,” to get consumers to consent to sharing their personal data. These practices undermine user consent and control.
• Data use: Personal data collected from consumers should only be used in ways that are compatible with the specified purposes for which it was collected. This is fundamental to earning consumer trust in providing us their data.
• Sharing personal data: Require that personal data shared with service providers and other third-parties processing the data on behalf of the party that collected it be used for limited purposes consistent with why it was originally collected and be subject to privacy and security obligations. The party determining the purposes and means of processing the data (the “data controller”) should have heightened obligations and liabilities under the law compared to the party processing the data at the controller’s direction (the “data processor”).
• Selling personal data: Mandate that consumers receive clear notice and be required to opt-in before their personal data, or profiles of them based on their personal data, is sold to data brokers or advertisers. Consumers expect personal data collected about them by a company to be used to provide value back to them. Consumers should be given control over the sale of their personal data to data brokers and advertisers that use the data for their own purposes.
• Privacy by design: Ensure that products are designed with privacy in mind from the start by requiring companies to take into account privacy risks as part of the product development process. Privacy should be integral to product development.
• Security: Establish federal standards that require organizations to maintain reasonable and appropriate security measures to safeguard the confidentiality, integrity and availability of personal data. This is critical because strong security practices enable the protection of consumer privacy.
• Enforcement: Provide the Federal Trade Commission with new rulemaking authority, resources and broader ability to levy civil penalties for privacy violations. It’s also essential that state attorneys general and other state consumer protection officials be granted authority to enforce a national privacy law to safeguard the privacy of their state residents.
• National standards: Ensure all Americans have the same strong privacy protections. We believe a national privacy law is preferable to a patchwork of different state laws. It will avoid conflicts between state laws that could increase compliance burdens, confuse consumers and create weaker levels of protection for some consumers based on where they live.

I and others at Autodesk are committed to working with Congress and the Administration to enact strong, consumer-focused privacy legislation that establishes strong national rules and standards for every American.