Congress Takes up the Consumer Privacy Debate in Hearings Double-Header
The debate regarding federal privacy legislation took a big step forward this week as Congress held a double-header of consumer privacy hearings. The House Energy & Commerce Subcommittee on Consumer Protection & Commerce was first up with a hearing on “Protecting Consumer Privacy in the Era of Big Data”. The following day the Senate Commerce Committee, which has multiple Members who have introduced or are drafting privacy legislation, discussed “Policy Principles for a Federal Data Privacy Framework in the United States”. At these hearings, Members of Congress heard testimony from witnesses representing industry groups, civil society, and academia. Participants engaged in far-reaching and substantial discussions over the rights, responsibilities, and enforcement mechanisms that should characterize the federal framework for protecting consumer privacy.
As DisCo has previously noted, there are several areas of consensus between the different privacy frameworks and legislative proposals that have been advanced thus far. Several important issues in the consumer privacy debate received serious attention during these hearings:
(1) Values at Issue
During both hearings, Members and witnesses repeatedly highlighted the importance of consumer privacy and the need for strong and consistent protections of personal information throughout the digital economy. The discussion over the importance of privacy also touched on first principles. House Energy & Commerce Ranking Member Greg Walden recognized that one challenge of the consumer privacy debate is that “privacy means different things to different people.” At the Senate Commerce hearing, Professor Hartzog of the Northeastern University School of Law emphasized that the concept of privacy should extend beyond control over personal information to include values such as individual autonomy, dignity, obscurity and relationships of trust.
Members and witnesses also recognized that the goals of federal legislation should not be limited to promoting privacy rights. Instead, there were repeated calls for legislation that balances intersecting values implicated by the collection and use of personal information. Values mentioned during the hearings included: civil rights and nondiscrimination; protecting vulnerable individuals; promoting investment and competition while minimizing burdens on small businesses; fostering innovation in digital services; and maintaining information security.
Witnesses agreed that consumers should have the right to know the categories of information that an organization collects, how that information is used, and how it is shared. Michael Beckerman of the Internet Association emphasized that when it comes to organizations’ data use, there should be “no surprises.” Members such as Senator Thune and Congressman O’Halleran asked questions about how a federal approach can promote simplifying privacy notices for consumers of all levels of technical knowledge.
However, several Members and witnesses also noted that transparency mechanisms are not always effective, and transparency alone is not a panacea for protecting privacy.
Professor Hartzog pointed to what he called a “transparency trap,” arguing that you can be transparent through general abstractions or by “dump[ing] the entire volume of data practices on people,” neither of which may fully inform users. Senator Schatz also addressed the limits of transparency, pointing out that “in an IoT universe” characterized by billions of connected devices and sensors, “it’s just not practicable to expect that people are actually in control of all the dials that have to do with the Internet.”
(3) Consumer Controls
Members and witnesses consistently supported consumer rights to request access, correction, and deletion of personal information that they have provided to an organization. Brandi Collins-Dexter, Senior Campaign Director of the Color of Change, emphasized the importance of these tools by pointing out that the risks to individuals that can result from inaccurate data disproportionately fall on low-income communities and people of color. The right of data portability — allowing users to obtain a machine-readable copy of data that they have provided to an organization for use with a different organization or service — received less attention during these hearings, but was explicitly supported during Chairman Wicker’s majority statement in the Senate Commerce hearing.
Witnesses also seemed to find broad agreement over the need to establish consumer rights to object to or opt out of certain data uses. Victoria Espinel of BSA supported empowering consumers to “say no to data being used in ways that they don’t want” and endorsed requiring companies to obtain specific consent before using certain particularly sensitive categories of information. Dave Grimaldi of the Interactive Advertising Bureau (IAB) raised concerns about a one-size-fits-all opt-out system across the digital economy, noting the “massive disruption” this would cause to companies of all sizes.
Members and witnesses also agreed that the Federal Trade Commission (FTC) should be the primary enforcer of a new federal consumer privacy framework. In addition, there was apparent consensus that the authority and resources of the FTC should be augmented to enforce privacy laws and deter privacy abuses. In the Senate Hearing, witnesses from industry all agreed that federal privacy legislation should enable the FTC to levy civil penalties against first-time privacy violators, provide additional resources and staffing to the agency, and grant tailored rulemaking authority to the agency, subject to certain guardrails.
Multiple witnesses also cited the rulemaking and enforcement framework of the Children’s Online Privacy Protection Act, which provides for supplemental enforcement by State Attorneys General, as a viable model for baseline consumer privacy legislation. Senator Moran endorsed an approach that would establish “clear and measurable requirements in statutory text” paired with “appropriate flexibility in narrow rulemaking authority,” emphasizing that this would enable the FTC to respond to changing technology in protecting privacy.
As many commenters expected, the extent to which a federal privacy framework should override overlapping state laws emerged as a key sticking point in the debate and largely split along ideological lines. Republicans such as Consumer Protection & Commerce Ranking Member McMorris Rodgers emphasized that as “the Internet knows no borders… setting one national standard makes common sense and is the right approach to give people certainty.” She was echoed by Ranking Member Greg Walden, who emphasized the Internet’s fundamental role in interstate commerce and argued that while “there are many policy areas where it makes sense for states to innovate… your privacy and security should not depend on where you live in the United States.” Witnesses representing industry shared this view; for example, Randall Rothenberg of the IAB stressed that preemption of state rules would provide for “consistency over chaos.”
Generally speaking, Democrats seemed more skeptical of preemption and appeared inclined to believe that the issue should be addressed following the establishment of consensus on strong baseline privacy rules. In the Senate hearing, Ranking Member Cantwell expressed concern that “the first thing people in DC want to organize is a preemption effort” in the consumer privacy debate. Professor Hartzog noted that there are “virtues to consistency,” but also pointed out that the United States has a history of dealing with 50-state patchworks in areas such as breach notification. Later, Senator Blumenthal drilled down on the relationship between the California Consumer Protection Act (CCPA) and the issue of preemption, asking industry witnesses whether the rights established by the CCPA should serve as a floor to a national privacy law. This question elicited responses that federal legislation should “go beyond California,” be “stronger and better” than California, and offer “more meaningful protection” of privacy interests.
(6) Beyond the ‘Notice and Consent’ Framework
Though the FTC has backstop authority to curb abusive privacy practices by virtue of its powers to police unfair and deceptive acts and practices in commerce, the traditional U.S. privacy framework is often characterized as a “notice and consent” regime. Organizations disclose their data collection and use practices in privacy notices, and consumers consent to these practices either through a check-box or by using the service. Several members and witnesses floated proposals for ways to move beyond this system to augment consumers’ privacy protections. For example, House Energy & Commerce Chairman Pallone spoke about the need for “legislation that shifts the burden off consumers and puts reasonable responsibility on those profiting from the collection and use of our data.”
This point was emphatically made by Nuala O’Connor of the Center for Democracy and Technology, who stated that “notice and choice are no longer a choice.” O’Connor supported the enactment of legislation that would “define digital rights,” prohibit the repurposing of sensitive data, and prevent data-driven discrimination. In the Senate hearing, IAB’s Rothenberg called for a “new paradigm for data privacy,” characterized by “clear prohibitions on a range of specifically identified harmful and unreasonable data collection and use practices.”