Senate Commerce Committee Hears Consumer Perspectives on Privacy Legislation
On Wednesday, the Senate Commerce Committee held its second full committee hearing of the year on consumer privacy. The witness panel featured representatives of civil society and was organized to “examine consumers’ expectations for data privacy in the Digital Age” and to discuss the “data privacy rights, controls, and protections” that should embody a new federal framework on data privacy.
The recent implementation of Europe’s General Data Protection Regulation (GDPR) and passage of the California Consumer Privacy Act (CCPA) have driven bipartisan calls and proposals from lawmakers, industry groups, and civil society for the establishment of a US federal baseline privacy framework. Proponents of federal privacy legislation aim to set consistent consumer rights and data controller obligations for the responsible treatment of personal information throughout the economy. The Senate Commerce Committee has emerged as the locus of this legislative effort by virtue of the Committee’s jurisdiction over the Federal Trade Commission (FTC), the primary enforcement agency charged with protecting consumer privacy.
Multiple bills to establish economy-wide data privacy standards have been introduced by Commerce Committee members, including Senator Blackburn’s “BROWSER Act,” Senator Cortez Masto’s “DATA Privacy Act,” Senator Markey’s “Privacy Bill of Rights Act,” and Senator Schatz’s “Data Care Act.” While none of these bills has yet been taken up by the Committee, they have introduced new ideas into the consumer privacy debate and signaled likely areas of consensus and contention in the legislative efforts ahead.
The Committee also features a bipartisan working group that has been meeting since late 2018 to develop consumer privacy legislation. This informal group originally consisted of Senators Blumenthal, Moran, Schatz, and Chairman Wicker. Recently the group expanded to include Senator Thune and to collaborate with Ranking Member Cantwell. The group hopes to have legislation ready for introduction by late May; however, key roadblocks remain on several critical issues as discussed below.
In February, the Commerce Committee held a hearing on “Policy Principles for a Federal Privacy Framework” that consisted primarily of industry representatives. These witnesses broadly agreed that federal privacy legislation should establish core consumer controls including rights of access, correction, and deletion of personal information and the need for an empowered FTC to carry out enforcement in conjunction with state Attorneys General. The hearing also surfaced tension between some Republican and Democrat lawmakers over whether and under what circumstances a federal privacy law should preempt similar legislation at the state level (for DisCo’s full hearing recap see here). February’s hearing also provoked criticism from privacy-oriented civil society and consumer rights groups who objected to the lack of any consumer advocates on the witness panel. Thus, Wednesday’s hearing provided an important opportunity for these stakeholders to emphasize their perspectives and legislative priorities for consumer privacy legislation to Committee members.
Over the course of Wednesday’s 2-hour hearing, the Committee received testimony from:
- Helen Dixon, Republic of Ireland Data Protection Commissioner
- Neema Singh Guliani, Senior Legislative Counsel at the ACLU
- Jules Polonetsky, CEO of the Future of Privacy Forum
- Jim Steyer, CEO of Common Sense Media
Commissioner Dixon described the values and principles underpinning the GDPR as well as the individual rights, controller obligations, and enforcement provisions that characterize Europe’s approach to data protection. She also shared that the Irish Data Protection Commission currently has 51 ‘large-scale’ investigations of alleged GDPR violations underway, 17 of which relate to large tech platforms. Dixon expects the first set of investigations opened following the implementation of the GDPR in May 2018 will be concluded over the summer of 2019. Finally, Dixon discussed how the clarity and consistency of the GDPR’s privacy standards will evolve over the coming years through features such as the approval of codes of conduct prepared by various industry sectors and the precedential value of enforcement actions taken by the Data Protection Commission.
Mr. Polonetsky contended that federal privacy law should have strong protections matching and exceeding those in the CCPA, including principles absent from the California law such as compatible use requirements and special restrictions on sensitive data. Polonetsky undertook a detailed examination of two difficult features of any privacy law: covered information and preemption. He posited that a nuanced law should apply different levels of rights and restrictions scaled to different categories of information, such as identified data, identifiable data, pseudonymous data, and de-identified data. He further argued that preemption should not be conceived of as a binary choice; instead, a federal privacy law should preserve state Unfair and Deceptive Acts and Practices Laws, preempt generally applicable laws such as the CCPA, and take a deliberative approach to sector-specific laws. Finally, Polonetsky asserted that a federal law should encourage legitimate, socially beneficial research and incentivize internal accountability mechanisms as well as the use of privacy enhancing technologies (PETs).
Mr. Steyer cited his experience in the CCPA legislative process to emphasize that consumer privacy should be a “totally bipartisan issue.” He further argued that children and teens are particularly vulnerable in the online space and deserve special legal protections, such as the CCPA’s establishment of distinct rights for children aged 13 to 16, beyond those that exist at the federal level under the Children’s Online Privacy Protection Act (COPPA). He also stressed that an ongoing public education and awareness campaign will need to accompany a new federal privacy law in order to explain to the public how to exercise their privacy rights.
Ms. Guliani highlighted four areas of concern for federal privacy legislation. First, she expressed deep skepticism about the preemption of state laws, which could be a “bad deal for consumers.” Guliani noted that states can be more proactive and nimble at responding to rapid changes in technology than Congress and that many federal laws, such as HIPAA, act as floors for consumer protection instead of ceilings. She also suggested that concerns over divergent state privacy requirements could be resolved through a “narrow and clear conflict-preemption provision” in a federal privacy law. Second, Guliani supported a private right of action, arguing that gaps in federal enforcement will exist even if the size of the FTC were dramatically expanded. Third, Guliani raised discriminatory data practices, calling for federal law to be strengthened to prevent advertisers from offering different prices, services, and opportunities to individuals based on protected characteristics. Finally, Guliani called for federal privacy legislation to set guardrails on the collection, storage, and use of data, and for the elimination of ‘pay-for-privacy’ schemes.
Reading the Tea Leaves
Sixteen Senators took the opportunity to question the witnesses, including every member of the Committee’s privacy working group. This provided an opportunity to gauge the priorities of key lawmakers on critical aspects of consumer privacy legislation.
Senator Thune asked about the use of industry codes of conduct under the GDPR and whether these mechanisms enhance compliance with the law. He also raised questions about federal preemption and what specifically witnesses mean in supporting a federal regime “as strong as” the California CCPA. Senator Moran, who previously chaired a Subcommittee hearing on the impact of privacy legislation on small businesses, was interested in whether companies are increasingly competing on privacy attributes and services. He also asked how federal law could find a sweet spot in providing “clear and measurable requirements in statutory text” while enabling flexibility for responding to technological developments through “narrow and specific rulemaking authority.”
Democrats on the Committee’s working group emphasized different features of privacy legislation in their statements and questions. Ranking Member Cantwell called for data security to be a “part of the solution,” raising concerns about emerging threats such as compromised IoT botnets and supply chain vulnerabilities. Senator Schatz expressed his belief that transparency and control mechanisms will not be sufficient in an “IoT universe” and asked whether federal law could be future-proofed and backed up through an underlying principle that “you may not harm people with the data you collect.” Finally, Senator Blumenthal highlighted what he saw as a “real danger” of federal privacy legislation undermining state protections. He expressed concern that some criticism of the CCPA “smacks of opposition” to the substance of the law’s protections, but recognized that businesses legitimately seek “common definitions and consistent rules” in privacy protection and management.
The Senate Commerce Committee’s consumer privacy hearings have revealed broad agreement among lawmakers of both parties, industry, and civil society on core consumer rights and the need for an empowered FTC to protect privacy in the digital age. However, it is less clear where consensus will emerge on the types of accountability mechanisms and obligations that will fall on controllers (and processors) of personal information. Open questions also remain, such as whether data security obligations will be included in a federal privacy law. Other complex issues such as the definition of covered information and scope of preemption will require carefully crafted legislation in order to protect data privacy and provide consistent expectations for consumers and covered organizations. While significant work remains to be done, proponents of federal privacy legislation should be encouraged by the Commerce Committee’s progress and the detail-oriented approach demonstrated in Wednesday’s hearing.
The House Energy & Commerce Committee will be the next to take up consumer privacy with an FTC oversight hearing on “Strengthening Protections for Americans’ Privacy and Data Security” scheduled for May 8. DisCo will continue to follow the federal privacy debate as congressional hearings occur, federal agencies take action, and new legislation is introduced.