Members of the Senate Commerce, Science, and Transportation Committee today criticized industry entities during a hearing on the need for a strong federal privacy framework, noting that their sectors have made it difficult to pass legislation in the past. The industry witnesses said their organizations support privacy legislation.
“The reason all the states are doing all this [introducing privacy legislation] is that we have done nothing here, and part of it is because the companies that you represent have been lobbying against legislation like this for years,” complained Sen. Amy Klobuchar (D., Minn.), who has introduced the Social Media Privacy and Consumer Rights Act (S 189) with Sen. John Kennedy (R., La.) (TR Daily, Jan. 18).
Ms. Klobuchar noted that her bill would require companies to report data breaches within 72 hours. She asked Michael Beckerman, president and chief executive officer of the Internet Association, to opine on the provision. He said that timely notification was important but that a 72-hour deadline could result in interference to an ongoing law enforcement investigation.
Sen. Marsha Blackburn (R., Tenn.) noted that she and other lawmakers worked on privacy issues when they were in the House.
“Big Tech has made a whole lot of money by exploiting the use of this data. And it’s one of the reasons that we have to come together,” she said. “You’ve spent a lot of money fighting this, and that goes back to 2013, when we started all of this,” the senator told industry witnesses.
She asked witnesses whether industry planned to provide more or less privacy protections to consumers.
“Consumers deserve more,” Mr. Beckerman replied, saying that IA supports privacy legislation governing both online and offline activities.
“We’re not seeing the action in the protections that are embedded in these processes,” Ms. Blackburn replied.
Mr. Beckerman said that his members are offering new tools that, among other things, enable the deletion of accounts and consumer data.
Ms. Blackburn asked how important building and maintaining consumer trust is to IA’s members.
“Trust is No. 1,” Mr. Beckerman replied.
“They don’t trust you now,” Sen. Blackburn said.
“The depth and breadth of data collection is like a vast galaxy out there unknown to most consumers. And I want to urge you to, in effect, put your money where your mouth is,” said Sen. Richard Blumenthal (D., Conn.). “We all know that industries involved here have a record of looking the other way or ignoring their obligations.”
He asked witnesses if Americans deserve at least the same level of privacy as a California privacy law provides.
The witnesses said the federal legislation should be stronger than the California law; the industry witnesses criticized that law during the hearing. In addition to Mr. Beckerman, the industry witnesses were Jon Leibowitz, co-chairman of the 21st Century Privacy Coalition, which represents major communications companies; Victoria Espinel, president and CEO of BSA-The Software Alliance; Randall Rothenberg, CEO of the Interactive Advertising Bureau; and Brian Dodge, chief operating officer of the Retail Industry Leaders Association. The last witness was Woodrow Hartzog, a professor of law and computer science at the Northeastern University School of Law and Khoury College of Computer Sciences.
Sen. Ed Markey (D., Mass.) said that the Children’s Online Privacy Protection Act needs to be updated to cover provisions regarding children between the ages of 13 and 15. He asked witnesses whether children should be treated differently in privacy legislation and tried to nail them down on specifics.
He noted that the California law includes opt-out consent provisions for adults but opt-in language for children under 16.
Mr. Markey asked witnesses if their organizations favored requiring opt-in consent for children between the ages of 13 and 15.
Ms. Espinel said the use of sensitive data by anyone should require opt-in consent, but she did not commit to supporting such a scheme for children between the ages of 13 and 15.
Mr. Leibowitz said opt-out consent should be the standard for children 13 and older “at the very least.”
Mr. Rothenberg said he was concerned with banning contact with all 15-year-olds, but Mr. Markey noted that was not under consideration.
“Kids have to be given an extra level of protection. They’re vulnerable, they’re targeted, and without building that [opt-in consent] in [federal legislation], I just think it makes no sense to preempt California law,” which industry wants, Mr. Markey said.
“One of the key components to this debate is transparency,” said Sen. John Thune (R., S.D.), chairman of the communications, technology, innovation, and the Internet subcommittee. “Transparency allows consumers to make informed decisions about the products and services they use. Many companies, some of which are members of the associations represented here today, note that transparency is a core value; however, the actions they take raise serious questions. Earlier this month, Google’s Nest home-security devices were found to have a built-in microphone which was not disclosed to consumers in any of the product material. Google stated that ‘the on-device microphone was never intended to be a secret.’ However, even if Google’s actions were not intended to mislead consumers, I do believe there should have been better transparency with respect to these practices.”
Mr. Beckerman said the built-in mic should have been disclosed to consumers. But he said the California law “puts ways too much of the burden on individuals.”
Sen. Brian Schatz (D., Hawaii), ranking member of the communications subcommittee, said that there should be a “backstop” in the law that imposes on companies “obligations not to harm the customer.”
He said he thinks the law should set out “broad principles in statute” with rulemaking authority for the FTC, fining authority, and additional staffing over time and asked the witnesses to weigh in.
Mr. Leibowtiz endorsed the additional resources and fining authority and said his coalition wants to see what the committee drafts regarding rulemaking authority, although he said it supports some of that authority with “guard rails.”
The other industry witnesses also said they support providing additional resources to the FTC and fining authority and said they also wanted to see committee language on rulemaking authority.
Sen. Ted Cruz (R., Texas) complained about “political censorship” of conservatives by technology platforms.
Mr. Beckerman said online platforms are useful to enable free speech and said the government should not step in to attempt to regulate it. He also said that each platform has “community standards,” adding that perhaps each can do a better job of educating users about those standards. He also said mistakes have been made concerning opinions on the left as well, although he said he didn’t have any immediate examples.
“There’s no transparency whatsoever,” Sen. Cruz replied, singling out Facebook, Inc., for its answers to his questions on this issue.
Committee Chairman Roger Wicker (R., Miss.) emphasized the need for a federal privacy framework.
“The economic and societal benefits generated by consumer data are undeniable. From this data, meaningful insights are gleaned about the needs, preferences, and demands of consumers and businesses alike. These insights spur innovation, help target investment, and create opportunities. The material benefits of data include increased productivity and efficiency, reduced costs, greater efficiency, greater convenience, and access to customized goods and services that enhance our safety, security, and overall quality of life,” Sen. Wicker said.
“While the benefits of consumer data are immense, so too are the risks,” he added. “Consumer data in the digital economy has become a target for cyber-criminals and actors that exploit data for nefarious purposes. This problem is exacerbated by the failure of some companies to protect consumer data from misuse and unwanted collection and processing. These issues threaten to undermine consumers’ trust in the Internet marketplace, diminishing consumer engagement in the online ecosystem.”
Sen. Wicker said that “Congress needs to develop a uniquely American data privacy framework that provides consumers with more transparency, choice, and control over their data. This must be done in a manner that provides for continued investment and innovation, and with the flexibility for U.S. businesses to compete domestically and abroad.
“It is clear that we need a strong, national privacy law that provides baseline data protections, applies equally to business entities – both online and offline – and is enforced by the nation’s top privacy enforcement authority, the Federal Trade Commission,” he added. “It is important to note that a national framework does not mean a weaker framework than those that have already passed in the U.S. and overseas or being contemplated in the various states. Instead it means a preemptive framework that provides consumers with certainty that they will have the same set of robust data protections no matter where they are in the United States.”
“While Congress has been successful in the past in addressing certain types of personal information, such as health or financial data or children’s information, consumers continue to see the challenges that they face with corporate practices that allow for collection, storage, analyzing, and monetizing their personal information,” said Sen. Maria Cantwell (D., Wash.), the committee’s ranking member. “In fact, just two years ago, Congress voted to overturn the FCC privacy rule that would have protected online users from internet service providers, but had yet to take effect.
“So, while we have gone backwards in some ways, there are others who are moving forward. In May of 2018, the European’s General Data Privacy Regulations went into effect, providing the EU and its citizens with an array of new protections from certain types of corporate data practices. And in addition, the state of California has recently passed the California Consumer Privacy Act, which also provided California’s citizens with new rights and protections. This law goes into effect 2020,” Sen. Cantwell noted.
“So, together the implementation of these two pieces of legislative policy, GDPR and CCPA, have brought new insights to the congressional efforts to pass meaningful privacy and data security laws. What is clear to me is we cannot pass a weaker federal law at the expense of states,” the senator stressed. “So, Mr. Chairman, I am certainly open to exploring the possibility of meaningful, comprehensive federal privacy legislation. I want to work with you and all the members of this committee, many of which have already introduced various pieces of privacy legislation, for thoughtful discussion about how we come to a resolution on these issues.”
During the questioning period, Ms. Cantwell told Mr. Hartzog that she was “a little more in your camp at the moment” after he suggested that preempting state privacy laws could be harmful.
Mr. Leibowitz, a former Federal Trade Commission chairman, said that a federal privacy framework should be based on a 2012 privacy report, with greater transparency, privacy by design, opt-in for sensitive information, opt-out for non-sensitive information, strong FTC enforcement authority that includes being able to impose civil penalties for first-time offenses, rulemaking authority with “guardrails,” and state preemption.
He said that 94 privacy proposals are pending in state capitals and said that a patchwork of state laws would create confusion among consumers. He also said that while the California law did some good things, it suffered from “drafting flaws.”
Mr. Beckerman echoed points made by Mr. Leibowitz, including the difficulty of having various state laws.
“A federal privacy law should be centered around the individual in three important respects. First, federal legislation should ensure that individuals have access to information about the personal information that is collected from or about them, including how that data will be used, shared, and protected. Second, federal legislation should support the development of tools to give users more control over their personal information. Third, federal legislation should give individuals the ability to access, delete, correct, and move their personal information,” Mr. Beckerman said.
“We are here today because the American people’s trust has been broken,” Ms. Espinel said.
“BSA companies want Congress to pass a clear and comprehensive national law that gives consumers the right to know, the right to control, and the right to choose what happens to their personal information; imposes obligations on companies to safeguard consumers’ data and prevent misuse; and provides strong, consistent enforcement,” she said. “Federal privacy legislation that includes these elements will protect consumer privacy interests, promote innovation, and promote global data flows.”
“As Congress establishes strong obligations for organizations to implement, providing clarity about an organization’s role and responsibilities in the complex, dynamic, data-driven economy can complement enforcement efforts by promoting business arrangements that reinforce those responsibilities,” Ms. Espinel said. “The distinction between controllers, which determine the purposes for which personal data is processed, and processors, which perform storage, processing, and other data operations on behalf of controllers, is key to allowing organizations that handle personal data to clearly define their responsibilities.”
Mr. Rothenberg said that “IAB asks for Congress’ support in developing a new paradigm that would follow these basic principles: First, in contrast to many existing privacy regimes, a new law should impose clear prohibitions on a range of harmful and unreasonable data collection and use practices specifically identified in the law. Second, it should distinguish between data practices that pose a threat to consumers and those that do not, rather than taking a broad-brush approach to all data collection and use. Third, it should incentivize strong and enforceable compliance programs, and thus universalize compliance, by creating a rigorous ‘safe harbor’ process in the law. And finally, it should reduce consumer and business confusion by preempting the growing patchwork of state privacy laws.”
“A new privacy framework will require choices and artful balancing of interests. RILA believes that a federal privacy framework should be designed to protect consumers and provide clear rules of the road for individuals, businesses, and the government,” Mr. Dodge said. “Retailers are prepared to accept the responsibility of new privacy requirements to create a national framework that applies to all parts of the data ecosystem and inspires consumer confidence.”
“First, I recommend that lawmakers should resist the traditional approach to data protection, which emphasizes transparency through notice to users and choice through user consent. It passes the risk of online interaction from data collectors onto people under an illusion of protection. This ‘notice and choice’ approach has failed,” Mr. Hartzog said.
Sen. Wicker asked Mr. Hartzog whether ensuring that federal legislation acts “as a floor, not a ceiling, for privacy rules,” as he advocates, would result in a continued patchwork of legislation.
The professor said it would. But he added, “I don’t see that as being insurmountable, because it’s what we have been dealing with all along with data breaches.”
Meanwhile, in a Medium posting today, Jonathan Spalter, president and CEO of the U.S. Telecom Association, called for the passage of a federal privacy framework.
“It has long been argued that technology companies?—?as much as anyone else?—?need clear and legally sustainable rules of the road. For our part, broadband providers strongly support consumers’ desire for a consistent and fair national privacy law. It’s a core expectation of our customers and an essential bulwark of consumer confidence in the digital economy. In fact, in a recent Harris poll, people were asked what should be among the top priorities of U.S. companies beyond growing the economy. Protecting consumer privacy took the top spot, besting even healthcare (65% to 61%),” Mr. Spalter said.
“So, consumers clearly want fundamental protections over their information. Similarly, all good actors that do business online?—?whether they exist on the edge or core, or as a platform for our internet, should appreciate the merits of federal rules of the road. After all, if there’s a bright line on that interstate, then it’s easier for everyone to know where they can safely drive,” he added. - Paul Kirby, [email protected]
Interested in submitting an article?
Submit your information to us today!Learn More