Witnesses at a Senate Commerce, Science, and Transportation Committee hearing on the need for federal privacy legislation today emphasized the similarities between federal data privacy bills introduced by the committee's chairman and ranking minority member, while lawmakers from both sides of the aisle urged cooperation on legislation, rather than viewing bills as competing.
Even in some areas of long-standing disagreement—such as possible preemption of state privacy laws—parties sounded more in agreement than in the past, with those who oppose preemption arguing it would weaken consumer protections and those supporting it saying that federal legislation should provide protections as strong or stronger than current state laws.
In his opening remarks, Chairman Roger Wicker (R., Miss.) urged his colleagues to work together to pass the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act that he introduced last week with committee members John Thune (R., S.D.), Deb Fischer (R., Neb.), and Marsha Blackburn (R., Tenn.) (TR Daily, Sept. 17).
The proposed SAFE DATA Act would establish consumer access, correction, deletion, and porting rights for personal data collected by businesses, require consumer consent to the processing or transferring of their sensitive data, set data minimization and secondary use limits, establish data security obligations, and require transparency about the use of algorithms. It would also prohibit "take-it-or-leave-it" practices requiring consumers to give up privacy rights if they want to use a business's products or services, and it would require businesses to adopt and disclose their privacy policies and to conduct privacy impact assessments.
The bill would authorize enforcement by the Federal Trade Commission and state attorneys general. It would give the Federal Trade Commission rulemaking authority to establish additional categories of sensitive data; require it to maintain a data broker registry; authorize it to oversee the data use practices of common carriers and nonprofit organizations, which are otherwise excepted from the agency's authority over unfair and deceptive business practices; and restore the FTC's authority to obtain monetary remedies for consumers.
Chairman Wicker emphasized the importance of data privacy in light of the COVID-19 pandemic and the resulting shift of many activities previously conducted offline to the Internet, as well as the need for consumers to trust in data privacy as public health authorities and others engage in contact tracing.
Chairman Wicker also said that he looks forward to holding a hearing before the end of year on the EU-U.S. Privacy Shield invalidated by the European Union Court of Justice earlier this year (TR Daily, July 16).
Committee ranking member Maria Cantwell (D., Wash.), who introduced the Consumer Online Privacy Rights (COPRA) Act last year with committee members Brian Schatz (D., Hawaii), Amy Klobuchar (D., Minn.), and Ed Markey (D., Mass.) (TR Daily, Nov. 26, 2019), said that other federal privacy bills "allow companies to maintain the status quo, burying important disclosure information in long contracts, hiding where consumer data is sold, and changing the use of consumer data without their consent...Most strikingly, these bills would actually weaken consumer rights around the country by preempting stronger state laws."
The COPRA Act would not preempt state laws. It would establish consumer rights to access data companies collect about them, to delete and correct that information, to opt-out of transfers of their data to a third-party, and to port their data to another provider of their choice. It would also bar deceptive and harmful data practices, require prior affirmative consent for the processing of transfer of sensitive data, impose data protection mandates on companies that collect consumer data, authorize the FTC and state attorneys general to enforce the bill, authorize private civil actions by individuals alleging a violation of the bill or its implementing regulations, and direct the FTC within 18 months to establish one or more acceptable procedures for covered entities to use in enabling consumers to opt out of the transfer of covered data.
Sen. Cantwell also said that a pending case at the Supreme Court has put at risk "the core protection" of section 13(b) of the FTC Act, allows the FTC to seek financial redress for consumers in the courts.
Last year the U.S. Court of Appeals for the Seventh Circuit (Chicago) reversed a long-standing holding by the courts that section 13(b) empowers the FTC to seek court orders "to freeze assets for trial that can later be used to provide redress to consumers." FTC Chairman Joseph Simons has supported the idea of Congress acting to clarify the agency's authority in that respect.
In her prepared testimony, former FTC Commissioner Julie Brill, now Microsoft Corp.'s chief privacy officer, emphasized that medical and financial recovery from the effects of the COVID-19 pandemic requires access to sensitive health and financial data, and that it is "vital for people to trust how their personal information is used."
Former FTC Chairman and Commissioner William Kovacic, now director of the George Washington University Competition Law Center, proposed a "model of concurrency," while acknowledging that allowing separate federal and state authority over data privacy entails "costs in coherency" and "costs in guidance." He proposed that states be allowed to act in areas not occupied by federal law. He also proposed "the creation in the law of a domestic national privacy network chaired by the FTC chairman."
Mr. Kovacic said that it will "cost a lot to come up with a real enhancement of capability" in overseeing data privacy, in terms of hiring additional technologists, economists, and attorneys, adding that his "bolder proposal is to give the FTC a billion dollars a year for 10 years."
Testifying remotely, former FTC Commissioner and acting Chairman Maureen Ohlhausen, now a partner in the law firm of Baker Botts and co-chair of the 21st Century Privacy Coalition, said that the pandemic and the taking effect of the California Consumer Privacy Act are among the factors that make the need for federal data privacy legislation all the more urgent now.
She called for clear transparency for consumers and said that federal legislation "should ensure strong enforcement that protects consumer information that could result in harm if disclosed or misused."
She added that "to be both future-proof and avoid tilting [the playing field], … it should be technology neutral" and should "recognize the inherent interstate nature of the Internet."
"Preempting state laws should not mean weakening consumer protections. A federal privacy law must be a strong one," Ms. Ohlhausen added.
However, she said a federal privacy law should not include a private right of action to obtain economic redress, as such provisions generally benefit attorneys but provide little economic benefit to consumers, she argued.
Former FTC Chairman and Commissioner Jon Leibowitz, now counsel at the law firm of Davis Polk & Wardwell LLP and co-chair of the 21st Century Privacy Coalition, said that shifting of activity online during the COVID-19 pandemic as "reminds us why a federal privacy law is critical."
He said that one federal privacy regime should apply everywhere in the U.S., and that preempting state laws should not mean weakening consumer protection. "A federal law can and should be stronger than CCPA or GDPR," he added, noting that the California law "doesn't speak to how data can be used" and that EU residents "have to click through a frustrating number of popup windows" outline privacy terms and seeking consent.
A federal data privacy law "must be tech-neutral," Mr. Leibowitz said, and it should require affirmative express consent for access to sensitive information and provide an opt-out right for the collection and use of non-sensitive data. It should give the FTC authority to impose civil penalties for a first offense.
He told Chairman Wicker and ranking member Cantwell that it is "heartening to see almost all of these tenets are incorporated into both of your bills, which have so much in common."
Also testifying remotely, California Attorney General Xavier Becerra said, "To keep pace we must all work from the same playbook but be nimble enough to adapt to conditions we encounter on the field. … Give us a playbook, but don't preempt smart, nimble adaptation to what we see coming at us."
He said that granting consumers a private right of action would complement his office's enforcement efforts.
During the question period, Chairman Wicker thanked Ms. Brill for speaking favorably about both the SAFE DATA Act and the COPRA Act.
"Commissioner Leibowitz, you mentioned that both bills have much in common. We need to keep that in mind," Chairman Wicker added.
He agreed that "federal preemption need not mean a weakening of consumer privacy protections."
Chairman Wicker asked Mr. Kovacic to explain how not preempting states' initiatives that go beyond the federal "would work."
Mr. Kovacic said, "It does introduce a degree of variation in the system, if you have the experimentation I talked about." However, he argued that states should have the ability to take action when confronted by "a harm or a problem that had not been anticipated" by the federal law.
Sen. Fischer asked whether the current lack of a federal data privacy law is causing the U.S. and U.S. companies to be "dismissed by foreign regulators."
Sen. Klobuchar sought and obtained agreement from various witnesses that provisions of the COPRA Act, such as a right to opt out and a mandate for plain language in privacy policies, are good ideas.
When, in response to a question from Sen. Klobuchar, both Mr. Kovacic and Mr. Leibowitz supported more funding to increase FTC resources to deal with privacy issues, Chairman Wicker noted that both the SAFE DATA Act and the COPRA Act would authorize more funding for the FTC.
"And under the Moran approach as well," Sen. Jerry Moran (R., Kan.) interjected. "And I'm an appropriator for the FTC and take that to heart," he added.
He said he believes that a federal privacy law "has to be technology neutral" and apply to all players throughout the Internet ecosystem.
Sen. Moran said, "While all of us want to talk about our bills—there's perhaps some pride of ownership—none of this will work unless there's an approach that brings us all together."
Sen. Schatz agreed, saying, "There is a sort of healthy competition between members on both sides of the aisle, but we're on the razor's edge between that competition being fruitful and keeping us from passing legislation."
Sen. Schatz suggested that a "duty of loyalty" on the parts of companies that collect data to look out for the interests of those whose data they collect when they consider sharing or selling it "works well" with opt-in and opt-out provisions, because people who opt in may not understand their data could be given to someone who will harm them.
Chairman Wicker asked where there is such a duty of loyalty provision in the CCPA. Ms. Brill said that there is not.
Chairman Wicker told Sen. Schatz that he appreciated his raising the issue, "and I'm working to bring this together."
Sen. Shelley Moore Capito (R., W.Va.) raised concerns about the need for privacy protections as children spent more time online during the pandemic.
Sen. Thune asked about filtering by online platforms so that "users are only shown content they believe in."
Ms. Brill said, "I think the filter bubble issue you've raised … is an incredibly important one." She added transparency and user choice are important with respect to filtering.
Mr. Kovacic said that the FTC "has excellent tools to examine this issue" and that it belongs on the agency's research agenda."
"I agree with both of my former colleagues," Mr. Leibowitz said.
Sen. Richard Blumenthal (D., Conn.) asked whether witnesses share his belief that the nominee to succeed Supreme Court Justice Ruth Bader Ginsburg, who died on Friday, should support privacy rights.
Mr. Becerra said that it would be good to have jurists protect the right to privacy "before we have a whole generation" who doesn't even know what privacy is.
Sen. Blackburn said she agreed with Mr. Becerra about the need to have a national standard on privacy "before we have a whole generation who doesn't have that."
Sen. Markey asked whether the FTC should "use its full section 6(b) powers to investigate what's going on right now" with privacy and online education. Section 6(b) authorizes the FTC to conduct studies outside of its enforcement authority.
Mr. Leibowitz said that "the FTC and next chairman should think very careful about using its 6(b) authority."
Chairman Simons's term does not end until 2024, but it is traditional for the chairman to resign if the control of the White House changes parties, and some observers expect him to resign even if President Trump is reelected because of perceived friction on some policy positions.
Sen. Ted Cruz (R., Texas) expressed concern that privacy legislation would be too big a burden for small businesses and startups.
Ms. Ohlhausen agreed the potential exists. "That is a big issue that we've actually seem documented when GDPR took effect," she said.
Ms. Brill said she would like to see a bill "that scales risk," rather than just company size. —Lynn Stanton, [email protected]
MainStory: FederalNews Congress FTC Privacy Covid19
Interested in submitting an article?
Submit your information to us today!Learn More