On September 26, the Senate Committee on Commerce, Science and Transportation conducted a hearing titled “Examining Safeguards for Consumer Data Privacy” to discuss the current state of consumer privacy and whether Congress should enact comprehensive federal legislation.  Industry representatives from Amazon, Apple, AT&T, Charter Communications, Google, and Twitter served as panelists. 

The hearing comes in the wake of numerous data privacy scandals embroiling top companies, as well as the implementation of the General Data Protection Regulation in the EU and the recent passage of the California Consumer Privacy Act (CCPA).

Senator Thune, Chairman of the Committee, opened the hearing by stating that “the question is no longer whether we need a federal law to protect consumers’ privacy, the question is what shape will that law take.”  The panelists agreed.

During the hearing all of the panelists expressed support for a single federal privacy framework and legislation that protects consumer privacy without stifling innovation, and all agreed that any federal legislation should preempt state privacy laws like the CCPA.  As one panelist put it: “federal legislation will be very little help if it becomes the 51st layering on top of 50 state rules.”      

The hearing, which lasted approximately two and one-half hours also addressed: (1) whether the FTC should be the primary regulator for any such legislation and whether its authority should be expanded; (2) the types of provisions federal legislation should include; and (3) how the Committee should consider the GDPR and the CCPA in crafting federal consumer privacy legislation.  

Some have criticized the hearing for including only industry representatives and not a wider set of key stakeholders, but Chairman Thune made clear that the Sept. 26 hearing would not be the only hearing on consumer privacy.  Next month the Committee will hold another hearing with privacy activists and other stakeholders, including Andrea Jelinek, head of the European Data Protection Board, and Alastair McTaggart, the lead proponent of the California ballot measure that led to passage of the CCPA.

The FTC as Primary Regulator

The panelists generally agreed that the FTC should be primarily responsible for enforcement of federal consumer privacy legislation and that if additional resources are needed Congress should provide them.  However, panelists were unwilling to categorically agree that the FTC should be given rulemaking authority or be able to impose monetary penalties in the first instance.    

Provisions for a Federal Privacy Law

Much of the hearing centered around the types of provisions that should be included in federal legislation, such as requirements for simple, plain language disclosures, provisions for consumers to withdraw consent, rights for consumers to prevent the selling or sharing of their personal information, and the ability of consumers to access their personal information.  The panelists were generally supportive of such requirements, many stating that they already do those sorts of things or provide consumers with those types of options.  However, none of the panelists appeared to support a 72-hour breach notification requirement.

One panelist diverged from the others and advocated for a default opt-in requirement for the collection and use of personal information other than to provide the service requested.  The others disagreed with a default opt-in arguing that it would stifle innovation and cause consumer fatigue similar to consumer fatigue with EU cookie tracking banners. 

A few Committee members focused on how to define personally information and how to ensure that the definition is adaptable to future technology.  All agreed that defining personal information will be important, with one panelist advocating for a “logical definition,” one that a reasonable user would expect, which he described as those pieces of information that can directly identify an individual such as name and email address. 

The GDPR and the CCPA

Senators were also interested in the panelists’ views on the GDPR and CCPA; the good and bad features of these laws that Congress should take into account when crafting its own privacy legislation.  One industry representative noted that the GDPR is overly prescriptive and burdensome and may hurt innovation, while the CCPA will encourage an unworkable patchwork of legislation and includes provisions that in practice will be quite detrimental to business.  On the plus side, another panelist noted, the GDPR applies uniformly across the EU, which is what industry is seeking with comprehensive federal consumer privacy legislation in the U.S.

One issue in particular that Committee members focused on was compliance costs for laws like the GDPR and CCPA and whether or how they create barriers to entry.  One panelist estimated that his company’s efforts to comply with the GDPR have cost millions of dollars and hundreds of years of human time.  The panelists noted that while they are large enough to absorb such costs, the Committee should carefully consider how compliance costs could affect small and medium-sized businesses as it develops legislation.  

Notably, Senator Blumenthal asked whether the panelists believed that Americans deserve less privacy than Europeans or whether Americans deserved less privacy than Californian’s.  He also asked if any of the companies had plans to pull out of the EU.  He noted that the companies present have complied with the GDPR and are making efforts to comply with CCPA, and questioned why Congress should not adopt the California or EU model?  He said the question would continue to linger as Congress considers federal privacy legislation.  While he acknowledged that the answer may be complex, he noted that despite the opposition the companies present at the hearing have expressed to these laws, they have shown that they can comply with them.