Continuing Congress’s efforts to craft comprehensive federal privacy legislation, the Senate Judiciary Committee on March 12, 2019, held a hearing on “GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation.” The hearing focused on strengths and weaknesses of California’s Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) in an effort to identify principles that could inform federal privacy legislation. A full transcript of the hearing is available here.

The two panels included representatives from industry, privacy advocacy organizations, and academia:

Panel I

• Will DeVries, Senior Privacy Counsel at Google
• Alastair Mactaggart, Chairman of Californians for Consumer Privacy and a principal drafter of the CCPA
• David Hoffman, Associate General Counsel and Global Privacy Officer at Intel
• Gabriel Weinberg, CEO and Founder of DuckDuckGo, a search engine
• Tom Lee, Policy Lead at Mapbox

Panel II

• Roslyn Layton, Visiting Scholar at the American Enterprise Institute
• Michelle Richardson, Director, Privacy and Data, at the Center for Democracy and Technology
• Jane Bambauer, Professor of Law at the University of Arizona James E. Rogers College of Law

Chairman Lindsey Graham (R-SC) opened the hearing by explaining that the committee wanted to learn more about the GDPR and the CCPA before drafting federal legislation. He expressed the view that consumers do not typically understand that their data is being monetized and lamented the fact that, in his view, social media companies are left to decide what information to publish without any guidance from government. He closed by noting the bipartisan interest in federal privacy legislation—a recurring theme throughout the hearing.

Ranking Member Dianne Feinstein (D-CA) also focused on consumer knowledge and approval. She touted the CCPA as an important effort and suggested that its consumer protections should serve as a floor for provisions in a federal law.

Many of the witnesses opposed opt-in consent requirements and expressed concern that the GDPR’s opt-in regime would stymie competition, since consumers might only opt in to using more established companies’ websites and online services. They also questioned whether the take-it-or-leave-it approach of opt-in consent would ultimately enhance users’ privacy. A number of the witnesses were supportive of the CCPA, which generally provides for opt-out consent requirements. The witnesses uniformly expressed support for federal action on privacy legislation.

The following issues generated significant discussion:

Opt-In Versus Opt-Out Consent

A main theme of the hearing was the relative benefits of opt-in versus opt-out consent regimes. A number of Senators expressed support for opt-in consent while a number of the witnesses maintained that this approach is undesirable. A number of witnesses argued that the CCPA’s opt-out regime is preferable because it will allow consumers to prohibit the sale of their data without preventing them from using particular websites altogether. Several Senators, including Senator Feinstein, questioned the desirability of opt-out consent. Senator Mazie Hirono (D-HI) raised the concern that privacy defaults are sticky—that is, that most consumers tend not to change default settings. All of the witnesses stressed that, in any case, users’ consent options should be easy to find and understand.

Federal Preemption

Committee members asked the first panel about federal preemption of state laws. Mr. DeVries, Mr. Mactaggart, Mr. Hoffman, and Mr. Lee favored preemption if the CCPA were treated as a floor rather than a ceiling. Mr. Weinberg agreed in theory but would not commit without seeing specific language.

FTC Authority

In response to questions from committee members, panelists did not express support for increased FTC rulemaking authority but appeared to acknowledge the need for enhanced FTC enforcement activity. Some proposals on that score have included allowing the FTC to seek civil penalties (now up to over $41,000 per violation) in enforcement actions in the first instance, an authority the FTC does not now have, but which it has sought across administrations for many years.
Ms. Richardson added during the second panel that if federal legislation were to apply to all companies, as opposed to just the largest ones, state attorneys general would need authority to work in collaboration with the FTC.

Small Businesses

Senator Sheldon Whitehouse (D-RI) raised the effect of privacy regulation on small businesses with the first panel, noting, by way of example, that many small companies may not know whether they are subject to the GDPR. Ms. Layton expressed concern that the GDPR stifles competition because compliance is too expensive for small companies; she asserted that some start-ups have refrained from serving EU customers for this reason. Professor Bambauer added that, in the United States, the cost of complying with many different state laws can also be burdensome for small companies.

Behavioral Advertising

Senator Graham raised concerns about the use of tracking of online behavior as a source of data for targeted advertising. Mr. Mactaggart noted that the CCPA’s drafters had considered the issue. While the CCPA does not prohibit collection of such information, it requires covered companies to disclose their collection or compilation of such information and provides consumers with the right to request deletion of such information and to prohibit its “sale,” a term defined broadly to include sharing for commercial purposes. Mr. Hoffman agreed with Mr. Mactaggart and referred the committee to Intel’s model legislation on this score.

Conclusion

WilmerHale’s Cybersecurity and Privacy Practice will continue to monitor and provide periodic updates on the development of comprehensive federal privacy legislation over the course of 2019.