Continuing Congress’s consideration of possible comprehensive federal privacy legislation, the Senate Commerce Committee’s Subcommittee on Manufacturing, Trade, and Consumer Protection held a hearing on March 26, 2019 on “Small Business Perspectives on a Federal Data Privacy Framework.” A full transcript of the hearing can be found here. The witnesses were:
- Justin Brookman, Director, Privacy and Technology Policy for Consumer Reports
- Nina Dosanjh, Vice Chair of the Technology Policy Committee at the National Association of Realtors
- Jefferson England, Chief Financial Officer of Silver Star Communications, a small telephone and internet service provider for rural counties in Wyoming and Idaho
- Evan Engstrom, Executive Director, Engine Advocacy and Research Foundation, a nonprofit organization representing startups
- Ryan Weber, President, KC Tech Council, an organization representing Kansas City’s technology industry
Subcommittee chair Senator Jerry Moran (R-KS) opened the hearing by noting the special challenges faced by small businesses and the importance of providing clear guidance to this engine of the U.S. economy. Ranking Member Senator Richard Blumenthal (D-CT) praised the recent momentum for bipartisan collaboration on federal privacy legislation and stressed the need for Congress to move quickly, both in light of recent controversies over some companies’ data handling practices and in light of action by the European Union (EU) and California. Senator Roger Wicker (R-MS), chair of the full Senate Commerce Committee, also made introductory remarks about the importance of moving forward with federal privacy legislation.
Senators’ questions and witnesses’ responses focused on a number of issues:
The witnesses representing businesses or business groups argued that uniform federal privacy legislation is necessary so that covered companies do not have to comply with a collection of inconsistent state laws. They emphasized the compliance challenges that small businesses in particular face because they have fewer resources to devote to concerns beyond their core business operations. Ms. Dosanjh, for example, discussed how a single federal set of standards could help realtors, many of whom are independent contractors, because they often rely on “off-the-shelf” compliance solutions. Mr. Brookman, from Consumer Reports, also supported federal preemption of inconsistent state laws but with the caveat that states should be able to innovate in areas not addressed by federal law.
Definition of Personal Information
Several of the witnesses criticized the California Consumer Privacy Act’s (CCPA) definition of “personal information” as overbroad. Ms. Dosanjh contended that its breadth and vagueness would leave many small businesses unsure whether the data they collected was covered. But the witnesses did not offer specific proposals for an alternative definition.
FTC Enforcement Authority
Senator Blumenthal polled the witnesses about the best way to enforce federal privacy legislation. The witnesses all agreed that the FTC should have primary enforcement authority, and most supported authorizing the FTC to levy civil penalties for first-time offenders, a power the FTC currently lacks but has requested for many years. Ms. Dosanjh suggested that penalties should be capped. The witnesses also supported channeling additional resources to the FTC to support its enforcement efforts. Mr. Brookman suggested that most of the FTC’s privacy enforcement actions have been brought under its section 5 deception authority, which had encouraged companies to draft privacy policies in expansive language that avoided more precise and meaningful commitments to data protection.
The witnesses agreed that state attorneys general should have authority to enforce a new federal law so long as the law was clear and significant divergence between the FTC’s enforcement practices and those of state attorneys general could be avoided. Mr. Engstrom criticized the CCPA’s private right of action that allows for damages without requiring a plaintiff to prove actual harm beyond unauthorized disclosure itself. He argued that this approach could bankrupt many existing small businesses and reduce investment in new ones.
Senator Blumenthal raised a concern about data brokers and companies whose business model rests on building “robust profiles” of individuals. Mr. Brookman stated that “arguably the most important element of privacy legislation” should be “a prohibition on selling information about your customers to third-party data brokers.” He suggested the CCPA’s opt-out regime for this practice does not go far enough to protect consumers. Senator Thune (R-SD) also asked what should be done about data brokers at the federal level. Mr. Engstrom suggested that while regulation might be beneficial, Congress should ensure that the definition of “data broker” is narrow enough not to sweep in small businesses that interact directly with and provide real benefits to consumers.
Small Business Protections
Members of the subcommittee and the witnesses discussed a number of approaches to lightening the burden of new requirements for smaller enterprises. Those included carve-outs from some requirements based on company size, judged by employees or revenue, putting compliance obligations on tracking companies rather than websites, and drafting requirements in simple, precise terms. Mr. Brookman suggested that requirements that stress risk assessments, balancing tests, and other procedural considerations over clear substantive provisions would disadvantage smaller businesses because of the time and effort required to apply such considerations. He offered the following recommendations:
Privacy laws should be written simply, with clear, easy-to-understand and -apply per se obligations: Collect only the data you reasonably need. Don’t sell data about your customers. Get rid of outdated data. Use reasonable security to safeguard data. On the other hand, privacy law should also explicitly carve out some limited first-party secondary uses of personal information—such as for internal analytics and marketing—so that companies know what is authorized by the law, and so they don’t need to subject their customers to unwanted and unnecessary user prompts for consent to engage in unobjectionable practices.
WilmerHale’s Cybersecurity and Privacy Practice will continue to monitor and provide periodic updates on the development of comprehensive federal privacy legislation over the course of 2019.