Yesterday’s Senate Commerce Committee hearing on consumer data privacy was a welcome improvement. The last time the Committee convened around this topic, all of the witnesses were industry and corporate representatives. This time, we were happy to see witnesses from consumer advocacy groups and the European Union, who argued for robust consumer privacy laws on this side of the Atlantic.
The Dangers of Rolling Back State Privacy Protections
Last time, the panel of industry witnesses (Amazon, Apple, AT&T, Charter, Google, and Twitter) all testified in favor of a federal law to preempt state data privacy laws, such as California’s new Consumer Privacy Act (CCPA).
Today was different. Chairman Thune kicked off the hearing by reminding the Committee of the importance of hearing from independent stakeholders and experts. We were also glad to hear Chairman Thune say that industry self-regulation is not enough to protect consumer privacy, and that new standards are needed.
The first witness forcefully argued that strong consumer privacy laws do not hurt business. Alastair Mactaggart, who helped pass the CCPA, reminded the Committee that he is a businessman with several successful companies operating in the Bay Area alongside the tech giants. He argued that the CCPA is not anti-business. Indeed, the fact that no major tech companies have made plans to pull out of Europe after the watershed GDPR went into effect earlier this year is proof that business can co-exist with robust privacy protections. The CCPA empowers the California Attorney General to enact—and change—regulations to address evolving tech and other issues. Mactaggart argued that this flexibility is designed to ensure that future innovators can enter the market and compete with the existing giants, while also ensuring that the giants cannot exploit an overlooked loophole in the law. While we have concerns about the CCPA that the California legislature must fix in 2019, we also look forward to participating in the Attorney General’s process to help make new rules as strong as possible.
The President and CEO of the Center for Democracy & Technology, Nuala O’Connor, acknowledged that some businesses want a single federal data privacy law that preempts all state data privacy laws, to avoid the challenges of complying with a patchwork of state laws. O’Connor cautioned the Committee that the “price of pre-emption would be very, very high”—meaning any federal law that shuts down state laws must provide gold-standard privacy protection.
A single weak federal privacy law will be worse for consumers than a patchwork of robust state laws. As explained by Laura Moy, Executive Director and Adjunct Professor of Law at the Georgetown Law Center on Privacy & Technology, a federal law should be a floor, not a ceiling.
As we’ve said before, current state laws in Vermont and Illinois, in addition to California, have already created strong protections for user privacy, with more states to follow. If Congress enacts weaker federal data privacy legislation that blocks such stronger state laws, the result will be a massive step backward for user privacy.
Asking The Right Questions
We were heartened that several Senators understood the complexity of creating a strong, comprehensive federal consumer privacy framework, and are asking the right questions.
In his opening statement, Senator Markey stated that a new law must include, at minimum, “Knowledge, Notice, and No”: Knowledge of what data is being collected, Notice of how that data is being used, and the ability to say “No.” This is a great starting point, and we look forward to seeing his draft of consumer protection legislation.
Senator Duckworth asked the witnesses if it is too soon to know if existing laws and regulations are working, and wanted to know how Congress should assess the impact on consumer privacy. These are hard questions, but the right ones.
In the hearing with company representatives two weeks ago, Senator Schatz questioned whether companies were coming to Congress simply to block state privacy laws, and raised the prospect of creating an actual federal privacy regulator with broad authority. This time, Senator Schatz again accused some of the companies of trying to “do the minimum” for their consumers, focusing his questions on adequate and robust enforcement.
While all the witnesses agreed that robust rulemaking from the FTC is necessary, it is not clear that the current enforcement or penalty structure is where it needs to be. O’Connor said that only 60 employees at the FTC are tasked with enforcing consumer privacy for all of the United States, which is not nearly enough. Senator Schatz also called for stiffer financial penalties, as under the GDPR, explaining that even a $22.5 million fine is only a few hours of revenue for Google.
Right to be Let Alone
Dr. Andrea Jelinek, Chair of the European Data Protection Board, reminded the Committee of the writings of U.S. Supreme Court Justice Louis Brandeis. Long before he was on the Court, Brandeis wrote in the Harvard Law Review in 1890, “Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual … the right ‘to be let alone’ … Numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’”
Technology has changed and continues to change, but the right of an individual to privacy and to be let alone has not. Congress should continue to allow the states to protect their citizens, even as it discusses how to build a stronger national framework that supports these efforts.