At a February 27, 2019 hearing on “Privacy Principles for a Federal Data Privacy Framework in the United States,” Republican and Democratic members of the Senate Commerce, Science, & Transportation Committee offered different perspectives on whether new federal privacy legislation should preempt state privacy laws.

Chairman Roger Wicker (R-MS), who described the hearing as a chance to “set the stage” for bipartisan legislation, stressed the importance of preemption, as did Sen. Marsha Blackburn (R-TN).  Wicker noted that a national standard would provide greater certainty for consumers, and that a preemptive framework does not necessarily mean “weaker” protections than those included in state privacy laws.  Ranking Member Maria Cantwell (D-WA), by contrast, said the focus on preemption (rather than new rights for consumers) was “disturbing,” and wondered if U.S. companies were trying to “shut down” the California Consumer Privacy Act (“CCPA”).  Similarly, Sen. Richard Blumenthal (D-CT) warned that U.S. companies must convince Congress that they want “something more” than just preemption.

Despite their apparent differences on preemption, committee members broadly agreed that the “notice and choice” approach to privacy protections is insufficient.  Cantwell and Sens. Deb Fischer (R-NE) and Brian Schatz (D-HI) both made that point explicitly.  As an alternative approach, Schatz said new federal legislation should contain “broad principles” requiring companies to not harm the customers with whom they interact.

Senators also focused on whether new legislation should grant the Federal Trade Commission (“FTC”) new rulemaking authority.  Sen. Schatz supported broad FTC rulemaking authority, while Sen. Jerry Moran (R-KS) suggested that he favored a more “narrow” authority.  Sen. Mike Lee (R-UT) was even more cautious, warning that FTC rulemaking authority could have “unintended consequences” and unduly burden businesses.  Separately, Sens. Schatz and Moran agreed that a new bill should allow the FTC to impose fines for first-time violations.

Democratic committee members signaled their belief that new legislation should also contain data security protections alongside new consumer rights.  Sen. Jacky Rosen (D-NV) stressed the importance of protecting physical data centers, where consumer data is stored, while Sen. Tammy Baldwin (D-WI) inquired about the importance of setting security standards in new legislation in order to foster consumer trust.  Sen. Amy Klobuchar (D-MN) suggested a new law might include a 72-hour requirement for notifying consumers of data breaches.

The witnesses who testified at the hearing were Jon Leibowitz, Co-Chairman, 21st Century Privacy Coalition; Michael Beckerman, President and Chief Executive Officer, Internet Association; Brian Dodge, Chief Operating Officer, Retail Industry Leaders Association; Victoria Espinel, President and Chief Executive Officer, BSA – The Software Alliance; Dr. Woodrow Hartzog, Professor of Law and Computer Science at Northeastern University School of Law and Khoury College of Computer Sciences; and Randall Rothenberg, Chief Executive Officer, Interactive Advertising Bureau.  Their testimony is available here.