On September 26th, the Senate Committee on Commerce, Science, and Transportation held a hearing on data privacy, focusing in part on the potential for federal privacy regulation. The discussion centered on two issues: (1) the potential for Congress to pass a federal privacy law, including the scope and model for any such law, and (2) the role of the Federal Trade Commission (“FTC”) in regulating data privacy practices. Representatives from Apple, Amazon, AT&T, Charter Communications, Google and Twitter testified.
Chairman John Thune (R-SD) opened the hearing by saying that the Senate is only beginning to address issues of consumer privacy. According to Senator Thune, the hearing “grows out of recent concerns about consumer privacy,” but “is not intended to be a ‘gotcha’ hearing.” Rather, he said, the hearing “represents the beginning of an effort to inform our development of a federal privacy law.”
On the topic of a potential new federal privacy law, technology company representatives appeared to agree on certain broad privacy principles that could be incorporated into legislation. Damien Kieran, Global Data Protection Officer and Associate Legal Director at Google, referenced that company’s data privacy framework, which was released prior to the hearing. A number of industry associations also released federal privacy principles in advance of the hearing, including BSA | The Software Alliance, the Chamber of Commerce, and the Internet Association. Several of those principles call for a federal framework that preempts state laws, with the Chamber supporting preemption of state data privacy laws and the Internet Association supporting preemption of both state consumer privacy and data security laws. In addition, the BSA and Chamber principles urge any framework to support the free flow of data across international borders, with BSA stating any framework should “enable and encourage global data flows.”
At the hearing, senators disagreed about the model for any potential new federal privacy law. Senator Jerry Moran (R-KS) pushed back on suggestions that a new federal law should adopt either the approach embodied by the EU General Data Protection Regulation (“GDPR”) or the California Consumer Privacy Act (“CCPA”). Rather, he argued that adopting those laws in the United States could harm “innovative and entrepreneurial businesses.” Senator Thune also expressed concern that privacy laws favor incumbents over new entrants in the marketplace. At the same time, Democrats like Senator Brian Schatz (D-HI) emphasized that a privacy law must be “meaningful” and at least as strong as the CCPA if federal law would preempt such state legislation.
Technology companies testifying at the hearing also disagreed on what form any federal privacy law should take, including whether it should include an opt-in or opt-out consent model. Several technology company witnesses voiced concerns with adopting a framework similar to the GDPR, which they viewed as onerous. Len Cali, Senior Vice President for Global Public Policy at AT&T, suggested that the CCPA would be a better model than the GDPR, but said that several provisions of that law, such as the non-discrimination provision and the broad definition of personal information, should be reconsidered before using it as a model for potential federal legislation. All technology company witnesses agreed that any new federal law should preempt state regulation in this area.
In addition, Senator Bill Nelson (D-FL) and Senator Schatz focused on the FTC’s role. Senator Nelson asked if industry believed the FTC was the appropriate body to regulate data privacy and whether the FTC should be vested with more authority. Although all technology company representatives agreed that the FTC was the appropriate regulatory body, none voiced support for increasing the agency’s authority, while Senators Nelson and Schatz indicated that they believe increased FTC authority is appropriate.
Congress and federal agencies are expected to increase their focus on these issues in coming months and Senator Thune said the Senate Commerce Committee would hold further hearings on data privacy. In the House of Representatives, Representative Suzan DelBene (D-WA) has already introduced legislation that would require the FTC to issue new regulations requiring companies that collect, storage, process or share sensitive personal information to enact data privacy and use policies that provide specific types of notice to consumers, enable consumer opt-outs, and obtain third-party audits of their privacy controls, among other requirements.
At the agency level, the Department of Commerce National Telecommunications and Information Administration (“NTIA”) issued a request for comment on September 26, the same day as the Senate Commerce hearing. The NTIA seeks comment on seven proposed outcomes for federal action on consumer privacy policy and on eight high-level goals for federal action to protect privacy. The NTIA also seeks comments on related issues including “next steps and measures the Administration should take to effectuate . . . user-centric privacy outcomes,” such as Executive action, procurement requirements, or non-regulatory actions. NTIA also asks for comment on whether changes are needed to the FTC’s statutory authority, resources, or processes, in order for the FTC to achieve the goals set out in NTIA’s request for comment.