On October 10, the Senate Committee on Commerce, Science, and Transportation held a second hearing on data privacy that invited advocates and experts to discuss a federal privacy law. The panelists included Andrea Jelinek, director of the European Data Protection Board; Alastair Mactaggart, chair of Californians for Consumer Privacy; Laura Moy, executive director of the Georgetown Law Center on Privacy and Technology; and Nuala O’Connor, president of the Center for Democracy and Technology. Consistent with the previous hearing on data privacy, the discussion focused on two issues: (1) potential components of a federal privacy bill, particularly data breach notification, preemption of state law, and the scope of consumer rights, and (2) enforcement authority under a new federal privacy regime.

First, the witnesses generally agreed on the main components to be included in a new federal privacy law. The witnesses expressed the need for stronger data breach requirements, which was met with enthusiasm from Senators Hassan (D-NH) and Klobuchar (D-MN). Senator Klobuchar asked the witnesses how they would view a 72-hour notification requirement like the one in her proposed bill, the Social Media Privacy Protection and Consumer Rights Act of 2018 (also discussed in a previous Inside Privacy post), and the witnesses generally expressed agreement. Dr. Jelinek added that the General Data Protection Regulation (“GDPR”) requires companies to keep data only as long as it is needed, a requirement that could result in less data being at risk in the event of a breach. Professor Moy noted that the current U.S. regime misaligns data retention incentives because companies have strong financial motivations to keep data as long as possible. She noted that clear rules and effective enforcement are essential to limit the amount of data that can be compromised.

The witnesses generally agreed that a federal privacy law should not be weaker than state privacy laws. Mr. Mactaggart stressed that a federal law must be at least as protective as the California Consumer Privacy Act (“CCPA”). He emphasized that a federal law should be a “floor,” not a “ceiling,” meaning that states could institute additional privacy requirements above those required by the federal law. Ms. O’Connor stressed that a “patchwork of state laws” and a sectoral approach to protecting data based on its type (health data, financial data, children’s data) may have made sense a decade ago, but now leave a significant amount of personal information unprotected.

The witnesses also generally agreed on consumer rights related to data. Ms. O’Connor stated in her written testimony that a new federal privacy law should limit some types of data collection and processing, such as collecting precise location information, biometric information, healthcare information, and children’s information, to uses germane to the service requested by the user. Further, both Ms. O’Connor and Professor Moy emphasized that a new law should prohibit discrimination using data. As Mr. Mactaggart clarified in response to Senators’ questions, a non-discrimination provision would not prevent consumer loyalty programs, but, under the CCPA, a price differential between allowing a company to collect data and not allowing it to do so cannot be coercive.

Second, the hearing discussion focused on the need for meaningful, effective enforcement. Ms. O’Connor and Professor Moy stressed the need for stronger enforcement in response to questions from Senators Markey, Klobuchar, and Schatz. They both recommended that the FTC be vested with greater authority, including rulemaking power and the ability to levy monetary fines. To support this recommendation, they explained that rulemaking power allows the FTC to be agile as technology changes and as new rules need to be developed. As Professor Moy phrased it, meaningful fines elevate privacy and data security issues to a position of importance for company strategy. In addition, Ms. O’Connor and Professor Moy both stressed that state attorneys general should also be given the power to enforce the federal privacy law. Not only can state attorneys general enforce smaller violations that do not necessarily rise to the attention of a national enforcer like the FTC, but state attorneys general have also been successful at working to help businesses and communities understand their obligations, Professor Moy stated.

This hearing is expected to be one of an ongoing series of hearings on data privacy hosted by the Senate Committee on Commerce, Science, and Transportation.