Democratic and Republican legislators have made it evident that there is a bipartisan appetite for federal privacy legislation. But how we get there, that’s the hard part.
In two hearings this week, legislators from the Senate and the House of Representatives grilled representatives from industry groups and consumer advocacy organizations about what federal privacy legislation should look like and how comprehensive it should be. The clock is ticking—tech companies and industry groups are eager to see a federal bill passed before the California Consumer Privacy Act (CCPA), a comprehensive data privacy rule that is slated to shake up businesses operating in the state, goes into effect in January 2020.
Tuesday’s hearing was the first major one focusing on the tech industry’s practices since Democrats took control of the House of Representatives, and legislators from both sides of the aisle signaled the importance of implementing a federal privacy bill that would protect consumers.
“It’s time that we move past the old model that protects the companies using our data, and not the people,” Rep. Frank Pallone Jr., a Democrat from New Jersey who chairs the House Energy and Commerce Committee, said Tuesday.
Republican lawmakers have voiced support for a federal rule that would preempt state-level legislation on privacy, something that big tech companies and other industry groups have supported. Rep. Greg Walden, an Oregon Republican, said consumers should not have different privacy and security protections depending on where in the country they are.
Denise Zheng, the vice president for technology and innovation at the industry group Business Roundtable, voiced the industry line that varying state legislation could pose “massive barriers to investment for innovation” that would be “unworkable” for businesses.
Democrats, on the other hand, have voiced concern over federal preemption, saying that a federal bill could water down more stringent state-level privacy protections. Rep. Darren Soto, a Florida Democrat, chastised the House’s “lack of action in legislating that has created this vacuum in which states have decided to act” on passing privacy laws, he said.
Some lawmakers have pointed to the European Union’s General Data Protection Regulation or the CCPA as a model for federal rules, and witnesses representing the tech and advertising industry pleaded against using those regulations as a blueprint. Roslyn Layton, the visiting scholar at the conservative think tank American Enterprise Institute, implored House members not to follow the path of the European Union, asserting that the legislation put a strain on small- and medium-sized businesses, and both Dave Grimaldi, evp for public policy at the trade association IAB, and Randall Rothenberg, IAB’s CEO, voiced concerns with modeling legislation off GDPR and the CCPA.
On Wednesday, the Senate Commerce Committee held another session focused on data privacy, asking questions of preemption, more FTC enforcement authority and the scope of federal data privacy rules. Rothenberg testified before the Senate, as did representatives from industry groups for tech and software companies, retailers and telecom companies. The telecom giant AT&T hosted a fundraiser for Sen. Roger Wicker, the Republican chairman of the committee, the night before the hearing, according to The Hill.
During the Wednesday hearing, Wicker said a preemptive federal framework need not be weaker than state-level legislation, and he encouraged the drafting of regulations that were not burdensome to companies and which provided room for “continued investment and innovation and for the flexibility for U.S. businesses to compete domestically and abroad,” he said. Sen. Maria Cantwell, a Washington Democrat who serves as ranking member of the Senate Committee, warned against passing a weaker federal law at the expense of states, and expressed support for an overhaul of the existing privacy norms.
“Just notice and consent are no longer enough,” Cantwell said. “I don’t think that transparency is the only solution.”
Representatives from industry groups and trade associations on Wednesday echoed many of the same issues raised on Tuesday: The industry is in favor of a federal privacy law that preempts state-level rules, offers incentives for good behavior and does not put in place the same requirements as legislation like GDPR. And they want it to happen—fast.
“We support getting this kind of legislation to the president’s desk and signed into law this year,” Michael Beckerman, the president and CEO of the Internet Association, a tech industry group, said Wednesday.
Consumer groups bemoaned the number of industry representatives at the hearings this week, and organizations like the Electronic Frontier Foundation said they worried that the sheer number of tech company representatives would drown out other perspectives on the issue. But there were a few voices less affable to industry talking points who voiced their concerns during the hearings. On Tuesday, two consumer advocacy groups implored House members not to squander an opportunity to develop rules that would protect consumers. Brandi Collins-Dexter, the senior campaign director of the social justice group Color of Change, and Nuala O’Connor, the president and CEO of the advocacy group Center for Democracy and Technology, implored lawmakers to consider digital civil rights, stressing that rules around notifying customers and providing more transparency were not enough.
“The goal should be to define our digital civil rights,” Connor said. “What reasonable behavior can we expect from companies that hold our data? What rights do we have that are so precious they cannot be signed away?”
Woodrow Hartzog, a law and computer science professor at Northeastern University, told senators Wednesday that current privacy norms “asks too much of people and too little of those entrusted with our data.” He urged legislators not to give consumers the “illusion of choice” through terms-of-service agreements, and said federal legislation should “act as a floor, not a ceiling” for state-level rules.
“While consistency is nice, I think the patchwork actually has been not something that has been insurmountable insomuch that I teach my students to deal with 50 state patchworks all the time,” Hartzog said. “… It’s what we’ve been dealing with all along.”
Don't miss Adweek NexTech, live this week, to explore privacy, data, attribution and the benchmarks that matter. Register for free and tune in.