On Wednesday, September 26, representatives from some of the United States’ largest technology and communications companies appeared before Congress to testify regarding consumers’ data privacy. The Senate Committee on Commerce, Science and Transportation held a hearing entitled Examining Safeguards for Consumer Data Privacy to examine data privacy policy issues and to discuss how Congress should respond to the rapidly changing privacy landscape, including the possibility of enacting comprehensive federal legislation. Senior executives from leading technology and communications companies provided testimony at the hearing.
Witnesses endorsed federal data privacy legislation, with the caveat that tech and communications industry stakeholders are given an opportunity to contribute to the contents of any legislation that the Committee intends to seriously consider. In his opening remarks, Committee Chairman John Thune (R-South Dakota) stated that this hearing was one of several that the Senate Commerce Committee will hold in order to hear from privacy advocates, consumer advocates and business stakeholders regarding potential legislation. Further, he signaled that legislation was a legislative priority for lawmakers. Among his opening remarks, Thune stated that “[t]he question is no longer whether we need a law for consumer data privacy, the question is what shape these laws will take.”
During the hearing, lawmakers cited that federal data privacy protections fell behind the California Consumer Privacy Act (“CCPA”), California’s recently enacted privacy law, which takes effect beginning in 2020, and the European Union’s recently implemented General Data Protection Regulation (“GDPR”). Witnesses agreed that their companies supported federal data privacy legislation with the stated goal of preempting the California privacy law. Senator Brian Schatz (D-Hawaii) stated during the hearing that while companies’ “holy grail is preemption,” lawmakers do not intend “to replace a strong California law with a weaker federal one.”
With respect to jurisdiction, companies and lawmakers broadly expressed that federal legislation would be beneficial for consumers, as compliance with the most restrictive aspects among the patchwork of state laws is cumbersome for the range of companies that are subject to these state laws. Panelists also agreed that the Federal Trade Commission (“FTC”) should have primary responsibility for enforcement of the federal data privacy law that ultimately materializes; however, there was not consensus among the witnesses on whether the FTC should have rulemaking authority or if the legislation should expand the FTC’s authority to level fines. Some lawmakers raised concerns that tech companies’ voluntary participation would yield the desired level of consumer protection. For example, during the hearing, Senator Richard Blumenthal (D-Connecticut) remarked that “[v]oluntary rules have proved insufficient to protect privacy.”
The panel contemplated other related issues, such as what provisions should be included in a federal law. Among the proposals discussed for inclusion were plain language disclosures, consumer access to personal data, a 72-hour breach notification requirement, and a consumer right to opt-in or opt-out of having one’s personal information collected and used for a purpose other than to provide the service requested. Many of the panelists stated that their companies already have implemented aligned measures and none of the panelists appeared to support the 72-hour breach notification requirement.
Additionally, lawmakers contemplated how to define personally identifiable information (“PII”) in federal legislation and how to ensure that the definition of PII could be adapted for emerging technology in the future.
Finally, Senator Blumenthal’s remarks during the hearing are most aligned with the challenges that companies can expect to face as legislation is developed. The Senator said that despite opposition from a number of companies, companies have been able to comply with GDPR and are making strides to comply with CCPA. Further, Blumenthal queried why Congress should not adopt federal legislation that simply mirrors GDPR or CCPA, and noted that industry’s perceived ability to comply would be an outstanding question throughout the congressional debate on federal data privacy legislation.
