At a House Committee on Energy and Commerce hearing Tuesday, industry professionals and advocates made their pitches for what should be contained within a federal privacy bill — one that seems increasingly likely to pass Congress (at some point) given the advent of California's landmark privacy bill and, on its heels, a bill out of Washington state.
The difference in tone at this particular hearing versus those of days gone seemed to be that lawmakers no longer questioned whether a federal bill was a good idea, but rather what kind of federal bill Congress should pass. Based on comments from House representatives, that sentiment is spurred not only because of recent activity in state legislatures, but also because of high-profile data breaches, including Cambridge Analytica and Equifax. And while certain sectoral laws, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act, govern the use of consumer data, no one law protects consumers holistically, noted Committee Chairman Frank Pallone, D-N.J.
The rub, as anyone following these hearings would surely attest, came down to how prescriptive a federal law should be. Industry representatives argued, as has become commonplace and some might say even redundant at hearings such as this, that a law as prescriptive as the EU General Data Protection Regulation will have adverse effects on not only commerce and industry, but also consumers. Advocates, meanwhile, argued that ignoring or denying consumers' digital rights in effect denies their human rights in the analog world.
Novel at this particular hearing, however, was the representation of minority and low-income voices by Brandi Collins-Dexter, senior campaign director for media, democracy and economic justice at Color of Change, an online civil rights group. Collins-Dexter emphasized that a federal privacy bill, like the GDPR, should contain a right for data subjects to access and correct the data companies collect and store about them online. Particularly, she said, because those impacted by misinformation (inaccuracies on credit scores, debts owed, criminal records, etcetera) are minorities or low-income individuals who don't have or can't afford the tools to fight the system and clear their names.
It was a sentiment echoed by the Center for Democracy and Technology President and CEO Nuala O'Connor, CIPP/G, CIPP/US, who called for "equality for all Americans" within a new federal bill. The CDT has introduced its own draft proposed privacy bill, which calls for the right to access, correct and delete personal information; strong penalties for noncompliance enforced by state attorneys general; and federal pre-emption of state laws. It also calls for a shift beyond the "notice and consent" framework U.S. companies have relied on for the last 20 years or so.
"Notice and choice is no longer a choice," O'Connor said.
But seated next to O'Connor at the witness table was the Interactive Advertising Initiative's David Grimaldi, executive vice president on public policy, who, on behalf of the organization, has a different approach in mind.
Grimaldi wants to see a federal law, too, but he wants something a bit more flexible than what O'Connor presented.
He cited the recently passed California Consumer Privacy Act as an example of what not to do when passing legislation.
Grimaldi said the "CCPA poses the same risks as the GDPR in denying consumers services," and then instead of following in the path of either law, Congress should set a new paradigm, one that focuses on a risk-based approach that distinguishes between the practices that harm consumers and those that don't. He also called for a "strong and enforceable" self-regulatory program with safe harbors carved in.
O'Connor responded that while she agreed with some of those tenets, the days of relying on a self-regulatory program are long gone. They were "revelatory in 1998," O'Connor said, "but it is no longer going to work."
Grimaldi had a couple of witnesses in his corner, both in Denise Zheng, vice president of technology and innovation at Business Roundtable, and Roslyn Layton, a visiting scholar from American Enterprise Institute in the European Union, who says she hopes a U.S. framework will avoid mistakes of the GDPR, which favors big business and hasn't resulted in European citizens having increased trust online.
Layton referred to data that since the GDPR went into effect, Google has enjoyed an entire percentage-point of market share, as many small- and medium-sized enterprises simply folded due to the compliance costs associated with the sweeping reform.
Grimaldi said prescriptive law would impose compliance costs that favor big companies over SMEs and that noncompliance will incite a barrage of lawsuits resulting in not only SMEs folding, but also on fewer advertisers entering into the ecosystem due to fears on the cost of noncompliance. That's not what we want out of a federal law, Grimaldi said.
Representatives and witnesses at the hearing also discussed whether the current protections allocated to children, via the Children's Online Privacy Protection Act, should be enhanced, and whether the threshold COPPA covers — those under the age of 13 — is arbitrary or should be reconsidered.
Whatever the final bill, said Color of Change's Collins-Dexter, the focus must remain on the end goal: protecting U.S. consumers.
"If we fail in the mission to ensure online rights, we stand to render many of our offline rights meaningless," she said.
The conversation continues today with a hearing at the U.S. Senate Committee on Commerce, Science, and Transportation titled "Policy Principles for a Federal Data Privacy Framework in the United States."
If you want to comment on this post, you need to login.