There has been no shortage of hearings on privacy this year as U.S. Congress tries to figure out its approach to protecting consumers in the digital age. But with recent bills released by both Sens. Maria Cantwell, D-Wash., and Roger Wicker, R-Miss., bills that seemingly have more in common than not, there's a sense within Senate hallways that perhaps congressional consensus on what federal legislation might contain — and what it won't — is closer than some predicted. As D.C.-insider and former Department of Commerce General Counsel Cameron Kerry wrote in a recent blog post, "These proposals demonstrate that legislators are catching up and are engaged in a process of classic legislating that is rare in these times." 

The Dec. 4 hearing in front of the Senate Committee on Commerce, Science and Transportation sought to revisit topics that lawmakers have discussed in detail in the past, this time with a more sophisticated agenda; the questions are no longer about whether the U.S. needs a bill or whether it should look like the EU General Data Protection Regulation. Conversations are focused on the places that are likely going to get sticky before bills start getting votes: Should citizens be granted a private right of action for violations of the law? What constitutes "sensitive" data? Should it be treated differently?  

At the outset, Wicker said he aimed to ask witnesses "ways to refine" current proposals. Cantwell said any new legislation should give consumers the right to opt out of having their data sold or deleted, as well as contain anti-discrimination provisions and mandate companies are transparent about what happens through their websites. 

"All of these things are tangible and meaningful for consumers," Cantwell said. "I say they just need to be clear as a bell so that people understand what their rights are and so they know how to enforce them."

There was largely agreement among the five witnesses on what legislation should look like. Everyone agreed with the basic ideas that a federal bill should mandate corporate responsibility, grant data subject access and redress rights, require corporate transparency on data collection and greater powers for the Federal Trade Commission to enforce.

Where the panel failed to agree was how much power consumers should have to punish companies for failure to comply. 

"We have a lot of bills, but we have no federal law. I want a law. There'll be more bills," said Sen. Richard Blumenthal, D-Conn. "Here's a bulletin from outside the beltway: People are angry, and scared, more than ever before. And they don't care whether it's a federal law or a state law. They want a law. And you will see state laws all around the country ... that's where we're going if we fail to act. And the reason they're angry and scared is, they feel, rightly, this data belongs to them. And they are losing control over it. They want that control back." 

While all witnesses agree there should be strong enforcement of a law, Blumenthal, a fierce privacy advocate, couldn't get them to agree that it should preserve the kinds of powers enshrined in state laws with private rights of action already, like the California Consumer Privacy Act and Illinois' Biometric Information Privacy Act. 

Microsoft Chief Privacy Officer Julie Brill wasn't ready to agree to that. 

"I do believe in a federal law we need to focus on consumer redress, and I think there are lots of ideas about how to do that," Brill said. "I'm not certain that I would agree that all of those mechanisms that exist in all these states should be added upon in a federal law." 

But, Blumenthal pushed, "Shouldn't there some provision for relief to stop ongoing harm?"

"Yes, I do think that injunctive relief — having individuals have the ability to achieve injunctive relief — is important," Brill said. "I also think it's important to require companies to have a process internally, so that if someone is seeking their data or wants to delete it or correct it, and they're not satisfied with the initial decision about that access right, they have the ability to elevate that within the company, as well. An administrative process, if you will." 

Maureen Ohlhausen, who served as Republican Chairman of the FTC during Brill's era there and now co-chairs the 21st Century Privacy Coalition, agreed. 

"One of my concerns about a private right of action is that I think when you have a strong law, like the one that's being considered, that gives the FTC additional resources, additional tools, and empowers 50 states attorneys general to bring these actions. It's a comprehensive and clear framework," she said. "A private right of action, and I don't see how it gives consumers additional benefits."  

But Sen. Marsha Blackburn, R-Tenn., came back with, "Well, and the [Telephone Consumer Protection Act] taught us that the road to protecting consumers is many times paved with good intentions ... but very difficult and fraught with peril." 

Brill added she had concerns. "We need strong enforcement. Strong federal enforcement at the FTC, strong state attorneys general enforcement. We think that consumer redress is important, but we need to keep it targeted on what consumers actually need." 

The witnesses testified that strong federal enforcement would include adding staff to the FTC to better match its counterparts — data protection authorities in every EU member state — as well as giving it more funding.

Rep. Dan Sullivan, R-Alaska, said he is also skeptical of a private right of action and asked Ohlhausen and Brill what they'd recommend to ensure adequate enforcement absent that. 

It is this issue of enforcement that is also causing some splits among lawmakers: Some say the FTC should be the primary enforcer, while others say it isn't equipped to handle the onslaught of cases that would surely come if consumers are granted data subject access rights. In that case, there is some debate over whether state attorneys general should supplement federal enforcement or if — as Georgetown Law Associate Professor Laura Moy called for at the hearing, and as lofty a goal as it may be — an entirely new agency should be created to enforce federal privacy. To be clear, Moy isn't alone in her calls for a new agency, but it seems to be an idea on the margins.

Ohlhausen said the FTC needs not only staff, but also "tools that it can use through the legislation, such as first-time civil penalty authority for violations, the ability to get a consumer redress fund so that it can pass out redress quickly and promptly to consumers." She also called for the FTC to have authority over common carriers as a method for consumers having more control. 

Brill said the FTC should have its staff increased to 500, as well as add expertise to its small staff of technologists. Ohlhausen noted it would be difficult to scale up from under 50 to 500. But Brill said, "There's a reason for it. ... Most [DPAs] for much smaller companies are much better staffed than the FTC. And when you try to do it on a per capita basis, I mean it really gets scary when you see the really paltry resources that the FTC is able to devote to this issue. The FTC does need to scale up very quickly if a law like this gets passed." 

For now, the Senate must decide how to navigate the divide over whether consumers should have a private right of action as a potential remedy for when they're aggrieved. It's possible, some close to the matter believe, that disagreement here could be the impasse that prevents Congress from standing up a federal bill anytime soon. 

Read witnesses' written testimonies or watch the hearing in full here.