U.S. lawmakers took the opportunity Wednesday morning to ask consumer groups how they should craft a federal law in a way that gives users tools and resources to control their data in ways that align with their expectations. Also on hand at the "Consumer Perspectives: Policy Principles for a Federal Data Privacy Framework" hearing was Irish Data Protection Commissioner Helen Dixon to share her perspectives on enforcing the EU General Data Protection Regulation in its infancy and how the U.S. might follow or diverge from that strategy. Witnesses at the hearing advocated for algorithmic transparency, special provisions for children and nuanced regulations on data sets depending on their sensitivity.
The consensus from the panelists was, as usual, that a federal law is overdue. No surprise there. The most interesting points came from the nuance that panelists — like Jules Polonetsky, CEO of the Future of Privacy Forum — offered on how the U.S. might give users meaningful controls over their data and what those controls might look like.
Notably, lawmakers were keen to ask Dixon whether she has issued fines against companies subject to the GDPR and what those fines might be. Ostensibly, they wanted to gain insights as to how the U.S. might regulate. But among insiders who have been tracking the GDPR since it came into force in May 2018, the question sounded more like: What's the holdup on enforcement? Why hadn't there been a fine levied by her office? Companies are surely breaking the law, so why no punishment?
Dixon indicated that the investigations her office has undertaken take time. They are extensive, she said. In addition, there are complaints to handle.
However, given that her country has jurisdiction over such companies as Facebook, for example, headquartered in Ireland, she did give up a teaser: She expects fines to be levied this summer and that they will be "substantial."
Also at the hearing, lawmakers sought answers from consumer privacy advocates on hand about how prescriptive the law should be, whether it should apply specific provisions to children and teens, how it should be enforced and by whom.
It's expected that a federal law will be modeled after the recent adoption of the California Consumer Privacy Act, as many states consider similar legislation. As a result, the CCPA acted as the backdrop for much of the hearing. Should the U.S. follow its lead or back off a bit?
A common refrain heard from critics of the CCPA is that the law will actually see companies storing more data than they would if not for the CCPA because of the need to comply with consumers' right to access and correct data stored on themselves. Chairman Roger Wicker wanted to know if that's a risk.
"What if a law with consumer rights means more data collection?" he asked.
Polonetsky pointed to the GDPR, in response, and said we can "effectively provide people strong rights of access and deletion if we make it clear we're not going to require companies to do more tracking to provide that data."
In addition to the frequent refrain that the CCPA's provisions will cause companies to excessively collect and store data, the voices have been just as loud about small- and medium-sized businesses and the impact heavy compliance obligations could have on them. But Dixon explained that the GDPR only requires organizations to take measures appropriate to the risk and scale of the data they're collecting.
Meanwhile, the tech behemoths, said Common Sense Media's Jim Steyer, are now using privacy as a competitive advantage.
"Big tech firms have decided this is both the right thing to do and the right thing to do for their business," he said. "So, the wave is coming."
As anyone following the career of Sen. Ed Markey, D-Mass., might predict, he used his time to question witnesses on whether a federal bill should include special provisions for kids and teens. Markey, the author of the Children's Online Privacy Protection Act, has introduced "COPPA 2.0," a bill Steyer and his organization, Common Sense Media, support.
Steyer, who helped architect the CCPA, called for any federal legislation to build on the CCPA's provisions.
"The people pushing [federal] pre-emption are companies that want to weaken the CCPA," Steyer said.
In his written testimony, Steyer called for a federal law to go beyond consent, to be an opt-in regime and to put certain data uses completely off-limits — specifically, "manipulative user designs that subvert user autonomy or behaviorally targeting marketing to kids."
For its part, the American Civil Liberties Union echoed Steyer's call for a federal standard to be a "floor — not a ceiling — for consumer protections." It does not want to see a federal law pre-empt state laws. It also called for any bill to include strong enforcement power for both the Federal Trade Commission and state attorneys general — which the Future of Privacy Forum and Common Sense Media also support — a private right of action provision that includes statutory damages for "all violations of privacy rights," and guardrails to prevent "discrimination in the digital ecosystem," including requirements for companies to allow outside researchers to look at their algorithms for risk assessments on potential harms.
Polonetsky's written testimony pointed to the U.S.'s "shrinking window of opportunity to regain momentum at both the national and international level." The Future of Privacy Forum is calling for a more nuanced approach to federal legislation: It wants data to be regulated depending on its level of sensitivity and whether it's pseudonymized or anonymized. It calls for a regime that would require opt-in consent for "sensitive" data and opt-out consent for non-sensitive data. However, it calls for the law to include carve-outs for academic research, as well as incentives for privacy-enhancing technologies.
As for which of these recommendations the Senate Commerce Committee decides to take action on, that's anyone's guess for now.