There has been no shortage of hearings on Capitol Hill about a potential U.S. federal privacy bill, and often the same old story is told: Industry wants any emerging law to pre-empt state laws, advocates want stronger consumer protections, including opt-outs, and lawmakers rarely understand the nuance of the topics at hand.
But at a Senate Committee on Commerce, Science, and Transportation hearing Wednesday, it seemed lawmakers had done some homework and were ready to move beyond using their five-minute windows to score solid press sound bites or use witness testimony to define simplistic terms and instead came prepared with questions that aimed to advance the national dialog on how we protect consumers in a digital era when industry has the upper hand and consumers have so much to lose.
Historically speaking, the hearing seemed poised to showcase the same buzzwords spouted at hearing after hearing — so much so that some stakeholders designed a "privacy bingo" board via Twitter for those following along, stocked with words like "patchwork," "balance" and "innovation — instead, lawmakers wanted to drill down on issues like consumers' rights to redress, special protections for children, and whether industry was ready to pay more than lip service to the consumers who put their trust in them by electing to use their services and, in doing so, offering up their data.
That said, while early on things looked bleak when Committee Chairman Roger Wicker, R-Miss., opened his line of questioning on the concept of pre-emption — which, to date, has stalled many conversations about a federal bill given that industry and advocates can't agree there — it wasn't a place Sen. Maria Cantwell, D-Wash., was going to dwell.
Cantwell expressed, in her opening comments, her dismay that pre-emption — the idea that any federal bill could effectively overrule state privacy laws — was what hearings on the Hill had obsessed over to the detriment of further progress. Cantwell said she doesn't believe pre-emption is necessary for an effective federal bill, despite industry's push for it.
Professor Woodrow Hartzog of Northeastern University was quick to counter industry arguments that a pre-emptive baseline law was the only way to ensure that both consumers had a fair hand and industry could comply. In fact, Hartzog told Wicker, "While consistency is nice, patchwork isn't insurmountable. It's what we've been dealing with all along."
But Jon Leibowitz, of the 21st Century Privacy Coalition and former chairman of the U.S. Federal Trade Commission, had a different take. Imagine, he said, if there were different Federal Aviation Administration standards for every state in the country. There would be "disasters in the air. That's what's at stake in letting states craft policies piecemeal."
Leibowitz cited 94 proposals currently pending in U.S. states.
Where lawmakers could find agreement among witnesses — which also included representatives from the Interactive Advertising Bureau, the Internet Association, the Retail Leaders Industry Association, and the Software Alliance — was that the FTC should be the primary enforcer of a federal bill and to do so would need additional resources. Leibowitz said the FTC's budget has remained flat since his time at the agency in 2010.
Victoria Espinel of BSA, the Software Alliance, while primarily advocating for FTC enforcement, said state attorneys general should also play a role. She said the FTC needs the ability to fine on a first offense, however. Currently, the agency can only bring monetary penalties, under Section 5 of the FTC Act, if a company violates a prior settlement or consent decree. She wants more.
Among her industry peers on the panel, Espinel was the most vocal about the need for a strong federal law, testifying that it's time for the industry "to clean it up" around here.
Sens. Richard Blumenthal, D-Conn., and Marsha Blackburn, R-Tenn., both came out strong on that very front. They wanted answers from industry representatives on what they were willing to do to rectify the status quo, creating a more equal relationship between consumers and business.
"We've got a trust gap here," Blumenthal said. "Data collection is a vast galaxy to consumers, and I want you to, in effect, put your money where your mouth is. I don't mean that disrespectfully in any way ... but the record is businesses have looked the other way. You have to convince us you want something more than pre-emption, and the overwhelming evidence is you're willing to look the other way to put profits ahead of people here."
Later, Blackburn followed Blumenthal's lead.
"What are you doing to encourage companies to be more transparent?" she asked. She told industry representative that there has been "lots of lip service," and the result is that "people don't trust you now." She asked what industry is doing to fix that.
The Internet Association's Michael Beckerman said it, for one, doesn't take consumer trust for granted and is "taking steps every day" to ensure consumers could feel that, adding mechanisms that would allow consumers to delete their information from its systems, for example.
That's something Espinel supports. She said, specifically, consumers should have the right to deletion and that the collection of sensitive data should be an opt-in choice for consumers. Sen. Ed Markey, D-Mass., pulled on that thread, asking the panel whether there should be special provisions for children. The author of the Children's Online Privacy Protection Act, passed in 1998, wanted to know if a federal bill should require opt-in consent for children under 13. Leibowitz said that, at the very least, children should have an opt-out provision. Interactive Advertising Bureau CEO Randall Rothenberg, however, wasn't willing to commit to supporting an opt-in provision, saying that's something that should be considered further.
Inevitably, the lawmakers questioned whether the U.S. should look to the EU and its passage of the General Data Protection Regulation as a model, or, perhaps, the California Consumer Privacy Act.
Panelists did agree that the CCPA should act as a floor from which to build on, but Rothenberg was quick to caution against using such models too closely.
"Yes, data exchanges can be used to violate consumer privacy," he said. "But let's not use the GDPR or CCPA models. ... Opt-outs aren't the seat belts or the airbags of the information superhighway," he said.
Importantly, lawmakers also questioned how heavily consumer choice should factor into a federal law. To date, the U.S. has relied on a framework of "notice and choice" for consumers; that is: Give consumers a policy on what you'll do with their data and ask them to click "yes" before they can use the service. But some questioned whether that's an effective method anymore.
Hartzog, who has published extensive research on the topic, vehemently pushed back against the idea that simply giving consumers choice is a fair way to do business.
He said the internet has gifted users with a "dizzying array of options, but it's too much. The problem with thinking about privacy as control is that if we are given our wish for more privacy, it means we are given so much control that we choke on it."
If you missed the hearing and want to watch it in full, find the video archive and witnesses' written testimonies here.
If you want to comment on this post, you need to login.