During the 36th hearing held in U.S. Congress on privacy and data security over the last five years, members of the House Energy and Commerce Committee's Subcommittee on Innovation, Data, and Commerce again heard calls for comprehensive privacy legislation, namely the American Data Privacy and Protection Act.
The hearing, held Thursday, 27 April, focused on the need for a federal law to fill what Subcommittee Chair Gus Bilirakis, R-Fla., called a "piecemeal sector-specific approach" with existing U.S. laws — the Gramm-Leach Bliley Act, Children's Online Privacy Protection Act, Health Insurance Portability and Accountability Act, and Family Educational Rights and Privacy Act — that do not protect consumers "in a way that is consistent with their expectations."
The House Energy and Commerce Committee sent the ADPPA to the full House of Representatives last year, following a near unanimous 53-2 vote, but the bill did not advance from there. It is anticipated to be reintroduced this session.
"Ultimately, privacy enforcers need better tools. When Tom Hanks' character was stranded on a remote island in the movie Castaway he used an ice skate to remove a tooth. What the (U.S. Federal Trade Commission) needs is not more ice skates, tools that don't fit the job and cause more pain than is necessary," said witness President of ACT | The App Association Morgan Reed. "The FTC, and my members, need a statute that specifically prohibits privacy harms resulting from processing, collection and transfer that go against consumer expectations."
Reed said The App Association's companies are building products that help consumers manage their health, finances and education, while navigating a "regulatory silo" that he said includes intersections between existing regulations and COPPA's "very narrow scope." Members hear that consumers want access to their health, educational and financial information in digital form, and they want their expectations around privacy and security to be met.
"That is a tall order, but one that is made more difficult by the lack of federal privacy legislation. The current odd silos of privacy regulation that put parts of their personal data under HIPAA, others under FERPA, some under GLBA in what consumers feel like is a random mishmash really devalues the trust that we need in the system," he said. "Our consumers need to trust our members are delivering the next wave of digital tools and services in a manner that protects privacy and secures data against bad actors."
Both HIPAA and GLBA apply to a narrow, defined group of entities, while overlap between FERPA and requirements under COPPA create confusion and uncertainty for parents, the commercial industry and educational institutions, he said. Vice President, Associate General Counsel and Head of Salesforce's Global Privacy Team Edward Britan added HIPAA does not cover health related data collected by noncovered entities, like through connected devices and online platforms that monitor health and fitness.
For children, Public Interest Privacy Center President Amelia Vance said "serious shortcomings in federal law" and a patchwork of state laws have created "outdated and confusing" protections.
"Even when these laws have been successful and have not created confusion, we're still left with a legal landscape riddled with far more gaps than many people realize," she said. "When addressing general consumer privacy protections, it's critical to remember children are uniquely vulnerable to certain harms and we must create meaningful protections to safeguard them."
Rego Payment Architectures Senior Advisor for Cybersecurity and Privacy Donald Codling, CIPP/E, CIPP/US, said federal laws and regulations have also not kept up with a cashless society. Most fintech companies providing financial service products to children adhere to the GLBA, which requires an opt-out option for nonaffiliate data sharing.
"This means the default setting for these websites and financial apps allows for the collecting and sharing of data of children between the ages of 13 and 17 with nonaffiliated third parties unless the parent proactively opts-out. In fact, there's often no ability for the parents to opt-out of sharing their children's financial transactions between affiliated companies," he said.
Rego created a COPPA and EU General Data Protection Regulation compliant financial platform for families and children of all ages. Codling said it is built around the concept of data minimization and only the birth date of children under age 17 is collected, as required by Google and Apple app stores. Its digital wallet experience cannot function without explicit parental approval and consent, he said.
"We support the enactment of strong, comprehensive and bipartisan federal privacy legislation, like ADPPA, that includes strong data minimization and the data security standards and will update privacy laws to protect children," he said.
Britan said a federal law should include enhanced protections for sensitive and children's data, mandatory data impact and algorithmic assessments, and restrictions on third-party targeted advertising. Preemption of state laws is also "critical."
"We need to set a national standard for privacy. Privacy can't depend on zip code and we can't have more powerful states dictating rights for other states," he said. "It has to be a clear national standard that sets the rules of the road for the country."
The ADPPA reflects "a hard-fought compromise that would meaningfully protect privacy, increase trust in industry, and position the U.S. as a world leader on tech issues," he said.
"Presently the world is looking to EU regulators and the GDPR to write the rules of the road for emerging technologies like generative (artificial intelligence). With ADPPA, the U.S. has proposed important ideas that should be part of the global conversation," he said. "The path to providing world leading privacy protections for all Americans is clear. Now is the time for Congress to pass a comprehensive privacy law that builds upon the existing global standard and reasserts U.S. leadership on privacy and data protection."