At a Senate commerce committee hearing Oct. 10, senators questioned U.S. privacy advocates and an EU-based privacy regulator on what kind of bones a federal privacy bill in the U.S. should be built on.
That is, if one were to be built.
In a rather brief, two-hour hearing, the committee questioned Andrea Jelinek, chair of the European Data Protection Board; Alastair Mactaggart, board chair of Californians for Consumer Privacy; Laura Moy, executive director at Georgetown Law's Center on Privacy & Technology; and Nuala O’Connor, CIPP/G, CIPP/US, president and CEO at the Center for Democracy & Technology.
At the outset, Sen. Ed Markey, D-Mass., laid out his expectations for a potential bill. He said it should ban "take-it-or-leave-it" policies, in which companies require consumers to opt in to data collection in order to use the service. He said companies shouldn't coerce customers into giving up their personal information. He added that current policies relying on simple "notice and consent" should be just the starting point rather than the entirety of the transaction.
There seemed to be broad agreement among both senators and witnesses that a federal privacy bill is not only due but late. While the European Union has taken a global leadership position in passing the General Data Protection Regulation, the U.S. can only point to a variety of state and sectoral laws aiming to protect consumer data.
"We have tried self-regulation," O'Connor said. "It's high time, if not past time, to consider a federal law." She added that patchwork state laws create uncertainty for consumers and also don't "get us standing in the global dialogue," noting that Europe is leading the way. "We need a law that would be a floor and not a ceiling" and some leadership from Congress, she said.
And, in fact, the passing of the California Consumer Privacy Act of 2018 seems to have kick-started a movement in the country to get out ahead of a potential windfall of states following suit.
Mactaggart was there yesterday to describe how CaCPA, which supplanted a state ballot initiative he and two cohorts had drafted, came to be and what of its provisions might be useful at a federal level. For Mactaggart, it really all comes down to transparency. CaCPA, which has been called the strictest privacy bill in the country, allows consumers to request from companies the data that companies hold about them and with whom it's being shared. That's something that was important to Mactaggart about the California bill: The digital ecosystem currently involves so many actors, and it's rare a consumer knows about a first party's data-sharing agreements with other entities. Whether a similar provision is included in a federal bill was not thoroughly addressed at the hearing.
But one CaCPA provision that did see significant endorsements by witnesses and senators alike, including Markey, was the ability of the law's enforcement agency to have rule-making authority. Under CaCPA, the California attorney general, which will enforce CaCPA when it's effectuated in 2020, has the right to issue regulations.
"I think that's so important to give rule-making authority to the enforcement authority," Mactaggart told the Senate committee. "The right to issue regulations will allow the bill to be flexible with time."
In the case of a federal bill, both senators and witnesses indicated the enforcement agency would likely be the Federal Trade Commission and noted the agency would need to be given rule-making authority to effectively enforce a potential federal privacy law.
Sen. Richard Blumenthal, D-Conn., said the cause is "long overdue," adding, "Until we have a federal enforcer, consumers will continue to be at risk." (Blumenthal, in his five-minute allowance, also noted he planned to send a letter to the FTC asking it to investigate the latest breach at Google. And today it's been reported this Senate committee penned a letter to Google's CEO seeking information.)
There was some concern, among lawmakers, about just how aggressive regulation might get, particularly on fines. Under the GDPR, for example, companies can be fined up to four percent of global turnover.
But maybe it's time for some significant fines. After all, Google paid a $22.5 million fine for privacy violations in 2012, noted Georgetown's Moy, which amounted to "a few hours of their business."
Moy added any potential fines "must be substantial" so CEOs are paying attention to the risk instead of it being just something tech folks worry about.
But Sen. Jerry Moran, R-Kansas, had concerns about how fines might impact the smaller players, including startups. He wondered how the EU had approached that problem.
Jelinek said, "The fines are only the last step, it's not a problem. We can make warnings and reprimands, not only fines. The second issue is the fines have to be proportionate, if it's a big or small company and how they tried to comply with the law. It's not that it's possible to fine a small company as a big company, because a small company has a different revenue."
She also touted that under the GDPR's one-stop-shop mechanism, a startup must only deal with one regulator, versus the 28 regulators of each member state. It's really an advantage, she said.
Asked to report on enforcement since May 25, when the GDPR was effectuated, Jelinek reported that as of Oct. 1, there have been 272 cases opened.
In the end, O'Connor said, both consumers and companies want to know the rules of the road. Noting technologists she's worked with in earlier roles at corporations have told her, "Give me one clear rule, I can code to that," she said it's time to do so. "Waiting until we test what the boundaries of harm are is not working for consumers in this country today."
Sen. Maria Cantwell, D-Wash., called on her peers to take action.
"This committee is here to protect these consumer rights," she said. "We have to remember our duty and responsibility to protect consumers on their privacy rights that I believe are very strong in our Constitution."
Jelinek agreed, saying, "U.S. citizens don't deserve less privacy than the Europeans."
It's up to Congress and the stakeholders drafting frameworks, now, to determine whether that's a foregone conclusion.