U.S. Senate aspirations to establish long-debated comprehensive federal privacy legislation are percolating once again. A privacy-focused Senate subcommittee gathered a panel of key stakeholders to unpack what "core principles" should be considered or included in the chamber's next attempt to draft a federal privacy framework.
The 30 July hearing by the Senate Committee on the Judiciary Subcommittee on Privacy, Technology and the Law marked the first time in more than a year senators dedicated a hearing solely to federal privacy law consideration. The last Senate hearing 11 July 2024 came as Congress was debating the proposed American Privacy Rights Act, which stalled in both chambers and is not being considered in the current congressional term.
The U.S. House has carried the momentum for a new federal framework thus far in the 119th Congress, with the House Committee on Energy and Commerce launching a privacy working group and running a request for information earlier this year. Meanwhile, the Senate focused its recent digital policy work on children's online safety initiatives, which included passage of the Children and Teens' Online Privacy Protection Act out of committee in June.
Subcommittee on Privacy, Technology and the Law Chair Marsha Blackburn, R-Tenn., said the Judiciary hearing was the first in what will be an ongoing series focused on "the virtual you" and individuals' digital rights. She called data privacy "one of the most consequential issues up for discussion" despite the absence of a finalized legislation.
Lawmakers remain at odds — between parties and chambers — over how to approach federal preemption, a private right of action and thorny scope issues like applicability and definitions. However, a focus on consumer rights and protection keeps the bipartisan dialogue open and fluid.
"Foundational to the conversation is who owns an internet user's data and what is the scope of that ownership," Blackburn said. "Where does it begin? Where does it end?"
States as reference points
The five witnesses participating in the Judiciary hearing agreed the status quo of relying on a state privacy law patchwork is untenable.
Nineteen states have comprehensive laws while a greater number are passing targeted or sector-specific privacy statutes covering data brokers, sensitive health data and other areas. The variance brings state-to-state impacts that challenge businesses and consumers alike.
Blackburn and Subcommittee Ranking Member Amy Klobuchar, D-Minn., sought views from the witnesses on what common state law provisions could be foundational to a federal standard.
Business Software Alliance Managing Director Kate Goodloe pointed to affirmative user rights and the spectrum of user opt-out capabilities as areas of broad state-level consensus. She also called out common business obligations.
"For controllers, it's things like asking for consent to process sensitive data. We have 17 states that require companies processing sensitive data to conduct privacy assessments looking at the sensitive issues arising from that processing," Goodloe said. "When it comes to processors, there is broad consensus that they have a separate set of rights to handle data on the behalf of a controller pursuant to their instructions and to do so confidentially."
Main Street Privacy Coalition General Counsel Paul Martino opined that instead of gleaning consensus provisions across states, a federal framework might also be built on areas where the state laws diverge from one another.
"The state laws, besides I believe Colorado, don't require Big Tech service providers to actually secure the data they are processing on behalf of businesses. They are only required to assist the controllers in their own data security," Martino said. He also covered how few states allow for businesses to object to a given use case or sharing by a sub-processor or sub-contractor.
Business uncertainty around privacy enforcement is another area a federal standard could shore up. State enforcers in California, Connecticut and Texas are beginning to use authority under comprehensive privacy laws, but other states without a comprehensive statute are invoking consumer protection laws to tackle privacy issues.
University of California Berkeley Center for Consumer Law and Economic Justice Senior Fellow Sam Levine, who served as director of the U.S. Federal Trade Commission's Bureau of Consumer Protection during the Biden administration, said the current U.S. privacy enforcement regime empowers companies to "basically do whatever they want, so long as they disclose it in their privacy (notice)."
He indicated a prescriptive federal law aimed at clarity and one reference point for enforcers would be beneficial for all stakeholders.
"The FTC's enforcement, state enforcement and privacy enforcement would be far more effective with bright line rules on what companies can collect, how they can use data and how it can be shared," Levine said. "Without that, you're going to continue to see a whack-a-mole approach that doesn't do enough to protect Americans' privacy."
Joe Duball is the news editor for the IAPP.