On Wednesday, the Senate Committee on Commerce, Science and Transportation conducted a hearing to revisit the potential for a national data privacy standard. While the Committee had met last December to discuss what Congress should consider when drafting a federal privacy bill, the game has since changed. Now that COVID-19 has drastically altered life as we knew it, with working from home, remote learning, and the whole country trying to curtail the spread of and recover from the pandemic, what was considered “merely urgent” 10 months ago is now “absolutely critical.” On the table was the Committee’s Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act, introduced on September 17, 2020, which served as a backdrop for the discussion.
From the start of the hearing, it was evident that the witnesses, four former Commissioners of the FTC and the California Attorney General, as well as the other hearing participants, unanimously agreed that now is the time for comprehensive U.S. privacy legislation, for several reasons:
COVID-19. A majority of workers are still working remotely, and children are starting school this Fall in online classrooms. As we rely – now more than ever – on social media, videoconferencing, chat rooms, and our smartphones to stay connected, and as we spend most days inside, surrounded by our Alexas, Nest thermostats and other IoT/connected devices, we’re starting to realize just how much data is being collected from us and how little protection and power we have. Individuals would also be more likely to provide health and location data and use “contact tracing” apps to help track the coronavirus, if that data were protected.
Current Data Privacy Laws Have Gaps. COPPA only protects the data of children under the age of 13. But as the Committee members pointed out, teenagers and young adults need protection too, especially in light of the shift to remote learning and the use of social media platforms such as TikTok. Likewise, HIPAA only applies to certain covered healthcare entities, leaving the data provided by consumers on health and fitness apps/devices unprotected. As technologies continue to advance and we enter the world of 5G, the law lags behind. And opt-in consent for everything (like the cookie banners and privacy policies we encounter on nearly every website) won’t cut it.
The “Patchwork” of State, Federal, and Industry-Specific Laws Isn’t Working. Consumers travel across the U.S. and, as of now, have different privacy rights in every state, leading to confusion for consumers, businesses, and law enforcement alike. Furthermore, the internet and data know no (state) bounds. Internet service providers cannot be expected to create different systems for each geographic area.
The U.S. Risks Losing Its Competitive Edge. Without a federal privacy law, the U.S. will take a backseat on the global stage, and the GDPR will become the global privacy standard, with no input from thought leaders in the United States. And with the EU-US Privacy Shield now invalidated, we need to address alternative means for international data transfer for U.S. businesses that operate overseas, and reduce skepticism and concern from Europeans (and the rest of the world) about our own privacy regime.
As to what the framework of the U.S. privacy law should look like, the Committee members generally agreed that it should:
- Give consumers more control over their personal data, with the rights to access, modify, delete, and opt out of the sale of their personal information (provided that consumers are given meaningful choices and are not discriminated against for exercising their privacy rights);
- Use clear and plain language so that consumers can understand their rights;
- Be drafted to allow for flexibility with regard to advancing technologies and innovative data collection (such that the law is adaptable to future technologies); and
- Expand the enforcement and rule-making authority of the FTC, along with increased funding and a larger staff. While some Committee members floated the idea of an independent Data Protection Authority, the general consensus was that we should build on the experience of the FTC. The panel also recognized that the FTC’s other functions, antitrust and consumer protection, have a strong nexus with privacy.
Despite the consensus on the need for federal privacy regulation and the overall objectives of the legislation, there were still points of contention that must be resolved in order for a federal bill to pass:
Should citizens be granted a private right of action for violations of the federal law?
- YES: As one Congressman stated throughout the hearing, “a right without a remedy is no right at all.” Those in favor of a private right of action stated that it was critical for individuals to have the power to enforce their own rights. And as California Attorney General Xavier Becerra stated, attempting to enforce the rights of every private citizen is a massive undertaking, and state AGs just don’t have the capacity to do this.
- NO: Those against a private right of action cited concerns such as an increase in frivolous lawsuits (especially if the consumer is not required to show harm resulting from a privacy violation), class action lawsuits that only benefit lawyers and give little to actual victims, and the stifling of small businesses, which would not be able to engage in expensive defense litigation. The naysayers further noted that consumers would already be protected with the expanded enforcement authority of the FTC and administrative remedies within the company.
Should the federal law preempt state privacy laws?
- YES: “Preempting state laws should not mean weakening protections for consumers.” Those in favor of preemption argued that the federal law should/will be strong and robust enough to protect consumers without significant gap-filling by the states (referring to similarities with HIPAA and COPPA). Having a federal law that doesn’t preempt state laws creates the risk of some states going above and beyond the federal law, requiring all companies that operate in that economy to comply. The result, again, is just another patchwork of strong state laws against the backdrop of a weak federal law, with different expectations, rights, and compliance efforts across regions.
- NO: Those against preemption expressed concerns that all of the recent efforts by states to protect their consumers’ privacy rights (e.g., the CCPA in California, Illinois’s BIPA, Maine, Nevada, etc.) would be erased. As California Attorney General Xavier Becerra argued, the federal law should serve as a “floor” rather than a “ceiling,” and create a privacy baseline on which states can provide more stringent data protection.
Should the federal law apply equally to all businesses that collect consumer data?
- YES: Several of the speakers agreed that the federal legislation should be “technology-neutral,” and apply equally to any company collecting personal data.
- NO: Those against a uniform application of the law argued that compliance is easier for larger or international companies, especially those which have already implemented steps and procedures to comply with the GDPR and CCPA. Small businesses and startups, on the other hand, may struggle with such implementation and may not be able to survive a potential violation and subsequent lawsuit. There should be distinctions for compliance based on company size, how much personal data the company collects and uses, and whether that data is particularly sensitive or risky.
Other notable arguments made at the hearing that may impact the U.S.’s federal privacy response:
- As Senator Blumenthal (D-CT) noted, the late Supreme Court Justice Ruth Bader Ginsburg was a leader in the protection of privacy rights (citing her dissent in Spokeo v. Robins). Several Committee members agreed with him that the new Supreme Court nominee should also be an advocate for increased consumer privacy.
- As a country, we need to address systemic inaccuracy and racial bias issues before making laws that allow for the use of biometric technologies in law enforcement (citing a NIST study that found that, with facial recognition tools, Black, Brown, and Asian individuals were up to 100 times more likely to be misidentified than white males).
- We also need to address how to protect consumers from being manipulated by algorithms used by online platforms, and data filtering, which some argued is contributing to a growing polarization in the country.
The hearing left much to be discussed, but as the Committee Chairman, U.S. Senator Roger Wicker (R-Miss.), stated, we’re moving in the right direction. Members of the panel also noted that the SAFE DATA Act and the other proposed privacy bills share a lot of common ground, offering hope that a federal privacy law will be here sooner rather than later.