This past Wednesday, the Senate Commerce Committee held another hearing on consumer data privacy, this time giving voice to prominent privacy advocates. Previous testimony in September from leading technology businesses focused on concerns with the complexity of having to comply with a patchwork of different state privacy regulations, broad definitions of “personal information” in the California Consumer Privacy Act (CCPA), and a desire to see Federal legislation enacted that would preempt state laws and create a single, unified US privacy law.

While a national privacy law would simplify compliance, in Wednesday’s hearing Nuala O’Connor, the President and CEO of the Center for Democracy & Technology, cautioned the committee that the “price of preemption would be very, very high”, and Laura Moy, Executive Director and Adjunct Professor of Law at the  Georgetown Law Center on Privacy & Technology, laid out in her written testimony six strong recommendations that we should expect to see in any proposed national standard:

  • There are appropriate and inappropriate collections and uses of Americans’ information –  baseline obligations should attach to all collections and uses of consumer data, and inappropriate use should be clearly defined.
  • Privacy protections should be strongly enforced by an expert agency – she specifically cited past requests for civil penalty authority by the FTC, and the need for additional staff and resources if this agency were to be the FTC.
  • Privacy protections should also be enforced by state attorneys general – if there is to be a national standard, then State Attorneys General should also be able to enforce that standard, as they currently are able to do with other national legislation that requires large-scale enforcement, like the Fair Credit Reporting Act (FCRA.)
  • Privacy and data security protections should be forward-looking and flexible – any new privacy and data security standards must be able to keep up as technology advances.
  • Protections for Americans’ private information should take into account the context in which information is shared – this echoes the “Respect for Context” protection included in the “Consumer Privacy Bill of Rights” proposed in the Obama administration publication Consumer Data Privacy in a Networked World: a Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.
  • Congress should not eliminate existing protections for Americans’ information – any new legislation should take care not to weaken or eliminate existing protections that are already benefiting Americans in state or other federal laws.

Full transcripts of the Majority Statement and the witness panel testimony can be found here:
https://www.commerce.senate.gov/public/index.cfm/2018/10/consumer-data-privacy-examining-lessons-from-the-european-union-s-general-data-protection-regulation-and-the-california-consumer-privacy-act

Video footage also available via C-SPAN:
https://www.c-span.org/video/?452550-1/senate-panel-data-privacy-protection

We expect to see continued attention to proposals at the federal level and will provide updates as new developments occur.