On December 4, the Senate Commerce, Science, and Transportation Committee held a hearing titled “Examining Legislative Proposals to Protect Consumer Data Privacy” a week after two competing proposals were released: the “United States Consumer Data Privacy Act of 2019” (CDPA) and the “Consumer Online Privacy Rights Act” (COPRA) (S.2968).
Chair Roger Wicker (R-MS) stated “[f]or the past year, members of this committee have worked to develop a strong, national privacy law that would provide baseline data protections for all Americans.” He stated that “[g]iven the 2018 implementation of the European Union’s General Data Protection Regulation, the passage of the California Consumer Privacy Act, and near-daily reports of data breaches and misuse, it is clear that Congress needs to act now to provide stronger and more meaningful data protections to consumers and address the privacy risks that threaten the prosperity of the nation’s digital economy.” Wicker stated that “[t]he input of a large number of stakeholders, including consumer advocacy groups, state and local governments, nonprofits, and academia, have all been successful in this effort.” He said that “[r]epresentatives from private industry, such as retailers and convenience stores, software, internet, and cloud service providers, technology companies, small businesses, and several other job creators in my home state of Mississippi and across the country, have also provided thoughtful insights to this committee.”
Wicker stated that “[t]hroughout this process, we have heard many ideas about how best to protect data from misuse and unwanted collecting and processing.” He remarked that “[t]hese ideas involve providing all Americans with more transparency, choice, and control over their data, as well as ways to keep businesses more accountable to consumers when they seek to use their data for other purposes.” Wicker stated that “[w]e have heard proposals about how to strengthen the Federal Trade Commission to ensure it has the tools and resources it needs to take swift action against bad actors in the marketplace and effectively respond to changes in potentially harmful technology. That is the FTC’s role as the primary enforcement authority over consumer data privacy.”
Wicker stated that “[a]n important element of this conversation has been how to achieve each of these goals while preserving the economic and social benefits of data.” He said that “[t]hese benefits not only drive increased productivity, convenience, and cost savings, but they also spur job creation and promote U.S. leadership in technology developments…[and] ultimately, to foster continued innovation among our country’s entrepreneurs and job creators, Americans need to maintain trust and confidence that their data will be protected and secure.”
Wicker stated that “[t]oday marks another step forward in the committee’s efforts to create a national data privacy law…[and] some of the proposals we will cover today seek to establish consumers’ rights and protections over their data in a manner that would provide certainty and clear, workable rules of the road for businesses in all 50 states.” He remarked that “[t]his hearing provides an opportunity to hear from expert witnesses on ways to refine these proposals. That should include a discussion on:”
(1) The benefits of creating a strong, national, and preemptive privacy law that provides consumers with certainty that they will have the same set of meaningful data protections no matter where they are in the United States;
(2) Secondly, the best way to make sure consumers know about, and have a right to opt-out of, the data collection practices of businesses they deal with;
(3) How requirements on businesses to limit the amount of data they collect and retain about consumers may impact product development and innovation, or what content a consumer is able to view or engage with online;
(4) How heightened protections over more sensitive personal data, such as information about financial records and biometric information, would help prevent fraud, identity theft, and security breaches. And, whether companies should be required to provide similar heightened protections to non-sensitive data;
(5) The merits of creating accountability measures for businesses, including requirements to conduct privacy impact assessments when creating new products and services, and designating data privacy and security officers to oversee ongoing data practices;
(6) How empowering consumers with rights over their data and providing additional resources and authorities to the FTC would help strengthen data protections and confidence in the safety and security of the internet marketplace; and
(7) Finally, what enforcement mechanisms are the best way to ensure requirements in a law and see that privacy protections are enforced.
Ranking Member Maria Cantwell (D-WA) stated that “Cyber Monday was just a couple of days ago, and it set a record – nine billion in sales and an increase of 19% over last year.” She said that “[f]or the first time ever, it was three billion dollars that came from people using smartphones to make those purchases.” Cantwell stated that “[s]o it’s not just Cyber Monday that’s reminding us, because we all know that we buy groceries, fill prescriptions, pay bills, connect to home devices to the internet, apply for loans, stay connected with family and friends, and social media, and so much more of our lives are lived online.” She contended that “[w]hich means more information is shared, which means deeply, sometimes personal, information is shared…[a]nd that information can be used to be targeted or to exclude consumers, to be sold, or even worse, it can be stolen.” Cantwell added “[a]nd that’s why we’re here today…[b]ecause we want to protect consumers’ privacy rights…[and] [w]e believe to do that you need strong enforcement and mechanisms to make sure that those rights are protected.”
Cantwell stated that “[t]he risks that we face online are real…[and] [w]e know that companies today are using ads that might be only for the purposes of targeting what they think is a correct population – young men to work in software – but others can see those ads as discriminatory, or not making themselves available to what information is out there on a job.” She claimed that “Google’s Nest camera was involved in an alarming situation where a hacker was able to hack into a couple’s baby camera, shouting obscenities before they were able to disable the device.” Cantwell stated that “there’s the huge issue of marketed and stolen information: Social Security numbers, login information, drivers’ licenses, passports, all now going in the thousands of dollars on the dark web, and in fact in 2005 more than eleven billion consumers have had their information breached.”
Cantwell stated that “[i]t is Congress’ job to make sure Americans are protected and that this information, that is an ever-connected, ever-evolving world, is protected…[a]nd that is why a few weeks ago Senators [Chuck] Schumer (D-NY), [Sherrod] Brown (D-OH), [Patty] Murray (D-WA), [Dianne] Feinstein (D-CA), and myself, joined together to talk about a privacy framework, legislation from all of those committees, that we think would be important for the milestones, the privacy goals that we think should be met.” She noted that “[l]ast week, Senators [Brian] Schatz (D-HI), [Amy] Klobuchar (D-MN), [Ed] Markey (D-MA), and myself also introduced [COPRA], that guarantees rights to consumers and strong enforcement.” Cantwell stated that “[a]s the Chairman mentioned, many of our colleagues here – Senator [Richard] Blumenthal (D-CT), Senator [John] Thune (R-SD), Senator [Marsha] Blackburn (R-TN), and others – have been involved in these privacy discussions as well, and we welcome everyone’s input on how we move forward.”
Cantwell explained:
The important things that we think should be there is that you should have the right to make sure your data is not sold. That you have the right to make sure your data is deleted. That you have the right to make sure that you’re not discriminated against with data, and the right to have plain old transparency about what is being done on a website. All of these things are tangible and meaningful for consumers. I say they just need to be clear as a bell so that people understand what their rights are and so they know how to enforce them.
Cantwell stated that “[s]o today we’re here to hear from a group of witnesses who are going to tell us how those issues might be interpreted for the future…[b]ut I think the director of the New York Law School’s Innovation Center, Ari Ezra Waldman, recently made a statement that really resonated with me…[h]e said, ‘we can pass any laws we want, but if there’s no way to enforce them, then what’s the point?’”
Cantwell stated that “[s]o today we also have to talk about enforcement, because enforcement is going to be the key to making sure that privacy rights are actually upheld, that the consumer is truly protected…[a]nd if we want the consumers to have that protection, then we also have to make sure that there’s accountability, that there’s whistleblowers, that there is cases against abuses that might happen. If your privacy rights are violated, you need to be first able to find out about it, and then you need to have the power to do something about it as well, and that is why we think our strong legislation does so.”
Cantwell stated that “[b]ut I also want to say how much this issue is evolving…[and] [t]oday’s Seattle Times features a very large announcement by the Knight Foundation and the University of Washington, and Washington State University, on this issue of the public being fooled by online manipulation – whether that is news stories, digital forgeries, or fakes.” Cantwell stated that “[t]hey want to focus on developing research and tools to resist misinformation, promote an informed society, and strengthen the discourse and discussion in America.” She added that “I’m so proud that these institutions are taking on this challenge, and that this kind of national initiative in our legislation, with NIST, the National Institute of Standards and Technology, at the Department of Commerce, would be empowered in the legislation we introduce to help with this effort.”
Former Commissioner of the Federal Trade Commission and Microsoft Corporate Vice President and Deputy General Counsel Julie Brill stated that “Microsoft believes that comprehensive federal privacy legislation should adhere to four key principles: transparency, consumer empowerment, corporate responsibility, and strong enforcement:”
- Transparency. Transparency is a centerpiece of virtually all data privacy laws existing today. American consumers should have the right to be informed, in a concise and understandable manner, about what personal information companies collect about them, and how that information is used and shared. Companies should provide this information in a context-appropriate fashion at the most meaningful times during the consumer’s experience.
- Consumer Empowerment. User control is also a central feature of strong privacy laws. American consumers should be empowered to control their personal information and to express their privacy choices in accordance with rapidly-emerging global norms. In particular, consumers should have rights to access, correct, and delete their personal information, and to move their data to other providers. In addition, Microsoft believes that federal privacy legislation should specifically regulate practices that consumers do not expect and that have a particularly high impact on consumer privacy, such as the collection and sharing of personal information by data brokers that operate behind the scenes, and are unknown to consumers. To ensure that consumers can meaningfully exercise their privacy rights with respect to data brokers, federal privacy legislation should build on concepts from the data broker laws enacted by Vermont and California. The federal law should require data brokers to register with the federal regulator, and to provide information about the kinds of data they collect and sell, the location of the consumers whose information is affected, and details about how consumers can exercise their data control rights.
- Corporate Responsibility. Companies should act as responsible stewards of consumers’ personal information, and should be accountable for their actions. This should include affirmative obligations for companies to minimize the amount of personal information they collect—limiting it to the data that is reasonably necessary for the purposes of collection—and to apply technical and other measures to protect that information. Companies also should be required to analyze and improve their internal systems to ensure that they are using consumer data appropriately and in accordance with reasonable consumer expectations, and to document and make these assessments available to an oversight authority upon request. Ultimately, the higher the risk inherent in the proposed use of data, the greater a company’s responsibility should be to protect that data. And, as noted above, companies should have affirmative duties to reasonably secure personal information from unauthorized access, and to guard against unlawful discrimination in violation of federal and state laws.
- Strong Enforcement. Congress should empower a strong central regulator, such as the FTC, to issue rules and to appropriately enforce the federal privacy law, and should provide the regulator with sufficient authority, technical capability, and funding to do so. This will help to ensure that the regulatory agency has sufficient capacity and expertise to engage in robust enforcement across the many diverse companies and industries that will be in scope. A strong federal law should also empower the State Attorneys General to enforce the provisions of the law.
Former Acting-Chair of the Federal Trade Commission, 21st Century Privacy Coalition Co-Chair, and Baker Botts Partner Maureen Ohlhausen stated that “[w]e strongly believe that Congress needs to enact federal privacy legislation that includes three key attributes:”
1. Reflect consumer preferences through simple choices based on the sensitivity of data
- We believe that an optimal approach would balance ease of use and transparency by giving consumers clear and simple privacy choices based on the nature of the relevant information itself—its sensitivity and the risk of consumer harm if such information is the subject of an unauthorized disclosure. A federal privacy law should promote consumer control and choice by imposing requirements for obtaining meaningful consent based on the risks associated with different kinds and uses of consumer data. We also believe that consumers should have certain rights of access, correction, and deletion where appropriate.
- So-called sensitive personal information, such as health and financial information, real-time geo-location information, social security numbers, and children’s information, should be subject to the highest protections. In turn, to reflect consumer expectations and preferences, there should be less-stringent requirements on non-sensitive personal information, as well as information that is de-identified or aggregated because such information has a lower risk of consumer harm or association with a particular individual. And, for certain types of routine operational uses, consent should be inferred. As recognized by the FTC in its 2012 Report, these uses, which include order fulfillment, fraud prevention, network management, and some forms of first-party marketing, are expected by consumers and provide them a variety of benefits, including knowing about promotions and discounts tailored to their existing services and products.
2. Provide a national and uniform set of protections and consumer rights throughout our digital economy
- As discussed above, a new federal privacy law should provide meaningful consumer control and choice over consumers’ personal data based on the sensitivity of such information. Such strong privacy protections need to apply to consumers regardless of where in the United States they live, work, or happen to be accessing information. By its very nature, the Internet connects individuals across state lines. Put simply, data (and, increasingly, commerce) knows no state boundaries. For this reason, state intervention in this quintessentially interstate issue is problematic, no matter how well intentioned it may be. A proliferation of different state privacy requirements would create inconsistent privacy protections for consumers, as well as significant compliance and operational challenges for businesses of all sizes. It also erects barriers to the kind of innovation and investment that is a lifeblood of our nation’s economy and to many beneficial and consumer-friendly uses of information. Indeed, even the authors of California’s 2018 privacy law recognized the wisdom of preempting municipal privacy laws.
- Federal legislation should also be technology-neutral and apply to all entities across the internet ecosystem that make use of consumer data, whether technology companies, broadband providers, or retailers, all of whom are represented on today’s panel. What matters is not who collects the data, but what data is collected, how sensitive it is, and how it is protected and used.
3. Ensure strong accountability and enforcement that best protects consumer interests
- The Members of this Committee recognize that Congress must develop a law that guarantees strong privacy rights to consumers and adopts best practices from state laws, while creating uniformity across the nation. But preempting state laws should not mean weakening protections for consumers. A federal consumer privacy law needs to be a strong one. The Coalition believes that states, as well as the FTC, have a critical role to play in protecting and enforcing those rights.
- The FTC should have the primary authority to enforce a national privacy law. As privacy concerns become weightier and more complex, the FTC is reaching the limits of its current tools. Under its existing legal regime, in which the FTC polices privacy under its Section 5 authority to prevent unfair and deceptive acts or practices, when the FTC goes after a company for an initial privacy violation, it can require the company to change its practices through a consent order. In very limited circumstances, the FTC can obtain (non-punitive) monetary redress for consumers if the agency can show direct consumer losses. Only if a company later violates that order—and a judge agrees there has been such a violation—can the FTC impose a financial penalty (as opposed to obtaining consumer redress).
- We believe the FTC needs to be able to fine companies for first-time violations of the new, comprehensive privacy law to provide sufficient incentives for companies to take the necessary steps to ensure responsible use and protection of consumer data. In certain cases, Congress should also give the Commission the authority to issue rules to fill in gaps in the law and to keep up with developments in technology. These rules will add clarity to the law so that companies understand what kind of behavior is out of bounds as technology and business practices evolve.
- Congress must also provide the FTC with more resources to protect consumer privacy in America. Despite the ever-growing need for privacy enforcement, the FTC’s budget has been flat since 2013. The number of full-time employees lags behind where it was in the early 1980s—nearly four decades ago, when the phrase “big data” meant an encyclopedia and the United States had one hundred million fewer people. The Internet and the collection, use, and sharing of consumer data have grown enormously without a similar boost in FTC resources. We urge Congress to address that widening gap if we are serious about tackling an issue as important and complicated as consumer privacy.
Georgetown University Law School Associate Professor and Communications & Technology Law Clinic Director Laura Moy said she wanted to “make six points:”
1. Congress must accept that a strong consumer privacy law will force business practices to change. That change will be costly for companies. Companies may protest a strong privacy law, but Congress should take its lead from people, not companies. Congress should accept that meaningful regulation requires an adjustment period.
2. Privacy legislation must contain use restrictions. It is not enough to require companies merely to disclose what they plan to do with consumer data; rather, they should be restricted to uses that are reasonable. And some applications of consumer data should simply be off-limits.
3. Congress must not accept legislation without civil rights protections. The most troubling use of data is to facilitate discrimination. Congress should prohibit uses of data that selectively deny access to—or awareness of—opportunities in housing, education, finance, employment, and healthcare.
4. Congress should not step on states’ toes. As Congress considers establishing new privacy and data security protections for Americans’ private information, it should not eliminate existing protections that already benefit Americans at the state level. Nor should it preempt the states’ right to develop new ways to protect their citizens. States are innovating in this space right now and making valuable contributions.
5. There are valuable provisions in multiple bills before this committee. The Committee should be commended for working diligently and creatively to develop legislation that meets growing demands for privacy protection.
6. If Congress cannot agree on legislation that embodies the Public Interest Privacy Legislation Principles, it should not act. One option before Congress is to hold its pen. If Congress cannot produce a bipartisan bill that synthesizes the valuable provisions across bills to embody the principles advanced by public interest organizations over a year ago, perhaps it should wait—and allow states to continue to fill the gap.
Center for Democracy and Technology Privacy and Data Director Michelle Richardson highlighted “a number of key issues” and discussed “how they can be addressed in legislation:”
- Covered entities. It’s crucial that any comprehensive privacy law cover all private sector entities that collect, use, and share personal information. This includes not only the prominent tech companies that have captured our attention recently, but also not-for-profit entities and the communication providers that are currently under FCC jurisdiction for privacy and security enforcement. Creating a single federal standard will ensure that individuals can rely on the same baseline rights as they move across the digital ecosystem. To that end, Chairman Wicker’s staff discussion draft is one of the more comprehensive proposals. We also recommend that legislation not categorically exempt small businesses.
- Covered data. It is also important that legislation cover all personal data even if the Committee decides that there may be tiers of sensitivity that warrant different substantive requirements. We strongly recommend that the committee define covered personal information consistent with current FTC guidance which is best reflected in Ranking Member Cantwell’s draft bill as “information that identifies, or is linked or reasonably linkable to an individual or consumer device, including derived data.” The additional qualifier that this data “can be used on its own or in combination with other information held by, or readily accessible to, the covered entity” as proposed in the Wicker staff draft may be overly restrictive. Distinguishing between data that is linkable and that which is not serves two purposes. First, to discourage first parties from unnecessarily associating information with real people, but second, to offer downstream protections when information is shared with affiliates, third parties, or even in the instance of a data breach. These additional reasons for storing and using data in de-identified format will be frustrated by a definition that so heavily focuses on first party linkability.
- Data use. Both Chairman Wicker and Ranking Member Cantwell’s bills begin to address the exceptionally hard question of whether and how to regulate the use of data beyond any opt-in requirement. The FTC continues to develop a body of common law to prohibit certain data uses on a case by case basis, but a federal privacy law can and should go one step further to categorically prohibit some of the riskiest data uses.
- Data use limitations exist to some extent in Chairman Wicker’s minimization section and Ranking Member Cantwell’s loyalty section. The committee could also borrow from legislation sponsored by Senators Blunt and Schatz on facial recognition technology and Senator Markey’s comprehensive privacy bill. Ultimately, data use limitations must go beyond limiting data use to what a company says it will do with data, to creating an objective limitation regardless of what any one privacy policy entails. While there are a number of ways to craft this, a clear purpose limitation on sensitive data will make great strides towards aligning consumer knowledge and expectations with corporate behavior. To the extent that some provisions peg data use to what a company believes is a “reasonable” consumer expectation, they may be subject to bad faith arguments or protracted litigation about what exactly a “reasonable consumer” is.
- Artificial intelligence and civil rights. Both bills recognize the importance of providing oversight of artificial intelligence programs and reinforcing longstanding discrimination laws that may be undercut by current data practices. Despite their differences, we hope this signals a commitment to addressing these issues in any final privacy and security legislation. CDT prefers the breadth and depth of Ranking Member Cantwell’s approach and looks forward to working with the committee on refining these requirements as necessary as the legislation moves forward.
- Data security. CDT commends Chairman Wicker and Ranking Member Cantwell for including data security requirements in their draft bills. Close to half of US states do not have a general purpose data security law, and FTC enforcement under its Section 5 authority will always be limited to what its resources allow. We recommend combining the two and adding one additional provision. First, the committee should adopt Chairman Wicker’s base text in section 204 regarding the requirements of a reasonable data security program. Second, the committee should adopt Ranking Member Cantwell’s scoping of data to be covered. Her draft protects not only sensitive information, but all personal information. Because both bills impose a reasonableness standard that will peg to the size and complexity of the organization and the sensitivity and use of the data, it is unnecessary to exempt certain data sets from the overall security requirement. Third, this section should provide overall rulemaking for the FTC. Right now, the Wicker and Cantwell bills require guidance or limited rulemaking, but it is time for the longstanding guidance of the FTC to be written into regulation. To the extent that some in the corporate sector have criticized the FTC’s data security requirements as too vague despite long-standing guidance in this space, they will benefit from having regulations on the books to better describe requirements.
- Opt in requirements for sensitive data. Both bills include a comprehensive list of sensitive data that is subject to affirmative, express consent. The differences are minimal but the definitions should be amended in a few key ways. First, the committee should adopt an expansive definition of health information, and we recommend borrowing from CDT’s model legislation which incorporates not only data that reflects a person’s mental and physical status, but data that is processed for health or wellness purposes. As Senator Klobuchar and Murkowski recognize in their Protecting Personal Health Data Act, apps, wearables, and devices are creating and collecting intensely personal information that can be used in ways that greatly affect a person’s mental and physical well-being. Any definition should ensure that these resulting data sets receive heightened protection.
- Product development exception. In general, the list of exceptions to the opt-in right contains reasonable data use that is core to offering the product an individual signs up for. They fairly recognize that some data processing is absolutely necessary to offer safe and effective products and cannot be opted out of either individually or at scale. However product development as listed in Chairman Wicker’s staff discussion draft is meaningfully different from the rest of the data uses. It permits companies to collect data without someone’s consent even if they have no understanding of how it will be used or whether they will benefit from the use at some point in the future. Since product development is solely for the benefits of the companies who collect the data – unlike everything else on this list of exceptions – it should not be done without an individual’s consent. To the extent the Committee does not want to inhibit innovation, it should further explore why the de-identification carve out is insufficient for product development, and whether some middle ground should be created for processing data this way.
- Access, correction, deletion, portability. The individual controls are comprehensive. Our only suggestion is that the Committee include the timelines drafted into Wicker’s staff discussion draft to ensure that rights are afforded on a reasonable timeframe.
- Data broker registry. We commend the Wicker staff draft for including a data broker registry housed at the FTC. A registry will ensure that individuals can discover and exercise their rights against data brokers who have amassed incredible amounts of sensitive data on the average American. While many of the provisions in both the Cantwell and Wicker drafts may slim down the amount of information that eventually ends up in data broker databases, these entities are likely to continue collecting information and will still be holding data that has been accrued over decades of largely unregulated data use. That someone can exercise their access, correction, and deletion rights against these entities is the best protection against future data abuse.
- Enforcement. Both Chairman Wicker and Ranking Member Cantwell’s drafts include meaningful enforcement mechanisms, but they differ in a few important ways. First, Ranking Member Cantwell includes a private right of action (PROA) for all violations of the law. CDT believes a targeted private right of action is necessary for meaningful enforcement. This is not only because the number of entities that will be swept under new regulations will necessarily dwarf the resources of the FTC and state attorney generals, but because our history is full of instances where government actors simply did not have the wherewithal to be first movers on important social issues. Because private litigation has served such an important function in civil and consumer rights enforcement in the past, it should be reserved in some form in federal privacy legislation. It is important to note that all 50 state unfair and deceptive practice laws include some form of a private right of action, even if substantially limited. If a privacy bill seeks to categorically move privacy and data security out of these laws, it should ensure that consumers are at least equally positioned to defend their rights as they are now. The proper balance likely lies between the Cantwell and Wicker drafts in a specific delineation of what provisions can be enforced by PROA and under what conditions. State and federal laws are full of examples where PROAs are crafted to limit litigation to the most important harms. We recommend that the Committee consider this approach to find the right way to maximize accountability and minimize nuisance litigation. Such litigation controls could include opportunities to cure, harm requirements, reduced or nonexistent damages or prior agency review, for example. We look forward to working with the Committee further on finding the right way forward on PROAs.