In late September and early October, the Senate Commerce Committee held a pair of hearings with tech companies and consumer advocates to explore the possibility of federal data-privacy legislation. The Committee invited representatives from tech giants such as Google, Amazon, and Twitter to testify in September, then in October invited Dr. Andrea Jelinek, Chair of the European Data Protection Board; Professor Laura Moy, Executive Director of Georgetown Law’s Center on Privacy & Technology; California data-privacy activist Alastair McTaggart; and Nuala O’Connor, President of the Center for Democracy & Technology. Both panels supported adoption of federal data-privacy legislation, but advanced different visions of what that legislation should look like.
The tech companies generally testified in support of legislation that would empower consumers to consent to data uses, ensure that consumers know what they are consenting to, and give consumers control over their data. The panel advocated for a law that would apply these principles uniformly (i.e., regardless of revenue model), would preempt state laws, and would be enforced by an FTC endowed with some (closely constrained) rulemaking authority. The companies unanimously opposed adopting the GDPR’s requirement that companies notify affected consumers within 72 hours of a data breach. Most of the panel supported an “opt-out” consent system, with only Charter supporting a consumer “opt in” for consenting to data use. Finally, the companies all cautioned that comprehensive regulatory regimes like the GDPR and the CCPA carry a significant cost of compliance, burden start-ups, and entrench market-dominant actors. For example, Google Chief Privacy Officer Keith Enright estimated that Google employees spent hundreds of years of human time trying to comply with the GDPR.
While some Senators – particularly Republicans – appeared to share the tech companies’ concerns regarding compliance costs, the industry panel faced tough questioning about its companies’ data practices. Senators Hassan and Baldwin both expressed concern that companies with data-for-services business models would fight meaningful data-privacy measures given the companies’ obligations to maximize profits. Senator Baldwin suggested that this conflict warranted closer regulation of companies with such business models. Several Senators also criticized the industry for not doing enough to comply with the Child Online Protection Act and for broadly sharing consumers’ data with advertisers and other third parties. Some Senators also singled out Google for its rumored work on a search engine for China.
The consumer advocates panel urged the Committee to adopt a more robust privacy bill. They believed that any legislation should prevent companies from using consumer data to discriminate in providing important services like healthcare and education, protect consumers from unwarranted third-party data usage, and prohibit companies from collecting and storing more data than is necessary to perform their services. The panel disagreed with the tech companies’ preference for uniformity, arguing instead that companies with data-for-services revenue models require closer scrutiny. The panel also supported imposing a 72-hour breach notification like the GDPR, increasing regulation of online political advertisements, and instituting data-portability measures. On enforcement matters, the panel supported endowing the FTC with broad rulemaking authority and enforcement powers, including direct fining authority. The panel had some disagreement on the issue of federal preemption, but generally believed that State Attorneys General could be utilized to police smaller data breaches and to communicate with local stakeholders.
The consumer advocates also disagreed with the industry’s portrayal of the GDPR and the CCPA. Dr. Jelinek argued that the GDPR is advantageous for start-ups, and considered the industry’s complaints about the cost of compliance to be overblown. She noted that the number of hours Google says it devoted to GDPR compliance was reasonable given the company’s size, and that tech companies would have had lower compliance costs had they been abiding by the EU’s earlier data-privacy directive. Along the same lines, Mr. McTaggart explained that the CCPA does not harm start-ups because it exempts companies with less than $25 million in revenue from several of its requirements.
The Senate Commerce Committee hearings show that the consensus on federal data privacy legislation extends to its need, but not to its details. Tech companies support a regulate-with-caution approach. They are worried about compliance costs, and, more fundamentally, about disrupting the data-for-services model that is both lucrative for the companies and (at least when performed responsibly) beneficial for consumers. Accordingly, they would put the onus on consumers to determine how companies can use consumer data – for example, with opt-out consents – and would minimize the scope of federal regulatory authority. On the other hand, the consumer advocates are skeptical of replacing a robust data-privacy measure in California with the comparatively lax federal approach backed by the tech companies. They see a fundamental disconnect between the data-for-services revenue model and data-privacy regulations, and accordingly want an enforcement mechanism with some teeth. They would also put the burden on large tech companies to ensure that consumer data is secured and used strictly for the purposes intended by the consumer. Whether these differences will prevent federal data privacy legislation from coming to fruition remains to be seen.