Businesses, consumer advocates and policy makers are largely in agreement that it's time for Congress to pass nationwide data privacy rules. This week, legislators in the House and the Senate will consider what exactly those rules should say. The conversation kicks off on Tuesday with a hearing in a subpanel of the House Energy and Commerce Committee. One day later, the Senate Commerce, Science and Transportation Committee will tackle the issue.
"Americans treasure their right to privacy," said Jan Schakowsky, D-Ill., who will oversee Tuesday's hearing as head of the Consumer Protection and Commerce Subcommittee. However, "we have seen time and again that self-regulation is not protecting consumers," she said in a statement, citing the massive 2017 Equifax data breach and Facebook's Cambridge Analytica scandal. "Congress needs to act, and this hearing is an important first step."
While stakeholders on all sides seem to agree that Congress should do something, one major point of contention is likely to be whether new federal rules should supersede state-based regulations. Lawmakers in California have already passed the California Consumer Privacy Act, which starting in 2020, will entitle Californians to what learn companies know about them and stop those companies from collecting or selling that information. Other states like New York and Washington are considering similar measures.
So far, it appears that Democrats -- who control the House but are the minority in the Senate -- want to give states the ability to set their own rules.
"States have been at the vanguard of protecting Americans," Drew Hammill, a spokesman for House Speaker Nancy Pelosi, told the Wall Street Journal. "All Americans have benefited from state privacy and data breach laws, so their role as policy innovator and law enforcer must be respected."
In December, a group of 15 Democrats in the Senate introduced a bill called the Data Care Act that would enact new data protections and limit the ways companies can use personal data. It would also let states to pursue their own legal actions against companies for privacy violations -- with room for federal regulators to intervene.
On the other side of the aisle, Sen. Marco Rubio, R-Fla., recently introduced the American Data Dissemination Act, which would compel the FTC to draft up new data privacy rules for congressional approval. In an op-ed, Rubio wrote that "a state-by-state patchwork of laws is simply not an effective means of dealing with an issue of this magnitude."
States have taken the lead on this matter because that there's no federal law that governs the collection, use, and dissemination of consumer information. There are multiple federal laws that regulate certain industries, or the handling of certain kinds of information -- but there are no comprehensive data privacy laws. In a recently-released report, the nonpartisan Government Accountability Office (GAO) urged Congress to pass new rules, noting that the Federal Trade Commission (FTC) needs more authority to protect consumers online.
On Tuesday, members of the House will hear from industry representatives who say federal rules should supersede state rules -- and consumer advocates who say otherwise.
Denise Zheng, the vice president for technology and innovation at Business Roundtable, says in prepared testimony that lawmakers should aim for "a comprehensive national law that ensures consistent privacy protections and avoids a state-by-state approach that leads to consumer confusion and makes compliance nationwide very challenging."
The Business Roundtable represents more than 200 CEOs of the largest American companies from a wide range of industries. Its tech sector members include the leaders of Apple, Amazon and Salesforce.
Zheng says in her testimony that a federal law should promote "a core set of individual rights," in part by giving consumers "the right to exert control over their data based upon the sensitivity of the information, including the ability to control whether their data are sold to third parties," as well as the right to delete personal data.
Dave Grimaldi, EVP for Public Policy at the Interactive Advertising Bureau (IAB), will similarly urge Congress to step in and preempt "a patchwork of ambiguous and inconsistent state laws that will create uncertainty for business and uneven protections for consumers."
However, the IAB doesn't think Congress should focus on consumer control. "Instead, Congress should develop clear rules that describe which data practices are permitted and prohibited," Grimaldi says in his testimony.
"Notice-and-consent" laws, he says, "impose significant burdens on consumers, such as rampant over-notification leading to consent fatigue in consumers and creating an indifference to important notices regarding their privacy."
The nonprofit advocacy group the Center for Democracy and Technology (CDT) also opposes a "notice-and-consent" framework. However, unlike the business groups, the CDT endorses giving states more independence.
"State attorneys general must be granted the authority to enforce the federal law on behalf of their citizens," CDT President Nuala O'Connor says in her prepared testimony.
"A law with the scope CDT are proposing will bring large numbers of previously unregulated entities into a proactive regime of new privacy and security requirements," she says. "There will simply be no way for a single agency like the FTC to absorb this magnitude of new responsibilities Additionally, each state has a unique combination of demographics, prevailing industries, and even privacy values, and many privacy or security failures will not affect them equally."
Brandi Collins-Dexter, of the online civil rights organization the Color Of Change, will similarly testify that "What we need is clear, federal baseline legislation that does not preempt innovative state policy laws but ensures basic rights for everyone in the United States."