On October 10, the Senate Committee on Commerce, Science, and Transportation held a second hearing on data privacy that invited advocates and experts to discuss a federal privacy law. The panelists included Andrea Jelinek, director of the European Data Protection Board; Alastair Mactaggart, chair of Californians for Consumer Privacy; Laura Moy, executive director of the Georgetown Law Center on Privacy and Technology; and Nuala O’Connor, president of the Center for Democracy and Technology. Consistent with the previous hearing on data privacy, the discussion focused on two issues: (1) potential components of a federal privacy bill, particularly data breach notification, preemption of state law, and the scope of consumer rights; and (2) enforcement authority under a new federal privacy regime.

First, the witnesses generally agreed on the main components to be included in a new federal privacy law.  The witnesses expressed the need for stronger data breach requirements, which was met with enthusiasm from Senators Hassan (D-NH) and Klobuchar (D-MN). Senator Klobuchar asked the witnesses how they would view a 72-hour notification requirement like the one in her proposed bill, the Social Media Privacy Protection and Consumer Rights Act of 2018 (also discussed in a previous Inside Privacy post), and the witnesses generally expressed agreement. Dr. Jelinek added that the General Data Protection Regulation (“GDPR”) requires companies to keep data only as long as it is needed, a requirement that could result in less data being at risk in the event of a breach. Professor Moy noted that the current U.S. regime misaligns data retention incentives because companies have strong financial motivations to keep data as long as possible. She noted that clear rules and effective enforcement are essential to limit the amount of data that can be compromised.

The witnesses generally agreed that a federal privacy law should not be weaker than state privacy laws. Mr. Mactaggart stressed that a federal law must be at least as protective as the California Consumer Privacy Act (“CCPA”). He emphasized that a federal law should be a “floor,” not a “ceiling,” meaning that states could institute additional privacy requirements above those required by the federal law. Ms. O’Connor stressed that a “patchwork of state laws” at the state level and a sectoral approach to protect data based on its type (health data, financial data, children’s data) may have made sense a decade ago, but it now leaves a significant amount of personal information unprotected.

The witnesses also generally agreed on consumer rights related to data. Ms. O’Connor stated in her written testimony that a new federal privacy law should limit some types of data collection and processing to uses germane to the service requested by the user, such as collecting precise location information, biometric information, healthcare information, and children’s information. Further, both Ms. O’Connor and Professor Moy emphasized that a new law should prohibit discrimination using data. As Mr. Mactaggart clarified in response to Senators’ questions, a non-discrimination provision would not prevent consumer loyalty programs, but a price differential between allowing a company to collect data and not allowing a company to collect data under the CCPA cannot be coercive.

Second, the hearing discussion focused on the need for meaningful, effective enforcement. Ms. O’Connor and Professor Moy stressed the need for stronger enforcement in response to questions from Senators Markey, Klobuchar, and Schatz. They both recommended that the FTC be vested with greater authority, including rulemaking power and the ability to levy monetary fines. To support this recommendation, they explained that rulemaking power allows the FTC to be agile as technology changes and as new rules need to be developed. As Professor Moy phrased it, meaningful fines elevate privacy and data security issues to a position of importance for company strategy. In addition, Ms. O’Connor and Professor Moy both stressed that state attorneys general should also be provided with the power to enforce the federal privacy law. Not only can state attorneys general enforce smaller violations that do not necessarily rise to the attention of a national enforcer like the FTC, but state attorneys general also have been successful at working to help businesses and communities understand their obligations, Professor Moy stated.

This hearing is expected to be one of an ongoing series of hearings on data privacy hosted by the Senate Committee on Commerce, Science, and Transportation.

 

Jayne Ponder

Jayne Ponder provides strategic advice to national and multinational companies across industries on existing and emerging data privacy, cybersecurity, and artificial intelligence laws and regulations.

Jayne’s practice focuses on helping clients launch and improve products and services that involve laws governing data privacy, artificial intelligence, sensitive data and biometrics, marketing and online advertising, connected devices, and social media. For example, Jayne regularly advises clients on the California Consumer Privacy Act, Colorado AI Act, and the developing patchwork of U.S. state data privacy and artificial intelligence laws. She advises clients on drafting consumer notices, designing consent flows and consumer choices, drafting and negotiating commercial terms, building consumer rights processes, and undertaking data protection impact assessments. In addition, she routinely partners with clients on the development of risk-based privacy and artificial intelligence governance programs that reflect the dynamic regulatory environment and incorporate practical mitigation measures.

Jayne routinely represents clients in enforcement actions brought by the Federal Trade Commission and state attorneys general, particularly in areas related to data privacy, artificial intelligence, advertising, and cybersecurity. Additionally, she helps clients to advance advocacy in rulemaking processes led by federal and state regulators on data privacy, cybersecurity, and artificial intelligence topics.

As part of her practice, Jayne also advises companies on cybersecurity incident preparedness and response, including by drafting, revising, and testing incident response plans, conducting cybersecurity gap assessments, engaging vendors, and analyzing obligations under breach notification laws following an incident.

Jayne maintains an active pro bono practice, including assisting small and nonprofit entities with data privacy topics and elder estate planning.