If the action from the 116th Congress matches only half of the noise it is making regarding the tech industry, the next few months are likely to see a revolution in the government’s approach to regulation in our digital era. The past few weeks have seen tremendous activity, from congressional hearings to new bills being introduced. While many of these bills were discussed in our February 14 webinar, “From Enforcement to Regulation: Legislative Trends for the Tech Industry,” there have been considerable developments since then, which we address below.
Congressional Hearings
The House Energy and Commerce Committee held hearings on February 26, with the Senate Commerce Committee following with hearings on February 27 and March 26. The Senate Judiciary Committee held additional hearings on March 12. These hearings developed several consistent themes. First, the impetus for a federal bill on privacy issues is coming from fears of a patchwork collection of state legislation on the collection and security of data. Second, there is a reluctance by several members of Congress to limit the effect of extant state laws on these issues. And third, there is a general consensus that the Federal Trade Commission (FTC) and state attorneys general should have enforcement authority, while it is uncertain whether there should be a private cause of action.
Need for Federal Law
In the House hearing on February 26, Republican Rep. Greg Walden said that standards for privacy and security “should not change depending on where you live in the United States.” Similarly, Democratic Rep. Jan Schakowsky noted that “without a comprehensive federal privacy law, the burden has fallen completely on consumers to protect themselves, and this has to end.” While industry groups have echoed these calls for a federal bill as a way to harmonize the law across the country, several panelists before the House also cautioned about the harmful competitive effects of getting a privacy bill wrong. Looking to Europe’s GDPR, panelists from the American Enterprise Institute and the Interactive Advertising Bureau noted that preliminary observations indicate that its implementation has produced greater market power for large industry incumbents while also limiting consumer options, as some businesses have simply decided that the easiest way to comply with Europe’s law is to withdraw from the European market. In the Senate Commerce Committee hearings, Chairman Roger Wicker echoed calls for a federal law, stating that “[w]hile there are some glitches in the California law [the California Consumer Privacy Act (CCPA)] that affected its strong protection, it seems to have support on both sides of the aisle. I agree with the witnesses that [a federal law will] be stronger and better.” In the Senate Commerce hearings in March, Justin Brookman of Consumer Reports stated that “consumers understandably feel they have lost all control or agency over their data,” and he commended the Senate for undertaking hearings to address the “relatively universal acknowledgment that some new legislation is needed” (emphasis in original). Nina Dosanjh, speaking on behalf of the National Association of Realtors, specifically addressed the concerns of small businesses in her appearance before the March Commerce Committee hearing. 
Calling for statutory obligations for all service providers handling consumer data, she noted that “small businesses … are often in substantially the same position as an individual consumer when negotiating a contract with a large service provider.” Accordingly, she urged that “data service providers … need direct statutory obligations to ensure they comply with relevant laws to govern information.”
Consumer opt-outs for data collection have long been the norm for Internet traffic in America. This stems from the baseline for America’s privacy regime in the Fair Information Practice Principles and their call for “notice and choice” regarding data. Court cases have held that a consumer’s continued use of a website which discloses in its terms and conditions that it tracks online activity acts as acquiescence to that tracking. This standard came in for significant criticism from several senators before the Senate Judiciary Committee. Democratic Sen. Dianne Feinstein from California said, “I also believe affirmative opt-in consent should be the standard, and that’s a position I have taken for years. Not opt-out.” The issue of opt-in/opt-out was a focus of questioning from Democratic Sen. Mazie Hirono from Hawaii. When asked whether they supported an opt-in approach, several panelists opposed it in toto while others feared that opt-in/opt-out created a “take it or leave it” approach, and that once a consumer opted in, it would be, in the words of Alistair Mactaggart (the sponsor of the initiative that prompted the CCPA), “business as usual.”
Limitation of State Standards
In the hearing before the Senate Judiciary Committee, ranking member Sen. Feinstein noted that since California is home to the largest businesses in the tech industry, “California is home to the strongest state privacy law in the nation.” Furthermore, she said, “I will not support any federal privacy bill that weakens the California standard.” Google’s Will DeVries stated, “Now more than ever, there is momentum for and consensus around creating a federal privacy law. We welcome this, and reaffirm our long-standing support for smart and strong comprehensive privacy legislation.” Additional industry support for federal legislation came from Intel’s David Hoffman, who said, “GDPR and CCPA have substantial negative impacts to innovation and competition …. We need a uniquely American law that is stronger and better than GDPR and CCPA.” Republican Sen. Thom Tillis of North Carolina sounded a cautionary note; while supporting a federal law with pre-emption, he strongly warned about getting it wrong through “Dodd-Frank-like” overreach.
Testifying before the Senate Commerce Committee, Victoria Espinel of BSA | The Software Alliance, whose members include many leading technology companies, appeared to echo Sen. Feinstein’s comments when she stated:
In addition, in order to provide consistent expectations for consumers and clear obligations for companies across the country, it would be appropriate for a strong federal law to replace, but not undermine the protections in, state laws. We recognize that states, such as California, have been leaders on this issue, passing laws aimed at enhancing consumer privacy protections. Importantly, the aim of a consistent national standard is not to weaken privacy protections provided by California or other state laws. Rather, the aim is to strengthen those laws by providing comprehensive, clear, and consistent protections for consumers across the country.
While many industry players might prefer that federal pre-emption eliminate certain provisions of our current patchwork approach to privacy, Sen. Feinstein’s comments were vehement and Espinel’s comments were amenable to working within the confines of current legal standards. It will therefore be interesting to see whether an eventual agreement results in support for a bill that preserves the more aggressive elements of the state-based status quo in order to move the issue from the state houses to Congress.
Enforcement
In early March, at the National Association of Attorneys General meeting in Washington, D.C., Federal Trade Commission Chair Joe Simons stated that if Congress enacts federal privacy legislation, he hopes that it will allow for state attorney general enforcement.
In addition to state attorney general enforcement, there was much discussion of and support for the idea that the FTC should be able to secure fines and penalties for violations. Espinel noted that “it will change cultures internally if companies know that for a first violation, the FTC has the authority … to issue a fine ….” The current FTC enforcement regime is based on its original 1914 act, which allowed only for administrative actions. While its powers have expanded over the intervening decades, the FTC’s enforcement powers are themselves a bit of a patchwork, with interconnected laws that dictate when it can seek only administrative relief and when it can go to court and seek equitable relief or penalties for violations of rules and orders. FTC Chair Simons and many others have also called for enhanced authority for the FTC to seek penalties for an initial violation, so it will be interesting to see whether any federal law also carries with it expanded FTC enforcement authority.
Recent Bills
While much of the recent action in Congress has centered on the above-referenced hearings, a few bills have been introduced since our overview of the legislative landscape in our February 14 webinar. Two noteworthy bills have been put forward, one related to the Internet of Things (IoT) and another related to ownership of data. The IoT bill as drafted applies only to government agencies, but the bill incorporates and mandates standards to be put forth by the National Institute of Standards and Technology (NIST). As noted in the webinar, California has enacted an IoT bill that provides specific guidance as to what levels of security are required. If enacted, the standards from NIST could well prove to be a de facto standard for all companies. Republican Sen. John Kennedy of Louisiana introduced a very interesting, even if very short, bill that purports to establish that Section 5 of the FTC Act creates an ownership right by individuals of the data they generate on the Internet. It would mandate that social media companies make the data and any analysis available to be inspected by and exported by the user. Further, it creates a relationship such that during the registration process, the user consents to license his or her data to the social media company. While it is not clear what, if any, level of momentum this bill may enjoy, it is certainly indicative of the current atmosphere on Capitol Hill that a bill would be introduced that goes straight to the heart of the business model of social media companies.
Going Forward
If any bill does gain traction, there are always core issues that will prove quite tricky. For example, how will personally identifiable information be defined? What is a breach; must the data be acquired, or merely accessed? Regarding collection of data, should consumers opt in to the collection, or opt out? At the federal level, would a new bill exempt or apply to companies governed by the data requirements of the Gramm-Leach-Bliley Act or HIPAA? How will small businesses cope with compliance costs? And for all the attention and momentum there appears to be in Congress for legislation of this kind, it should not be forgotten that this is Congress we are talking about, and it will be a great challenge to navigate the rocks and shoals outlined above and get legislation of this kind enacted. Some have expressed the goal to have any such legislation enacted by year’s end. While this may seem ambitious, given the attention on the presidential race next year, it may also be a necessity. Accordingly, companies with any interest in affecting the development of legislation, whether to resolve major or individual adverse impacts or simply to add a voice to the contours of legislation, should engage with Congress now.
Related Links
Previously discussed bills are listed below.
- American Data Dissemination Act of 2019 (Sen. Rubio’s bill)
- Social Media Privacy Protection and Consumer Rights Act (Sen. Klobuchar’s bill)
- Consumer Data Protection Act of 2018 (Sen. Wyden’s discussion draft)
- Data Care Act (Sen. Schatz’s bill)
- Children’s Online Privacy Protection Act of 1998 (Sen. Markey’s amendment)
- Data Acquisition and Technology Accountability and Security Act (the AG opposition letter to Reps. Luetkemeyer and Maloney’s draft legislation)
- CONSENT Act (Sens. Markey and Blumenthal’s bill)
- DIGIT Act (Sens. Fisher and Booker’s bill)