Issue-spotting Federal Privacy Framework from Congressional Hearings
On February 26 and 27, commerce committees in the House and Senate convened the first consumer data privacy hearings of the 116th Congress. These hearings reflect a growing consensus on Capitol Hill that, in light of developments both in the states and overseas, a comprehensive federal privacy framework is becoming increasingly necessary to address an increasingly fragmented and incongruous patchwork of privacy regulation to the detriment of consumers and industry. Although members of the Committee have only begun the process of examining the details of such a federal framework, several key issues can already be discerned from the two hearings:
A major question before Congress is whether a federal law should override state measures. The California Consumer Privacy Act of 2018 (CCPA), set to take effect in January 2019, is a key benchmark for evaluating the adequacy of new federal privacy regime for Democrats. Some Democrats and consumer advocates fear that a preemptive federal law will weaken consumer protections and industry accountability provisions in the CCPA. Republicans and industry representatives, however, believe that federal preemption is critical because the costs of navigating divergent state laws could drive small and medium sized businesses out of the market and harm competition by consolidating market power in a few large firms.
Generally, Republican members on the Committee prefer case-by-case adjudicatory approach based on actual harm, whereas Democratic members prefer rulemaking authority for the Federal Trade Commission (FTC) to adopt prophylactic rules. For example, Rep. McNerney (D-CA) said it’s critical to give FTC rulemaking authority for privacy and data security so that a comprehensive privacy regime will be able to adapt to technological innovations and advancements. Rep. Greg Walden (R-OR), the Ranking Member of the Energy and Commerce Committee, isn’t convinced and wants to see the results of the FTC’s investigations into Equifax and Facebook. Rep. Walden said, “The outcome of their work will help Congress evaluate the effectiveness of laws currently on the books, and the enforcement tools utilized to hold companies accountable.”
Federal lawmakers have been slow to craft a comprehensive data privacy law, in part, because there are existing laws on the books that address data privacy by sector. Congress must decide how the new privacy law will cover the various businesses already subject to their own sectoral laws, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act (HIPAA). These laws already govern the use of consumer data maintained by credit reporting agencies, financial institutions, and healthcare and healthcare insurance industries, respectively.
Many issues emerged during the hearing concerning how prescriptive a federal framework needs to be. They include discriminatory advertising practices; special protections for children; enforcement and penalties; agency resources; and data security legislation. Some of the topics that received more extensive attention from lawmakers include: Is the notice-and-consent regime outmoded due to innovation and expanded data collection technologies? Should the new law be risk-based? Should there be a right to access, correct, and delete personal information? Are there practices that are presumptively unfair and should be outright banned? Should discriminatory advertising practices be addressed?
More to Come
These bi-cameral commerce committee hearings were the first of many in the coming year that will examine which of the myriad issues Congress must address in a comprehensive federal data privacy framework. The Senate Judiciary Committee has announced its own data privacy hearing on March 12, titled, “GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation.” Stay tuned.