On February 27, 2019, the Senate Commerce Committee held a hearing to examine what Congress should do to address risks to consumers and implement data protections for all Americans. The hearing was titled “Policy Principles for a Federal Data Privacy Framework.” It focused on six topics, including: (1) federal preemption; (2) privacy values; (3) corporate transparency; (4) trust and informed consent; (5) the Federal Trade Commission (“FTC”) and State Attorneys General enforcement authority; and (6) special protections for children. Senators on both sides of the aisle generally expressed optimism about working together to address the challenges of developing a federal privacy data framework. We anticipate a continuing debate and proposed legislation in Congress over data privacy. Below is a high-level summary of some of the issues discussed.

The issues of transparency and consumer control were hot topics. Both Senators and witnesses stressed the importance of protecting individual’s personal data from being used for purposes for which it was not originally collected. Further, one witness suggested that an opt-in consent regime should apply to sensitive personally identifiable information, like health and financial information, social security numbers and children’s information. Interestingly, one law school professor argued that the traditional approach of “notice and choice,” which emphasizes transparency through notice to consumers and choice through user consent, has failed. He argued that the best path forward is to implement a regime toward “substantive and robust” rules that build consumers’ trust in companies and establishes a firm framework that companies cannot operate outside of without consequences.

Two big issues for Congress to consider involve preemption and enforcement authority. Proponents of preemption argued that a federal privacy framework could eliminate the risks inherent in the patchwork of state laws, which sometimes impose conflicting obligations on companies that operate in multiple states. In response to a question whether the rights established by the California Consumer Privacy Act (“CCPA”) should serve as a floor to a national privacy law, witnesses agreed that federal legislation should be “stronger and better” than the CCPA and offer “more meaningful protection” of privacy interests.

Not only did proponents of preemption argue that a federal framework would eliminate significant challenges for businesses, but also that it would reduce consumer confusion and provide a consistent experience across state lines and industries. Further, proponents felt that offering a single federal standard that could be enforced by state attorneys general and the FTC would be beneficial. In contrast, other speakers felt that a federal law that preempts states’ regulatory efforts would have “net negative effects,” including jeopardizing the international flow of data if U.S. privacy law appears weaker as a result.

The hearing closed without an announcement regarding Congress’ next steps. We expect the debate over data privacy protections to continue and we will provide updates on such debates and proposed legislation as necessary.

Our previous posts related to CCPA are available here.