Panelists representing consumer privacy perspectives discussed an array of strategies for approaching data privacy protection laws at a hearing before the Senate Commerce, Science, and Transportation Committee today.
Four witnesses – Ireland Data Protection Commissioner Helen Dixon, American Civil Liberties Union Senior Legislative Counsel Neema Singh Guliani, Future of Privacy Forum CEO Jules Polonetsky, and Common Sense Media CEO and Founder Jim Steyer – spoke in favor of enacting Federal data protection regulations, which many in Congress have said they support.
In presenting their ideas to committee members, the witnesses drew from two high-profile sets of privacy regulations – the European Union’s General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).
The witnesses all agreed that private sector self-regulation won’t do enough to protect data privacy, and that the means used by many companies now to engage users on privacy rights – namely opt-out terms and condition notices written in confusing legalese – are problematic and ineffective.
Rather, panelists said that data protection laws should have “scaled” guardrails based on how organizations collect, store, and use consumer data. New rules also should decrease the onus now placed on consumers to control their own privacy settings, and boost consumer education efforts. Witnesses also argued that state-level laws like CCPA should serve as a baseline – not a ceiling – for Federal-level regulation.
“The California law is a floor, not a ceiling,” said Steyer, who helped in drafting CCPA. “Anything that should come out of this committee and this Senate should be stronger than the California law,” he said.
Guliani urged that Federal data privacy law not preempt state privacy laws generally. Rather, she said, Federal regulation should have a narrow and clear preemption provision that addresses conflicts and preserves the rights of states to pass and enforce stronger laws.
“We know firsthand that in many cases it has been states, not Congress, that have led efforts to protect consumers,” Guliani said. “We should be wary of the Federal government stepping in and with one stroke of a pen, wiping out dozens of state laws already on the books and preventing future ones.”
In terms of enforcement, Polonetsky suggested that steps to create internal accountability at companies – including employee training and use of better technologies – would help them to comply with tougher data privacy regulations.
Polonetsky, Steyer, and Guliani also said the Federal Trade Commission – as the prime enforcer of any new privacy rules – should not only have civil penalties and targeted rule-making to do its job, but also increased resources to take on those new duties, and so that consumers can effectively sue companies that violate their privacy rights.
Federal data privacy protection laws should also address different demographics that are more vulnerable to data rights violations, the witnesses said. Steyer said children and teenagers are most vulnerable and deserve special protection, while Guliani said that the legislation should protect against discrimination based on protected characteristics like race or gender.
Steyer noted that CCPA was created in a bipartisan effort, and emphasized that Congress can follow the same path and collaborate on meaningful legislation that protects Americans’ data rights.
“At the end of the day I think the bottom line is clear,” Steyer said. “This is your folks’ moment to do something great for everybody in America on a bipartisan basis.”