“A decade from now, we may look back and view this past year as a watershed with respect to the issue of consumer data privacy,” said Sen. John Thune (R-S.D.), chairman of the Senate Commerce Committee, while surveying a row of executives from some of the largest tech companies—AT&T, Amazon, Google, Twitter, Apple, and Charter Communications.
“The question is no longer whether we need a federal law to protect consumers’ privacy. The question is what shape that law should take.”
The Senator’s comments were made at a Wednesday hearing, “Examining Safeguards for Consumer Data Privacy,” which examined the privacy policies of top technology and communications firms, reviewed the current state of consumer data privacy, and explored possible approaches to more effectively safeguarding privacy.
Thune laid out some recent events to make his case for the sea change in how data privacy is perceived: the massive 2017 Equifax data breach; the Congressional hearing with Facebook CEO Mark Zuckerberg convened after revelations that political intelligence firm Cambridge Analytica had acquired access to the personal data of millions of unwitting Facebook users; the European Union’s General Data Protection Regulation (GDPR), which took effect in May and came with many privacy-related mandates and severe penalties for violators; and the June 28 signing of the California Consumer Privacy Act (CCPA) into law.
“These developments have all combined to put the issue of consumer data privacy squarely on Congress’s doorstep. What can Congress do to promote clear privacy expectations without hurting innovation?” Thune asked.
Tech companies support privacy legislation
Another advocate of federal legislation was Bud Tribble, VP of software technology at Apple, who stressed the company’s strong support of “federal privacy legislation that reflects Apple’s long-held view that privacy is a fundamental human right.”
Tribble described data privacy as central to how Apple designs products. “Some would call this ‘privacy by design,’ ” he added. “It means that we challenge ourselves to minimize the amount of personal information we collect. Can the information we do collect be less identifiable? Can we process information on the device instead of sending it to servers? We want your device to know everything about you; we don’t feel that we should.”
Amazon associate general counsel Andrew DeVore discussed the business benefits of establishing consumer trust at the online retailer. “We have known from our very beginnings as an online bookstore that maintaining customer trust is essential to our success,” he said. “Our customers trust us to handle their data carefully and sensibly in a secure and appropriate manner in line with their expectations. Any privacy mistake risks the loss of that trust and serious reputational damage even if there is no violation of privacy laws.”
Beyond internal efforts, however, there are current and future legislative demands to meet, DeVore said.
“While our longstanding commitment to privacy aligned us well with the GDPR principles, meeting its specific requirements for the handling, retention, and deletion of personal data required us to divert significant resources to administrative and recordkeeping tasks and away from inventing new features for customers and our core mission of providing better service, more selection, and lower prices,” he said. “We encourage Congress to ensure that additional overhead and administrative demands any legislation might require actually produce commensurate consumer privacy benefits.”
Another supporter of a uniform national framework, Rachel Welch, SVP for policy and external affairs at Charter Communications, said such a framework “should start with the consumer and be grounded in the concept of empowering and informing consumers to control the personal information that is collected about them online.”
It should, Welch said, focus on a series of core principles, such as:
The best way to ensure consumers have control over their data is through opt-in consent, with no more pre-ticked “boxes,” take-it-or-leave-it offers, or other default consents;
The use of personal data should be reasonably limited to what the consumer understood at the time consent was provided;
Companies should ensure that consent is renewed with reasonable frequency;
Explanations about how companies collect, use, and maintain consumers’ data should be easy to understand and readily available;
Privacy policies should be separate from other terms and conditions of service;
Consumers should know that their personal information is being treated with the same level of protections wherever they go on the internet; and
There should be a single national standard that protects consumers’ online privacy regardless of where they live, work, or travel.
“Whether a consumer’s information is adequately protected should not differ based on which state he or she is logging in from,” Welch said. “A patchwork of state laws would be confusing for consumers, difficult for businesses to implement, and hinder continued innovation on the internet—which is a borderless technology.”
She, like several of her colleagues, agreed that the Federal Trade Commission (FTC) “is the appropriate agency to oversee and enforce online privacy and data security.”
One of those colleagues, Leonard Cali, SVP of global public policy for AT&T, spoke strongly of the need for a uniform law with the FTC as overseer, while warning against the risk of multiple, conflicting laws.
“Perhaps for the first time, there is widespread agreement among industry, policy makers, and many consumer groups of the need for a new and comprehensive federal privacy law,” Cali testified. “Consumers rightly expect that consistent privacy protections will apply regardless of which app, device, service, or company is collecting and using their personal information.”
He warned, however, of an increasing risk that “we will end up with a patchwork quilt of inconsistent privacy regulations at the federal and state level, which will only serve to confuse consumers and stifle innovation.”
The emergence of GDPR, and of California’s variation on it, further underscores the need for a federal legislative approach, Cali said. “Like GDPR, many of the California requirements are highly prescriptive, and ambiguities and errors in its language leave open serious questions about how it will be enforced and interpreted,” he testified. “For both, there also remain serious questions about their ultimate impact on consumers, desirable new technologies like AI, and the marketplace.”
“I am not here to provide Congress a laundry list of the possible negative implications of the California law,” Cali added. “The more important point for Congress to understand is that the passage of the law and interest of other states in legislation raise the imminent risk that companies and consumers will soon face a patchwork of inconsistent state privacy laws. Indeed, 26 state privacy bills were introduced this year alone.”
“While each state may adopt its own set of privacy permissions and restrictions, providers struggling with compliance may have no choice but to adopt the most restrictive elements of each state’s law, given the impracticability of complying with multiple state rules when offering mobile and internet services that, by their nature, have no state boundaries,” he added. “The result may be a more restrictive privacy framework than any state intended with less innovation, investment and consumer welfare than any state anticipated.”
Cali added that a “national privacy framework” could be overseen by the FTC and should define sensitive and non-sensitive data and its appropriate treatment. Likewise, data security and breach-notification legislation “should establish a reasonable, flexible, and consistent national framework,” he said.
The FTC, which has brought more than 500 enforcement actions for privacy and data security violations, including cases involving major internet and telecommunications companies, acts primarily under Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce”; that covers false promises about how consumer data is used and secured. As states adopt privacy laws that clash with the FTC’s longstanding framework, Cali argued, the agency’s position as the nation’s leading privacy regulator will inevitably be eroded.
In short, according to Cali, federal legislation is necessary to codify a privacy law that builds on and strengthens the FTC’s role as the nation’s preeminent privacy “cop on the beat.”
Sen. Brian Schatz (D-Hawaii) questioned the consistent promotion by panelists of the FTC as the likely agency at the heart of any federal legislation, especially after suggestions to ramp up its resources and rulemaking authority were met with tepid reactions. “Some of these companies are saying, ‘We want a new law, we want to preempt the states from acting, but we don’t really want to give the FTC authority to make new rules in this space,’ ” he said.
“The problem right now is that if there is a violation, the FTC may or may not have a rule that is specifically being violated. So, the only thing you can do is go to the company and say, ‘We are notifying you that you are violating Section 5, let’s enter into a consent decree’ and then, only if you violate that consent decree, is there the authority to fine,” Schatz said. “Then it just becomes a cost of doing business to ‘move fast and break things.’”
Learning from established laws
When talk turned to what specifics a new federal law would encompass, Sen. Thune asked the panel which provisions of GDPR and California’s privacy law Congress should emulate and which it should avoid. Cali responded that both laws apply to all organizations “uniformly,” noting that as a positive element among some of the negatives.
“The challenge with GDPR is that it is overly prescriptive,” he added. “It is still early, but you’ve already seen hundreds of websites that have gone dark. Smaller companies and start-ups appear to be exiting Europe, and it actually looks like it is strengthening the large incumbent platforms. On top of that, it may, because of the limits on data retention, hurt innovation in things like blockchain and artificial intelligence.”
As for California, Cali said, it was hastily drafted. It has, for example, a non-discrimination obligation that could pose a legal threat to something as simple as loyalty cards “where you get a benefit for sharing data with the grocery store.”
His hope: “Congress looks at both these laws, learns from them, and does better than them.”
Congress, Amazon’s DeVore stressed, should also consider possible unintended consequences of the CCPA approach.
“Amazon supports [California’s] goals of giving consumers visibility and control when businesses collect and sell their personal information,” he said. “But because the CCPA was quickly enacted there was little opportunity for thoughtful review, resulting in some provisions that ultimately do not promote best practices in privacy.”
For example, the CCPA’s definition of “personal information” goes beyond information that actually identifies a person to include any information that “‘could be linked with a person,’ which arguably is all information,” DeVore claimed. “The result is a law that is not only confusing and difficult to comply with, but that may actually undermine important privacy-protective practices like encouraging companies to handle data in a way that is not directly linked to a consumer’s identity.”
Keith Enright, chief privacy officer for Google, said obligations under GDPR have been “a tremendous challenge,” with the company’s compliance effort running to hundreds of years of full-time-equivalent work. Nevertheless, “companies like Google are certainly better able to absorb the compliance costs and a rigorous regulatory regime like that than the burden created for small- and medium-sized businesses,” Enright said.
Tribble agreed, citing the 6 million (and growing) developers who call Apple’s App Store home. “It is very important, when crafting legislation, to look at those businesses and what the burden will be on them in terms of recordkeeping and so forth,” he said. “It would be very important to make sure it is not over-burdensome for that class of companies.”
A second hearing, planned for early next month, will include privacy advocates as well as other key stakeholders. Alastair Mactaggart, the California privacy activist who spearheaded that state’s recent law, and Andrea Jelinek, the head of GDPR enforcement for the European Union, have already agreed to testify.