Up Next: Federal Data Privacy Legislation?
On September 26, 2018, senior executives from AT&T, Amazon, Google, Twitter and Charter Communications testified before the Senate Commerce Committee on the importance of protecting consumer privacy, the need for clear rules that still ensure the benefits that flow from the responsible use of data, and key principles that should be included in any federal privacy law. The discussion centered on two issues: (1) the potential for Congress to pass a federal privacy law, including the scope and model for any such law, and (2) the role of the Federal Trade Commission (“FTC”) in regulating data privacy practices. Committee Chairman John Thune (R-SD) noted “[t]he question is no longer whether we need a federal law to protect consumers’ privacy. The question is what shape that law should take.”
On the topic of a potential new federal privacy law, the companies appeared to agree on certain broad privacy principles that could be incorporated into legislation, including:
- Support for the creation of a federal privacy law and a preference for preemption rather than a patchwork of different state privacy laws;
- Concern around a federal privacy law attempting to copy the European Union’s General Data Protection Regulation (“GDPR”) or the recently passed California Consumer Privacy Act. A federal privacy law should seek to avoid the difficulties and unintended consequences created by these laws, allowing the U.S. should put its own stamp on what the law should be; and
- Agreement that a federal law should not be unduly burdensome for small and medium sized enterprises.
On the topic of whether the FTC was the appropriate body to regulate data privacy, while all company representatives agreed that the FTC was the appropriate regulatory body, none voiced support for increasing the agency’s authority.
Senator Thune said the Senate Commerce Committee would hold further hearings on data privacy.
In the House of Representatives, Representatives Suzan DelBene (D-WA) and Hakeem Jeffries (D-NY) introduced legislation last month that would require the FTC to promulgate regulations requiring companies that collect, store, process or share sensitive personal information to enact data privacy and use policies that, among other requirements, provide specific types of notice to consumers, enable consumer opt-outs, and obtain third-party audits of their privacy controls.
At the agency level, the Department of Commerce National Telecommunications and Information Administration (“NTIA”) issued a request for comment on the same day as the Senate Commerce hearing, seeking comments on seven proposed outcomes for federal action on consumer privacy policy. The NTIA also seeks comments on whether changes are needed to the FTC’s statutory authority, resources, or processes, in order for the FTC to achieve the goals set out in NTIA’s request for comment.
Grayson J. Derrick
Chair, Technology and Intellectual Property Section