On December 4, 2019, the Senate Commerce Committee addressed data privacy in a hearing titled, “Examining Legislative Proposals to Protect Consumer Data Privacy.” The hearing focused on the two leading privacy proposals that were put forward in the week leading up to the hearing, the Consumer Online Privacy Rights Act (COPRA), introduced by Sen. Maria Cantwell, D-Wash., ranking member on the Committee, and a Staff Discussion Draft of the United States Consumer Data Privacy Act of 2019 (CDPA), introduced by Sen. Roger Wicker, R-Miss., Chairman of the Committee. The competing proposals share many similarities, including their scope of covered data and entities, as well as their approaches to consumer transparency and access. However, as witness testimony during the hearing revealed, the proposals diverge on a few critical issues.
The Committee heard testimony from an all-star panel with experience across the public and private sectors. They testified to the importance of enacting federal legislation to protect consumer data privacy rights and expressed their general support for key provisions of the two leading proposals. The panel consisted of Julie Brill, former FTC Commissioner and current Corporate VP and Deputy GC at Microsoft; Maureen Ohlhausen, former FTC Acting-Chair and Commission, and current Co-Chair of the 21st Century Privacy Coalition; Laura Moy, Executive Director of the Georgetown Law Center on Privacy & Technology; Nuala O’Connor, Senior VP and Chief Counsel of Digital Citizenship at Walmart; and Michelle Richardson, Directory of Privacy and Data at the Center for Democracy and Technology. Although the witnesses prioritized different principles, they all emphasized the urgent need for a bold, comprehensive privacy law at the federal level that is coupled with strong enforcement mechanisms.
The questions during the hearing highlighted the main differences between the two leading proposals: preemption and a private right of action. Regarding preemption, COPRA would preempt only state laws that expressly conflict with it, whereas CDPA would preempt all state laws regarding data privacy, including the California Consumer Protection Act which goes into effect on January 1, 2020. The panelists representing industry discussed the challenges of complying with a patchwork of state privacy laws, as well as the speed and efficiency that a uniform national framework could provide. The other main issue receiving significant attention at the hearing was whether a federal privacy law should include a private right of action for consumers. COPRA gives consumers a private right of action, whereas CDPA would rely on the FTC and state attorneys general to enforce the law. The discussion of a private right of action also led into a broader discussion about enforcement. Some panelists voiced support for increasing staffing and other resources at the FTC, as well as strengthening the FTC’s authority for rulemaking and imposing first-time civil penalties.
In addition to discussing the issues of preemption and a private right of action, many lawmakers expressed concern about the potential negative impact of a federal privacy law on innovation, particularly for small businesses. The witnesses proposed a variety of ways to mitigate that impact, primarily by providing clarity through legislation that is readable on its face and by exempting small businesses from certain requirements. Additionally, multiple lawmakers and witnesses underscored the importance of including civil rights protections that would prohibit discriminatory uses of data.
The hearing demonstrated that, although both sides of the aisle agree on the need for a comprehensive federal data privacy law, passing a bipartisan bill will require bridging divides between the two latest leading proposals on a handful of key persistent issues. Two weeks later, on December 18, a bipartisan draft bill was issued from the House Energy & Commerce Committee. While important momentum seems to be gaining, a federal law is not likely imminent, and will certainly not come about prior to the CCPA’s effective date.