Tech industry representatives told the Senate in a privacy hearing this week that they want a stronger federal privacy law than California’s that would also preempt it and any other state laws.
Given reports from conservative organizations that the California Consumer Privacy Act (CCPA) is bad for business, some senators seemed surprised by the industry’s comments on Wednesday, and asked the industry witnesses to clarify if they indeed want “more stringent” privacy laws than California.
“We think the California law should be a floor and a federal law should be tougher,” Retail Industry Leaders Association Chief Operating Officer Brian Dodge told the Senate Subcommittee on Commerce, Science and Transportation.
President and Chief Executive Officer of the Software Alliance, Victoria Espinel, added, “We believe a federal law can go beyond California and be better than California.”
Much of the Senate hearing focused on questioning whether the industry would cooperate with Congress to draft a strong privacy law, while Tuesday’s House Committee on Energy and Commerce hearing — which hosted mainly tech experts as the witnesses — focused on whether a federal privacy law should preempt state ones.
But several senators and representatives took the time to scold Silicon Valley for misusing consumer data, and mentioned giving the Federal Trade Commission (FTC) authority to fine tech companies for bad behavior.
“Americans are really fed up,” Rep. Kathy Castor (D-Fla.) said at the House hearing on Tuesday. “When their data is misused, it’s really outrageous we’ve let if get this far.”
Sen. Marsha Blackburn (R-Tenn.) even jibed at Democrats, saying House Republicans worked on privacy legislation since 2013, when Democrats were too enamored with the tech industry to rein it in.
“We now realize this data-sharing is not a bug,” Blackburn told industry leaders. “It is a business model, and it has made Big Tech a whole lot of money by exploiting the use of this data. It’s nice to come in here and talk about what we’re going to do, but you all have been doing this for years. Trust is number one. They don’t trust you now. What are you doing about that?”
The industry witnesses didn’t have an answer. So Sen. Richard Blumenthal (D-Conn.) pushed harder.
“What you’ve shown us so far is that you’re willing to look the other way, that you’re willing to put profits over people,” he said. “I think most people have no idea of the vastness of their vulnerability and how much data is collected, whether it’s their locations or the voices of their children through toys or devices (like Alexa) they use in the name of security.”
Senators also pressed the industry witnesses on what they think is a “misuse” of consumer data. Not all agreed on one definition, and some offered purposefully cryptic answers.
For example, even though Dodge said the retail industry wants a stronger privacy law than California’s, he also defined misuse of consumer data as “the relationship between retailers and customers is buying goods and services, so anything dramatically departed from that is misuse,” a vague definition at best.
But not all the industry witnesses were so cagey. The Interactive Advertising Bureau’s Chief Executive Officer Randall Rothenberg described a scenario where he’s googling recipes for eggs, then that data is shared with his insurance company, then his insurance company raises the price of his insurance because eggs might negatively affect his cholesterol.
That, he said, is a gross misuse of consumer data.
Espinel told the Senate that tech industry culture must change in order for tech companies to stop misusing consumer data.
“I think we need to have a culture where companies are focused on the consumer, and protecting the consumer,” she said. “Companies should be limited to uses that are relevant to the stated purpose of why they are using the data. I think it comes back to the consumer and having that as the central tenet for how companies are thinking about data.”
Industry witnesses at the Senate hearing and tech experts at the House hearing mostly agreed that a federal privacy law should preempt state ones, except for a few outliers. Lawmakers’ biggest concern is that a patchwork of state laws would hurt small businesses and chill innovation.
At the Senate hearing, Northeastern University’s Professor of Law and Computer Science Woodrow Hartzog said he teaches his students to expect to deal with a patchwork of state laws on a variety of issues, so the argument that state regulation stifles innovation may not be true, because many industries consider it a legal reality.
“In the United States we have a tradition of dealing with a patchwork of state laws,” he said. “While there are virtues to consistency, in my opinion it is not the obstacle that would strike me as the first thing we have to do to get privacy right.”
Despite some pushback from some tech experts, all senators or representatives with statements or comments on privacy said they want a federal standard that preempts state laws.
Neither the House or the Senate unveiled draft privacy legislation at the hearings, but the industry expects draft legislation soon. Members of both chambers continue to hint that legislation is in the works.