Data Privacy Alert: Businesses Will Likely Bear the Brunt of US Federal Privacy Law

Last week, the Senate Judiciary Committee held another hearing to continue discussions regarding federal data privacy policy legislation. The hearing, which was conducted to explore the impact of California's Consumer Privacy Act (CCPA) and the European Union's General Data Protection Regulation (GDPR) on consumers and competition, marked the latest congressional inquiry into the heated debate over the best way to protect Americans' online privacy, coming on the heels of a pair of hearings held by the Commerce Committees in recent weeks.

Stakeholders on both sides of the debate have generally agreed on the need for uniform federal privacy legislation, but there has been much debate on the details, including to what extent a national framework will preempt state privacy laws, like the CCPA, which is set to take effect January 2020.

Sen. Dianne Feinstein (D-CA), the Judiciary Committee’s top Democrat, added pressure on the lawmakers by stating that she would not support any federal law that is less restrictive than CCPA. Feinstein also stated she would push for uniform breach notification standards. She noted that she has been working to enact legislation on this topic since 2003, when California produced the first in what has since become a patchwork of breach reporting laws in all 50 U.S. states. During the hearing Sen. Feinstein stated, "In the past few years, hundreds of millions of consumers have had their sensitive personal data stolen as a result of data breaches. Consumers are now just becoming aware of how insecure our personal information is."

Sen. Feinstein’s statements during the hearing indicate that federal legislation will not ease the burden on businesses. Most of last week’s hearing was spent discussing the difference between GDPR and CCPA. The Judiciary Committee questioned two panels of witnesses about the benefits and drawbacks of each of the separate law’s approach. Most of the witnesses discouraged enacting legislation that would require companies to obtain opt-in consent from consumers before collecting and using their personal information, stating that it was unfair and impractical to expect consumers to provide meaningful and informed consent for every data request.

Californians for Consumer Privacy Chairman Alastair Mactaggart argued that an opt-in policy poses several issues, including that consumers are likely to give their permission to only established familiar brands, leaving startups in the dust, and that once a company has obtained consent, it becomes "business as usual." He also stressed that the worry with an opt-in is that it is basically a “take it or leave it approach,” meaning that consumers have to opt-in or they cannot use the service. Others agreed that while opt-in is appropriate in circumstances where there is particularly sensitive data, Mactaggart added, "opt-out with rules of the road that make sense and are predictable and reliable are a better user experience and probably a better way to go."

Some Republicans questioned the opt-out method and whether companies are really honoring requests to stop using their information once it has been collected. During the hearing, Sen. Josh Hawley (R-MO) grilled Google senior privacy counsel Will DeVries about "the implicit bargain that consumers are being asked to ratify by which they get supposedly free services but actually have enormous amounts of personal data extracted from them without knowing what's going on." He also questioned the accuracy of the DeVries’ testimony that Google "clearly explains how it makes money and clearly explains how its products use personal information," and honed in on reports that the tech giant continues to collect location data from users of its Android devices even when the phone is not in use or a user has disabled location services. 

Sen. Hawley dismissed the notion that location tracking issues were complicated, arguing that when someone turns off their location history, "they expect the location tracking to be off." He concluded with the statement, "What's complicated is that you don't allow consumers to stop your tracking of them," the senator said. "You tell them that you do, a consumer would have a reasonable expectation based on what you've told them that they're not being tracked but, in fact, you're still gathering the information and you're still using it ... Americans have not signed up for this."

As these hearings continue to heat up, Brouse McDowell will remain diligent with staying informed on data privacy laws. Our attorneys are here to help our clients navigate these tricky waters. Brouse McDowell offers legal services related to data privacy and cybersecurity, including pre-breach and cybersecurity planning services, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Contact us for more information.