There's a bipartisan call for a US data-privacy law, but there's a divide when it comes to balancing federal legislation with state rules.
On Tuesday the House Energy and Commerce Committee held its first hearing on data privacy, with a Senate hearing scheduled for Wednesday. Once just a blip on the political radar, data privacy has now set off a roaring alarm, as tech scandals have surfaced regularly over the last few years.
Facebook's Cambridge Analytica scandal, issues with Google and data surveillance, and breaches affecting the majority of Americans have brought privacy awareness to an all-time high, and Congress is set to act.
"Reports of the abuse of personal information undoubtedly give Americans the creeps," Rep. Jan Schakowsky, a Democrat from Illinois, said at the hearing. "Without a comprehensive federal privacy law, the burden has fallen completely on consumers to protect themselves, and this has to end."
The hearing comes as lawmakers prepare to pass a federal privacy law. Multiple Congress members have proposed bills with varying degrees of severity. That includes Sen. Ron Wyden, a Democrat from Oregon, who proposed a data-privacy law that could jail CEOs for lying about their practices. Sen. Marco Rubio, a Republican from Florida, introduced his own bill in January, which asks that the Federal Trade Commission recommend privacy requirements.
Several states have their own privacy laws, with California's Consumer Privacy Act the strictest. But tech giants hope a federal privacy law will render state rules powerless. Companies like Google, Amazon and Facebook have hoped to influence how a federal data-privacy law will shake out, spending a record amount of more than $65 million for lobbying last year.
At Tuesday's hearing, witnesses representing the tech giants, such as the Interactive Advertising Bureau and the Business Roundtable, called for Congress to pass federal legislation that would pre-empt state laws. It's too confusing for companies to navigate different rules for each state, they said.
"Without a consistent federal privacy standard, a patchwork of state privacy laws will create consumer confusion, present substantial challenges for businesses trying to comply with these laws, and fail to meet consumers' expectations about their digital privacy," David Grimaldi, Jr., the IAB's executive vice president on public policy, said in his opening remarks.
Denise Zheng, vice president of technology and innovation at Business Roundtable, echoed those sentiments, saying state laws don't benefit consumers because they're often confusing for companies to follow.
That perspective conflicts with what privacy advocates are arguing: that state laws provide protections a federal law could miss.
While federal legislation has lagged behind, technology and privacy concerns have advanced, with state lawmakers playing catch-up. There are no federal laws on biometric data collection or breach notifications, but Illinois passed its Biometric Information Privacy Act in 2008, and Vermont passed its Security Breach Notice Act in 2018. Congress members proposed a bill following the Equifax breach, but more than a year later, it's gone nowhere.
"US privacy laws typically establish a floor and not a ceiling so that states can afford protections they deem appropriate for their citizens and be 'laboratories of democracy,' innovating protections to keep up with rapidly changing technology," Brandi Collins-Dexter, the senior campaign director of online civil rights organization Color of Change, wrote in her opening testimony.
Nuala O'Connor, CEO of the Center for Democracy and Technology, said state attorneys general need to be able to enforce a federal privacy law if it's passed. She noted that each state has different demographics and privacy values, and state attorneys general are the best suited to defend those varying interests.
Rep. Greg Walden, a Republican from Oregon, said state privacy laws are helpful but that they're not enough for the US.
"Your privacy and security should not change depending on where you live in the United States," Walden said. "One state should not set the standard for the rest of the country."
Last May, the European Union's General Data Protection Regulation kicked into effect, imposing strict privacy standards on tech companies. The IAB, which represents companies including Google, Amazon, Verizon, Facebook and Twitter, said Congress shouldn't model a federal data-privacy law on the GDPR or on California's privacy law.
Roslyn Layton, from the American Enterprise Institute, criticized the GDPR, pointing out that it's helped tech giants like Google, Facebook and Amazon grow in Europe, while stopping small companies that can't keep up with the regulation.
"Increasing the number of agencies and bureaucrats who govern our data does not increase our privacy," Layton said. "It reduces our freedom, makes enterprise more expensive and deters innovation."
Grimaldi said legislation should incentivize self-regulation from tech giants, and the IAB's suggestions didn't include any penalties for companies that failed to protect people's privacy.
Not everyone testifying before the House committee agreed.
"Self-regulation alone is not going to be enough," O'Connor said. "That was revolutionary in 1999, but it is no longer sufficient to protect consumers today."