The road to a US data privacy law is paved with hearings.
On Wednesday, the Senate commerce committee heard from consumer advocates on how lawmakers should craft a data privacy bill. Tech firms often have lawmakers' attention -- spending a record $65 million in lobbying last year -- but Wednesday's hearing gave consumer advocates the chance to voice their concerns.
Witnesses included representatives from the American Civil Liberties Union, the Future of Privacy Forum, Common Sense Media and the Irish Data Protection Commission, and their recommendations differed vastly from suggestions technology firms have made to Congress in past hearings. Among other things, the advocates urged federal legislators to protect state laws and give enforcers more resources to penalize companies that abuse people's data.
As privacy issues with tech giants like Facebook and Google continue to brew, US lawmakers are looking to pass legislation that can rein in how companies collect and use people's personal data. Though the European Union's General Data Protection Regulation went into effect last May, the US doesn't have a national equivalent regulating privacy.
"It's clear that companies have not adequately learned from past failures, and at the expense of consumers, we are seeing that self-regulation is insufficient," Democratic Sen. Maria Cantwell, a ranking member on the committee, said during the hearing.
Without a federal law on privacy, a government watchdog found, there's been weak enforcement against companies that mishandle millions of people's data.
Lawmakers have gone back and forth on a federal data privacy bill, with multiple Congress members proposing their own versions of potential legislation. Tech VIPs have also called for a federal data privacy law. Apple CEO Tim Cook has voiced his support for legislation, Facebook CEO Mark Zuckerberg has called for a privacy protection bill, and Google has shared its framework for what legislation should look like.
Though there's no federal law, multiple states have passed their own bills, including California, in a move supporters called a "milestone moment."
Tech companies are calling for a federal law that would pre-empt all the state laws that've already passed -- telling lawmakers that multiple states with their own rules for privacy protection would lead to confusion.
The advocates, on the other hand, have warned that a federal law that pre-empts state laws would be harmful to data privacy in the long run. Because technology advances fast and federal laws can't keep up, it's often up to states to draft new legislation.
"We know firsthand that in many cases it has been states, not Congress, that have led efforts to protect consumers," Neema Singh Giuliani, senior legislative counsel at the ACLU, said in her opening remarks. "These states have acted as laboratories. They've experimented and innovated with new ways to protect consumers."
The witnesses also called for stronger enforcement against tech companies. Under current laws, the Federal Trade Commission is limited in its resources when it comes to penalizing tech companies. Facebook is expecting an FTC fine of up to $5 billion, but the agency said it doesn't have enough resources to enforce many data abuses.
That's different from the Irish Data Protection Commission, which has received 5,839 complaints in the 11 months since the GDPR came into effect, commissioner Helen Dixon said. The IDPC has 51 large-scale investigations underway, 12 of which are focused on major US tech companies, the commissioner said.
Legislation should also limit how much data companies can harvest, with consumer advocates calling for data minimization. That would mean companies should be able to request only necessary data, and nothing else.
"If I have a flashlight app, is it really reasonable for the app to require me to turn over all my location data or my financial data, just as a condition of using that app?" Giuliani said.
If federal legislation passes, advocates said, there also needs to be a public awareness campaign on new privacy protections. And we need to see a shift from the legalese-filled privacy policies that people have routinely ignored, the witnesses said.
"Clear, easy-to-use information is absolutely critical," said Jim Steyer, founder of Common Sense Media. "This is complex stuff, and we need to make it very easy for consumers to understand what their rights are and how to exercise them."