Privacy advocates tell senators what they want in a data protection law

They want to hold tech companies accountable for compromising your privacy.

Alfred Ng Senior Reporter / CNET News
Center for Democracy & Technology CEO Nuala O'Connor, right, testifies Wednesday before the Senate Commerce, Science and Transportation Committee about consumer data privacy.

Chip Somodevilla/Getty Images

Privacy advocates and tech giants like Google, Amazon and Apple all want a federal privacy law.

But there's a difference in how they want it written.

While tech companies essentially want a federal privacy law to be a ceiling that would limit how far states could go with their own privacy rules, privacy advocates want it to be more of a floor that states can build on.

Two weeks after representatives from AT&T, Amazon, Google, Twitter, Apple and Charter Communications testified to Congress on a federal privacy law, lawmakers on Wednesday listened to what privacy advocates want from the potential legislation.

Representatives included Andrea Jelinek, the chair of the European Data Protection Board; Alastair Mactaggart, the advocate behind California's Consumer Privacy Act; Laura Moy, executive director of the Georgetown Law Center on Privacy and Technology; and Nuala O'Connor, president of the Center for Democracy and Technology.

During the hearing before the Senate Committee on Commerce, Science and Transportation, privacy advocates stressed the need for a federal privacy law that could work in tandem with state laws instead of overwriting them.

The legislation would also have to allow for firm penalties for tech companies that don't comply, they said. Some suggested creating a new agency to regulate tech companies under the bill, while others recommended expanding the Federal Trade Commission's powers to fine tech companies.

"Fines can really rise to a level that provides the right incentive for companies under the GDPR, and we desperately need that here in the US," Moy said. She was referring to the European Union's General Data Protection Regulation, which has a maximum fine of 20 million euros or 4 percent of a company's annual global revenue.

Unlike Europe and its GDPR, the US doesn't have a federal law for data privacy that would ensure transparency in how companies use your data, or penalties for tech services that fail to protect your information.

Sen. Richard Blumenthal, a Connecticut Democrat, says that unless changes are made, "consumers will continue to be at risk."

Michael Brochstein/Getty Images

While the US isn't necessarily looking to pass its own GDPR, there's growing momentum among lawmakers to draft data privacy legislation to regulate an industry they think is growing out of control. Senators at Wednesday's hearing pointed to Facebook's breach affecting 50 million people and a Google Plus vulnerability the company failed to disclose for months as cases where tech companies fell short on consumer privacy.

"The fact is that consumers have no meaningful federal protection for consumer data. All we have is congressional oversight and whistleblowers who come forth and press reports," said Sen. Richard Blumenthal, a Democrat from Connecticut. "Until there is an effective enforcer at the federal or state level, with federal standards backed by strong resources and authority, consumers will continue to be at risk."

Witnesses testifying also pushed for opt-in consent, which would require companies to ask you for permission before getting your data. Tech companies have spoken out about this, but advocates argue it's necessary for true privacy standards.

"A choice has to be a real choice. This is something the GDPR does well. It says that consent must be freely given," Moy said. "When a company says, 'accept our practices with your data or don't use our service,' that's not a free choice."

As lawmakers continue to draft the bill, Mactaggart warned members of Congress about the influence tech companies can have on the potential legislation. Mactaggart played a key role in California's Consumer Privacy Act, a bill tech companies fought against.

"My experience is that there were a couple of tiny little words inserted and they said it was 'just for clarification,'" he said. "And the reality is that if we let those stay, it would have totally gutted the law."

Now that California's law has passed, he said, tech companies will seek a weaker federal version in the hopes of minimizing the state law's effects. Tech companies see GDPR's strictures as too harsh and are looking to influence a US data privacy bill with looser standards.

They argue that strict privacy standards would stifle innovation and prevent new tech companies from growing.

Privacy advocates are hoping this new legislation is more focused on protecting consumer data than the businesses that profit from it.
