Senate Judiciary Committee Hearing on GDPR and CCPA

Senate Judiciary Committee

“GDPR & CCPA: Opt-Ins, Consumer Control, and the Impact on Competition and Innovation”

Tuesday, March 12, 2019

Key Topics & Takeaways

  • Preemption: Panelists agreed that federal legislation should preempt states, though Hoffman added the federal approach should be stronger. Mactaggart and Lee stated that if there was preemption, the protections in the California Consumer Privacy Act (CCPA) should be a floor, not a ceiling. All panelists said they support congressional action in this space.
  • Breach Notification: Mactaggart said breach notification is “essential” because otherwise, consumers would never know their information was at risk, noting the CCPA includes a private right of action for data breaches resulting from negligence.
  • FTC Authority: Panelists agreed it was important for the FTC to have “strong” authority, but Hoffman noted that not all industry sectors are governed by the FTC. Panelists agreed that civil fining authority for the FTC should be explored. Bambauer pointed out that the FTC has the expertise to understand which types of services are to a consumer’s benefit and which are not, and that a good regulator can evaluate the possible harm of innovations and allow those that others lacking expertise would find suspicious to move forward.

Witnesses

Panel I

Panel II

Opening Statements

Sen. Lindsey Graham (R-S.C.), Chairman, Senate Judiciary Committee

In his opening statement, Graham said it was important for Congress to explore what role it should play in privacy issues, noting the European Union (EU) has enacted the General Data Protection Regulation (GDPR) and California has approved the California Consumer Privacy Act (CCPA). Graham said he wants to ensure consumers understand what is happening with their data, especially when companies are monetizing it. He noted he does not want to interrupt innovation but warned that technology can be manipulated to cause harm, saying there is bipartisan desire to learn more and do something constructive.

Sen. Dianne Feinstein (D-Calif.), Ranking Member, Senate Judiciary Committee

In her opening statement, Feinstein noted it is important to understand the impact of CCPA and GDPR and how well they are protecting consumers, noting that in recent years hundreds of millions of consumers have been affected by data breaches and that consumers are becoming more aware of how insecure their personal information is. Feinstein noted there has been some pushback on these laws, as some have complained the opt-in consent requirements in the GDPR result in confusion and others complain the CCPA is too narrow and does not go far enough to limit abuses. Feinstein said it is her belief that individuals should have “as much control as possible” over their data, and that companies should be required to protect personal data with a heightened degree of care and be held responsible if that data ends up in the “wrong hands.” She added that she would not support federal legislation that weakens the California standard, and any federal policy should include data breach notification requirements.

Testimony

Panel I

Will DeVries, Senior Privacy Counsel, Google, Inc.

In his testimony, DeVries discussed Google’s approach to privacy, saying that if users do not trust Google, they will not use the products, so privacy and trust are “vital” to their business. DeVries said they continually aim to improve their approach to privacy, noting that they “welcome” the increased momentum for a federal privacy framework that would codify “important” individual rights.

noting that many of Google’s products are free and advertising is a main source of revenue. DeVries listed a number of “key components” that Congress should consider, including that any legislation should be risk- and outcomes-based, consistent, adaptable, and work for all types and sizes of entities. DeVries also noted that legislation should require responsibility for data collection and use, transparency, choice and control, portability, and accountability.

Alastair Mactaggart, Chairman, Californians for Consumer Privacy

In his testimony, Mactaggart gave an overview of the CCPA, saying its three main components are that consumers can find out what information corporations have collected about them, consumers can instruct companies to cease selling their information, and companies have to keep that data safe. Mactaggart said the CCPA “spells the end” of large data mining companies tracking consumers across the web, noting that a massive percentage of new growth in digital ad revenue is from only two companies, adding that stopping this pervasive tracking will ultimately benefit competition in the market. He noted that CCPA is an opt-out system, rather than a “take it or leave it approach” that would require consumers to consent in order to use a given service. He said it gives consumers “meaningful control” and urged the committee not to undo CCPA’s protections via federal legislation.

David Hoffman, Director of Security Policy and Global Privacy Officer, Intel

In his testimony, Hoffman said that many privacy laws have negative impacts on innovation and competition, and “notice and choice” methods are “unlikely” to adequately protect consumers and create barriers to innovation and competition. He called for a new model of protection that does not rely primarily on consent, and legislation should provide “meaningful” protections instead of the “false promise” of control. He added that legislation should prohibit unaccountable data sharing with third party companies and empower and fully resource the Federal Trade Commission (FTC).

Gabriel Weinberg, CEO and Founder, DuckDuckGo

In his testimony, Weinberg said laws like the GDPR and CCPA are pro-consumer, pro-business and pro-advertising. He described his company’s search engine service that allows consumers to search without being tracked, using only contextual advertising. Weinberg explained that his company does not collect any personal information but is still able to make money through advertising, stressing that “privacy is not anti-advertising.” Weinberg said consumers are “flocking” to brands they trust and respect, and they should be given a “robust” mechanism to opt out of data tracking.

Tom Lee, Policy Lead, Mapbox

In his testimony, Lee explained that while his company does collect GPS data in order to improve their map products, they built features to “put data privacy first,” including minimizing the information they collect, anonymizing what they do collect, requiring their customers to allow their users to opt out of collection, encrypting their data, applying strong access and control policies, and only using the data to improve their products, which he said proves you can build a business and protect privacy at the same time. Lee said it was time for “some rules of the road” and “common sense” ethical standards for those that ask users to trust them with their data. Lee did note that this process can carry risks and costs, including the burden of the proliferation of differing standards, and the “jumble” of state privacy laws could create loopholes, oversights, and errors.

Panel II

Roslyn Layton, Visiting Scholar, American Enterprise Institute

In her testimony, Layton discussed various issues with the GDPR, saying that it has strengthened the largest players and weakened small and medium-sized firms, is expensive to implement, silences free speech by limiting access in international news sources, and threatens innovation and research. She said that the GDPR has not led to greater trust online and has actually created risks for identity theft and online fraud, and said the GDPR has used the pretense of consumer control to increase the power of the government. Layton called on Congress to create better systems and policies than the GDPR.

Michelle Richardson, Director, Privacy and Data Project, Center for Democracy and Technology

In her testimony, Richardson expressed her support for comprehensive federal privacy legislation, calling the current notice and consent model “broken,” adding that the privacy burden should be moved away from consumers to companies who collect and use the data. Ultimately, Richardson said there is no “meaningful way” for consumers to make informed, timely decisions about the hundreds of companies they interact with daily, and the goal should be to define “digital civil rights.” She said any privacy law should limit the collection, use and sharing of sensitive consumer information that is not necessary to offer the service the user requested, require all entities to take reasonable efforts to secure personal information, and grant individuals the ability to access, correct, delete, and port their information. She noted that these should apply regardless of business model or company size, as privacy harm has nothing to do with these factors.

Professor Jane Bambauer, Professor of Law, University of Arizona James E. Rogers College of Law

In her testimony, Bambauer critiqued the CCPA and GDPR, saying the best interest of the consumer is not always intuitive in the digital economy. She said that following the implementation of the GDPR, there has been a “significant” reduction in venture capital investment across every sector in Europe, and the firms who lose the most are younger and smaller ones. Bambauer said consumer control frameworks often leave consumers underprotected when they choose to opt in without enough information, or overprotected to their detriment, as consumers often benefit from making their data available to certain companies.

Question & Answer

Preemption

Asked by Graham if a federal privacy framework should preempt the states, the panelists agreed, though Hoffman added the federal approach should be stronger. Mactaggart and Lee added that if there was preemption, the protections in CCPA should be a floor, not a ceiling. All panelists said they support congressional action in this space.

Sen. Marsha Blackburn (R-Tenn.) asked about federal preemption. Bambauer said if every state were to have a different law, the compliance cost would be “overwhelming” and companies would comply with the most demanding standard, creating a rush to the highest level of regulation.

FTC Authority

Multiple Senators asked about FTC authority. Panelists agreed it was important for the FTC to have “strong” authority, but Hoffman noted that not all industry sectors are governed by the FTC. Panelists agreed that civil fining authority for the FTC should be explored.

Asked by Sen. Christopher Coons (D-Del.) and Blackburn about FTC authority, Bambauer pointed out that the FTC has the expertise to understand which types of services are to a consumer’s benefit and which are not, and that a good regulator can evaluate the possible harm of innovations and allow those that others lacking expertise would find suspicious to move forward. Richardson said the FTC should be given fining authority but will need the help of state attorneys general and direction from Congress. Bambauer added that the FTC should define safe harbors for activities that are in the consumer’s best interest.

Breach Notification

Sen. Amy Klobuchar (D-Minn.) asked about the importance of breach notification requirements. Mactaggart said notice is “essential” because otherwise, consumers would never know their information was at risk, noting the CCPA includes a private right of action for data breaches resulting from negligence.

Property Rights

Asked if personal data should be considered property, Bambauer said that deeming it property requires a certain set of legal rights that are not currently well-defined, and she does not think personal data should be considered property.

Compliance Costs

Asked about compliance costs, Layton noted that some startups are choosing not to serve the EU because costs and uncertainty are high, adding that Europe is the recipient of two-thirds of the country’s digital goods and services exports.
