Federal and state officials revisit laws in a hearing on protecting consumers’ privacy and providing rules for businesses.
9/23/2020 14:00
On Wednesday, members of Congress and state and federal regulators tackled the ongoing discussion of federal data privacy legislation and how state laws fit into the puzzle.
At the backdrop of the hearing, hosted by the Senate Committee on Commerce, Science, and Transportation, are bipartisan federal proposals and the framework set out by the California Consumer Privacy Act (CCPA) that is now in effect.
ACA International, in a letter to the committee in advance of the hearing, is advocating for data privacy legislation that balances the need to protect consumers’ privacy and not create duplicative requirements given existing complex state and global directives the accounts receivable management (ARM) industry is required to comply with.
“ACA members support data privacy, but do not believe duplicative burdens are necessary or beneficial to consumers and the economy,” CEO Mark Neeb said in the letter.
In addition to complying with the CCPA, businesses are already bracing for new complications that would likely stem from the California Privacy Rights Act (CPRA), a statewide ballot initiative that will be decided on Nov. 3, 2020. This new initiative, which comes just three months after the enforcement of the CCPA began, would impact businesses across the country.
According to the National Conference of State Legislatures, data privacy bills were considered in more than 30 states and Puerto Rico in 2020.
Washington state’s proposal, the Washington Privacy Act, was of note during the hearing as well as the CPRA ballot initiative in California.
ACA is tracking those state and federal proposals, which are outlined in the August 2020 advocacy report.
- S. 583 – The Data Privacy Act
- S. 1214 – The Privacy Bill of Rights
- S. 189 – The Social Media Privacy Protection and Consumer Rights Act of 2019
- H.R.2013 – The Information Transparency and Personal Data Control Act
- H.R. 4978 – Online Privacy Act of 2019
Senate Commerce Committee Chairman Roger Wicker, R-Miss., announced another federal legislative proposal, the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act, during the hearing.
U.S. Sens. John Thune, R-S.D., Deb. Fischer, R-Neb., and Marsha Blackburn, R-Tenn., are co-sponsors of the bill. The legislation would provide Americans with more choice and control over their data and direct businesses to be more transparent and accountable for their data practices. The bill would also enhance the Federal Trade Commission’s authority and provide additional resources to enforce the act, according to a news release.
“Today we have a chance to pass a strong national privacy law that achieves the goals of privacy advocates with real consensus among members of both parties and a broad array of industry members,” Wicker said during the hearing.
A sticking point during the hearing and the years-long discussion on federal data privacy legislation is if it will and should preempt existing state laws.
“State law is the backbone of consumer privacy in the United States,” said California Attorney General Xavier Becerra. A federal data privacy law should serve as a “playbook” for states, but not preempt state laws, he added.
“I encourage the members of the committee to favor legislation that sets a federal privacy protection floor rather than a ceiling, allowing my state and others that may follow the opportunity to provide further protections tailored to our residents,” Becerra said.
The consensus among committee members on both sides of the aisle—with the prevalence of data privacy proposals in the 116th Congress—was just that, bipartisan consensus is needed on the issue.
“We need to resolve this issue, but we can’t do this at the expense of states that have already taken action to protect their citizens,” said U.S. Sen. Maria Cantwell, D-Wash., ranking member of the committee, who introduced the Consumer Online Privacy Rights Act with U.S. Sens. Brian Schatz, D-Hawaii, and Ed Markey, D-Mass.
Hearing witnesses from the FTC, including current and former members, supported legislation that would boost the commission’s enforcement authority on data privacy.
Maureen Ohlhausen, former commissioner and acting chairman of the FTC, said Congress must support the FTC with resources and enforcement authority as the federal data privacy legislation discussion continues. She also supported a balance between protecting consumers’ data and privacy rights and those of businesses.
“As someone who has also focused on the intersection of antitrust and privacy law, and the impact of regulation of market competition, I urge that a federal approach be technology neutral and avoid unduly burdening smaller entities or innovative services,” she said in her testimony.
U.S. Sen. Jerry Moran, R-Kansas, agreed that laws should be technology-neutral and protect consumers on an equal playing field with businesses.
“None of this will work unless we can figure out a solution that brings us all together and I am certainly committed to doing that,” Moran, who introduced the Consumer Data Privacy and Security Act in March, said. “We have our work cut out for us, but the goal is to get a product that can pass and become law.”
As Congress considers any potential new privacy requirements, ACA is monitoring new European General Data Protection Regulation (GDPR) requirements and working to shape state laws such as the CCPA and many others. As it moves forward, Congress should consider privacy laws that ACA members are already following, such as the Health Insurance Portability and Accountability Act of 1996 and the Gramm- Leach-Bliley Act, and not create overly complex or duplicative new requirements.
“We appreciate that Congress is revisiting this important issue,” Neeb said in the letter to the committee. “We ask that the Senate consider some of the problems stemming from unclear requirements of the CCPA and ensure that any law going forward preempts state requirements. All Americans should receive the same level of privacy protections.”