Issue-spotting Federal Privacy Framework from Congressional Hearings

On February 26 and 27, commerce committees in the House and Senate convened the first consumer data privacy hearings of the 116th Congress. These hearings reflect a growing consensus on Capitol Hill that, in light of developments both in the states and overseas, a comprehensive federal privacy framework is becoming increasingly necessary to address an increasingly fragmented and incongruous patchwork of privacy regulation to the detriment of consumers and industry. Although members of the Committee have only begun the process of examining the details of such a federal framework, several key issues can already be discerned from the two hearings:  

Preemption

A major question before Congress is whether a federal law should override state measures. The California Consumer Privacy Act of 2018 (CCPA), set to take effect in January 2019, is a key benchmark for evaluating the adequacy of new federal privacy regime for Democrats. Some Democrats and consumer advocates fear that a preemptive federal law will weaken consumer protections and industry accountability provisions in the CCPA. Republicans and industry representatives, however, believe that federal preemption is critical because the costs of navigating divergent state laws could drive small and medium sized businesses out of the market and harm competition by consolidating market power in a few large firms.

Rulemaking Authority

Generally, Republican members on the Committee prefer case-by-case adjudicatory approach based on actual harm, whereas Democratic members prefer rulemaking authority for the Federal Trade Commission (FTC) to adopt prophylactic rules. For example, Rep. McNerney (D-CA) said it’s critical to give FTC rulemaking authority for privacy and data security so that a comprehensive privacy regime will be able to adapt to technological innovations and advancements. Rep. Greg Walden (R-OR), the Ranking Member of the Energy and Commerce Committee, isn’t convinced and wants to see the results of the FTC’s investigations into Equifax and Facebook. Rep. Walden said, “The outcome of their work will help Congress evaluate the effectiveness of laws currently on the books, and the enforcement tools utilized to hold companies accountable.”

Scope

Federal lawmakers have been slow to craft a comprehensive data privacy law, in part, because there are existing laws on the books that address data privacy by sector. Congress must decide how the new privacy law will cover the various businesses already subject to their own sectoral laws, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act (HIPAA). These laws already govern the use of consumer data maintained by credit reporting agencies, financial institutions, and healthcare and healthcare insurance industries, respectively.

Prescriptiveness

Many issues emerged during the hearing concerning how prescriptive a federal framework needs to be. They include discriminatory advertising practices; special protections for children; enforcement and penalties; agency resources; and data security legislation. Some of the topics that received more extensive attention from lawmakers include: Is the notice-and-consent regime outmoded due to innovation and expanded data collection technologies? Should the new law be risk-based? Should there be a right to access, correct, and delete personal information? Are there practices that are presumptively unfair and should be outright banned? Should discriminatory advertising practices be addressed?

More to Come

These bi-cameral commerce committee hearings were the first of many in the coming year that will examine which of the myriad issues Congress must address in a comprehensive federal data privacy framework. The Senate Judiciary Committee has announced its own data privacy hearing on March 12, titled, “GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation.” Stay tuned.

Tags

Wiley Connect

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek